
What is Domain spoofing?

Domain spoofing is a cyberattack where an attacker makes an email, website, or digital message appear as if it came from a trusted domain. The goal is to trick users, customers, or employees into trusting a fake sender and taking action.

Attackers most often use it in phishing, business email compromise, credential theft, invoice fraud, and malware delivery. The attack works because users usually trust recognizable domains more than unknown senders.

How does it work?

Attackers typically spoof a domain in two ways:

Method                 | What happens                                        | Example risk
Email header spoofing  | The sender address appears to use a trusted domain  | Fake executive payment request
Lookalike domain abuse | The attacker registers a similar-looking domain     | examp1e.com instead of example.com

Email authentication standards such as SPF, DKIM, and DMARC help receiving mail servers verify whether a message is authorized to use a domain. CISA and Microsoft both identify these controls as core protections against spoofed email.

Why is it dangerous?

This attack can damage brand trust, expose credentials, and help attackers bypass human suspicion. A spoofed email may look like it came from a vendor, bank, SaaS provider, or internal leader.

It also creates operational risk. Security teams may need to investigate fraudulent messages, warn users, protect customers, and repair domain reputation after abuse.

How can organizations prevent it?

Use layered controls:

  • Publish SPF records for approved sending servers.
  • Enable DKIM to cryptographically sign outbound email.
  • Enforce DMARC to tell receiving servers how to handle failed authentication.
  • Monitor lookalike domains and suspicious registrations.
  • Train users to verify payment requests, login links, and unusual sender behavior.

The UK NCSC also recommends SPF, DKIM, and DMARC as anti-spoofing controls.
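As an added example that is not from the original page, the following Python sketches the receiver-side DMARC check the controls above describe: the published record is parsed, the SPF- and DKIM-authenticated domains are tested for alignment with the visible From: domain, and the owner's requested disposition is returned when both fail. The DMARC record, domains and helper names are constructed, and organizational-domain handling is simplified.

```python
"""Receiver-side DMARC evaluation in miniature (added example, constructed data).
Parses the published DMARC record, checks whether the SPF- and DKIM-authenticated
domains align with the visible From: domain, and returns the requested disposition."""

def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, dmarc_txt, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (result, disposition).
    spf_pass_domain:  MAIL FROM domain, only when SPF returned pass.
    dkim_pass_domain: d= of a DKIM signature that verified, if any.
    Disposition is 'none', 'quarantine' or 'reject' (the record's p= tag)."""
    rec = parse_dmarc(dmarc_txt)
    if rec.get("v") != "DMARC1":
        return ("none", "none")  # no usable policy published
    spf_ok = aligned(spf_pass_domain, from_domain, rec.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", rec.get("p", "none"))

# Constructed record, as example.com's owner might publish it at _dmarc.example.com
EXAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Spoofed From: header; SPF passed only for the sender's own, unrelated domain.
    print(dmarc_evaluate("example.com", EXAMPLE_DMARC, spf_pass_domain="mail.unrelated.test"))
```

With `adkim=s` a DKIM signature from a subdomain no longer counts as aligned, which is why a relaxed SPF alignment on `bounce.example.com` passes while strict DKIM alignment on the same name fails.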

FAQs

Is domain spoofing the same as phishing?

No. Phishing is a broader social engineering attack. Spoofing is one technique attackers use to make phishing messages look trustworthy.

Do SPF, DKIM, and DMARC stop all domain spoofing?

No. They reduce unauthorized use of a real domain, but they do not stop every lookalike domain, compromised account, or social engineering attempt.

Who do attackers target?

Attackers target employees, finance teams, executives, customers, vendors, and partners: anyone likely to trust a familiar domain.