How to Prevent Email Spoofing of Your Domain
Email spoofing is when scammers forge your domain as the sender. Three DNS records — SPF, DKIM and DMARC — together make spoofing far harder and protect your reputation.
Step-by-step
- Set up SPF and DKIM first. Open Email → Email Deliverability and Repair any invalid records — see SPF and DKIM.
- Confirm both show Valid for your domain.
- Add a DMARC record to tell receivers what to do with mail that fails SPF/DKIM — see setting up DMARC.
- Start DMARC in monitoring mode (p=none) so you can watch reports without blocking anything.
- Tighten gradually to quarantine and then reject once you confirm your legitimate mail passes.
- Test by emailing a Gmail account and checking Show original for SPF, DKIM and DMARC all passing.
💡 Good to know
- All three records work together — SPF and DKIM authenticate, DMARC sets policy.
- Move to a strict DMARC policy only after confirming your real mail passes, to avoid blocking yourself.
- These records also improve your inbox placement — see reducing bounces.