
Email Spoofing Explained: Why 'From' Lies

Daniel Okoro · Security Writer, SecureTempMail · 6 min read

The email "From" address was never designed to be trustworthy. Spoofing exploits that.

How spoofing works

SMTP lets a sender claim almost any "From" address. Without authentication, your bank's domain can be impersonated by anyone.

The defenses

  • SPF lists which servers may send for a domain.
  • DKIM cryptographically signs messages.
  • DMARC tells receivers what to do when SPF/DKIM fail.
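
How a receiver can apply these three checks to the visible "From" domain, as an added example (not code from the original article). The hostnames, domains and sample message are constructed, the `Authentication-Results` header is assumed to be stamped by your own mail server, and the alignment test is a simplification of DMARC's.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims bank.example, but SPF and DKIM
# passed for an unrelated sending domain. All names here are made up.
SPOOFED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.mailer.example;
 dkim=pass header.d=mailer.example
From: "Your Bank" <alerts@bank.example>
Subject: Verify your account

Body text.
"""
# Same message, but authenticated by the domain shown in From.
LEGIT = (SPOOFED.replace("bounce.mailer.example", "mail.bank.example")
                .replace("header.d=mailer.example", "header.d=bank.example"))

def aligned(auth_domain, from_domain):
    # Simplification: real DMARC relaxed alignment compares organizational
    # domains using the Public Suffix List; here the authenticated domain
    # must equal the From domain or be a subdomain of it.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)

def _result(ar, method, prop):
    # Pull "<method>=<result> ... <prop>=<domain>" out of one header value.
    m = re.search(rf"\b{method}=(\w+)[^;]*?\b{re.escape(prop)}=(?:[^\s;@]+@)?([\w.-]+)", ar)
    return (m.group(1).lower(), m.group(2)) if m else ("none", "")

def check(raw, trusted_authserv="mx.receiver.example"):
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2]
    # Only trust results stamped by our own receiver; a sender can add
    # a forged Authentication-Results header of their own.
    ar = " ".join(h for h in msg.get_all("Authentication-Results", [])
                  if h.split(";")[0].strip().lower() == trusted_authserv)
    spf, spf_dom = _result(ar, "spf", "smtp.mailfrom")
    dkim, dkim_dom = _result(ar, "dkim", "header.d")
    spf_ok = spf == "pass" and aligned(spf_dom, from_domain)
    dkim_ok = dkim == "pass" and aligned(dkim_dom, from_domain)
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

In the spoofed sample both SPF and DKIM report `pass`, yet neither result is for the domain shown in "From", which is the gap DMARC alignment closes.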

Read the deep dive in SPF, DKIM and DMARC explained.

What you can do

Don't trust the display name. Verify unexpected requests through a known channel, and use disposable addresses so a spoofed message to a throwaway inbox can't reach your real identity.