What is Email Spoofing? A Plain English Guide
You receive an email from your bank asking you to verify your account. The "From" address looks legitimate. But is it really from your bank? Maybe not. Welcome to the world of email spoofing.
Key Takeaways
- Email spoofing is when scammers forge the "From" address to impersonate someone else
- Like a fake return address on a letter - anyone can write anything
- SPF, DKIM, and DMARC are email authentication protocols designed to detect and block spoofed mail
- Domains without protection can be spoofed by anyone with zero skill
- Use TrustNope to check if a domain can be spoofed before trusting an email
The Envelope Analogy
Think of email like a physical letter. When you receive a letter, you see a return address on the envelope. But here's the thing: anyone can write any return address they want.
Nothing stops someone from writing "The White House, Washington DC" on an envelope and dropping it in the mail. The postal service will still deliver it.
Email works similarly. The "From" address you see? Anyone can set it to anything. Without proper protection, scammers can send emails that appear to come from your bank, your boss, or any company they choose.
The Scary Part
Basic email spoofing requires zero technical skill. There are websites where anyone can send emails appearing to come from any address. That's why email authentication protocols (SPF, DKIM, DMARC) were created.
Why Do Scammers Spoof Emails?
Spoofing makes scam emails more believable. If you receive an email from "no-reply@yourbank.com" about a security issue, you're more likely to click than if it came from "xyzscammer@random.com".
Common spoofing scams include:
- Fake invoices - "Your invoice from [Supplier] is attached" with malware
- Bank alerts - "Your account has been compromised, click here to secure it"
- Delivery notices - "Your package couldn't be delivered, pay $2 to reschedule"
- CEO fraud - "This is urgent, wire $50,000 to this account immediately"
How Can Businesses Prevent Spoofing?
Legitimate businesses can (and should) set up email authentication: SPF, DKIM, and DMARC. These are like digital signatures that prove an email actually came from the claimed sender.
When properly configured, these protocols tell email providers: "Only accept emails from our domain if they pass these checks. Block or quarantine everything else."
That's What TrustNope Checks
When you enter a domain in TrustNope, we check whether these protections are in place. A "Trust" verdict means the domain is well-protected against spoofing. A "Nope" means it's wide open.
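As an added illustration of the kind of DNS check such a verdict rests on (example code written for this guide, not TrustNope's own implementation): the functions below parse a domain's SPF and DMARC TXT records and return a Trust/Nope verdict with reasons. The sample records, the domain names and the rule that an enforcing DMARC policy decides the verdict are my assumptions; the page does not describe TrustNope's actual scoring.

```python
import re

# Constructed sample DNS TXT data (no live lookups): record name -> list of TXT strings.
SAMPLE_DNS = {
    "protected.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.protected.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@protected.example"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "open.example": ["site-verification=constructed-placeholder"],
}

def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' mechanism: '-' hard fail, '~' soft fail, '?' neutral, '+' pass.
    Returns None when the name has no v=spf1 record or more than one (RFC 7208 treats that as an error)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0].lower())
    if not m:
        return "?"            # no 'all' term: RFC 7208 default result is neutral
    return m.group(1) or "+"  # bare 'all' means '+all' (every sender passes)

def dmarc_tags(records):
    """Parse the first v=DMARC1 record into a tag dict; None when the name has no DMARC record."""
    for r in records:
        if r.strip().lower().startswith("v=dmarc1"):
            return {k.strip().lower(): v.strip() for k, v in
                    (t.split("=", 1) for t in r.split(";") if "=" in t)}
    return None

def verdict(dns, domain):
    """Return ('Trust'|'Nope', reasons). DMARC is the deciding record (assumed rule): only DMARC ties
    SPF/DKIM to the header From that users see, and only p=quarantine/p=reject tells receivers to act."""
    reasons = []
    spf = spf_all_qualifier(dns.get(domain, []))
    dmarc = dmarc_tags(dns.get("_dmarc." + domain, []))
    if spf is None:
        reasons.append("no SPF record")
    elif spf in ("+", "?"):
        reasons.append(f"SPF '{spf}all' lets any sender pass")
    elif spf == "~":
        reasons.append("SPF softfail only (~all)")
    if dmarc is None:
        reasons.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC p={policy or 'missing'} does not enforce")
        if dmarc.get("pct", "100") != "100":
            reasons.append(f"DMARC pct={dmarc['pct']} applies the policy to only part of the mail")
    enforcing = dmarc is not None and dmarc.get("p", "").lower() in ("quarantine", "reject")
    return ("Trust" if enforcing else "Nope"), reasons
```

To run this against a real domain, replace the dictionary lookups with TXT queries for the domain and for `_dmarc.<domain>`; DKIM cannot be checked the same way because its selector names are not discoverable from DNS alone.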
What You Can Do
1. Check the domain - Use TrustNope (when available) to see if a domain can be easily spoofed
2. Verify through official channels - If an email asks for action, go to the company's website directly (don't click the link)
3. Look for red flags - Urgency, unusual requests, and threats are warning signs
4. When in doubt, call - Use a phone number from the official website, not from the email
The Bottom Line
Email spoofing is surprisingly easy - and that's exactly why email authentication exists. Legitimate businesses protect their domains. When they don't, anyone can send emails in their name.
TrustNope helps you see at a glance whether a domain is protected. But remember: even protected domains can have compromised accounts, so always verify unusual requests.