Is Someone Spoofing My Email Domain?
If customers or staff are getting emails that look like they came from your company but did not, you are right to take it seriously. Before you can fix it, you need to know which of two very different problems you have, because the solution for one does almost nothing for the other.
The crucial difference: exact spoofing vs lookalike
There are two ways a scammer can pretend to be you by email:
- Exact-domain spoofing. The email claims to come from your real address, for example [email protected]. The scammer forges your actual domain.
- Lookalike-domain email. The email comes from an address that is almost yours but not quite, such as yourcompany-billing.com or yourcompany.net. To a busy reader it looks right, but it is a different domain that the scammer genuinely owns.
This distinction is the whole game. The defenses that stop one do nothing for the other, so identifying which you face is the first real step.
How to check which one it is
You do not need technical tools to start:
- Ask whoever received the email to read the real sending address carefully. Not the display name (which is easy to fake), but the actual address after the @ sign. On a phone, tap the sender name to reveal it.
- Compare it letter by letter to your real domain. If it matches exactly, you are likely dealing with exact-domain spoofing. If there is any difference at all (an added word, a hyphen, a different ending), it is a lookalike.
- Check your email protections. Three settings, called SPF, DKIM, and DMARC, tell the world which servers may send email as you. We explain them in plain language in SPF, DKIM, and DMARC explained.
What actually stops each type
| Problem | What stops it |
|---|---|
| Exact-domain spoofing (your real address forged) | A DMARC policy set to reject, backed by SPF and DKIM. This tells receiving mail systems to refuse forged messages. |
| Lookalike-domain email (a similar address) | DMARC does nothing here. The only defense is finding the lookalike domain and getting it removed. |
Read that table twice, because it is the point most people miss. Setting your DMARC policy to reject is the single best move against someone forging your exact address, and you should do it. But it cannot touch a lookalike domain, because that domain is not yours and the scammer is sending legitimate email from a domain they truly control. No email setting on your side can block another person's domain.
Catching mail-capable lookalikes
So how do you defend against lookalike email? You find the lookalike domains before they are used. A domain that is set up to send email leaves visible signs, and a near-copy of your name that is mail-capable is a strong warning that a scam is being prepared. Watching for these continuously is the only reliable way to get ahead of it. VigilDNS monitors for lookalike domains around the clock and specifically flags the ones that are configured to send email as you, so you can report them before your customers are targeted. Plans start at $79 per month on the pricing page.
Your action plan
- Set DMARC to reject (with SPF and DKIM in place) to shut down exact-domain spoofing. See SPF, DKIM, and DMARC explained.
- Check for lookalike domains that could be sending mail as you. Our free typosquat checker shows the close variations of your domain in seconds.
- Report any lookalike you find to its host and registrar. See how to report a copycat website.
- Warn customers with a brief, calm notice about what your real emails look like.
If the lookalike also hosts a fake site, read fake website using my business name for the full response.
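As an added illustration (not VigilDNS's own tool or code), here is a small Python script that performs the checks described above: it compares the sending address letter by letter with your real domain, looks for the DNS signs of a mail-capable lookalike (an MX record or an SPF record), and reads your own domain's DMARC policy. The DNS answers come from a constructed lookup table so the script runs offline; the domain names, the sample records and the short list of variants are assumptions made for the example, not live data.

```python
import re
from typing import Callable, List, Optional

# Constructed DNS answers used in place of live lookups (sample data for this example only).
FAKE_DNS = {
    ("yourcompany.com", "MX"): ["10 mail.yourcompany.com."],
    ("yourcompany.com", "TXT"): ["v=spf1 mx -all"],
    ("_dmarc.yourcompany.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com"],
    ("yourcompany-billing.com", "MX"): ["10 mx.freemail.example."],  # lookalike set up for mail
    ("yourcompany-billing.com", "TXT"): ["v=spf1 include:freemail.example ~all"],
    ("yourcompany.net", "TXT"): ["site-verification=abc123"],  # registered, but not mail-capable
}
Resolver = Callable[[str, str], List[str]]  # a DNS lookup: (name, record type) -> answers

def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query; pass a function that does live queries to check real domains."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])

def classify_sender(sender: str, your_domain: str) -> str:
    """Compare the real address after the @ sign, letter by letter, with your own domain."""
    domain = sender.rsplit("@", 1)[-1].strip(" >").lower().rstrip(".")
    return "exact-domain" if domain == your_domain.lower() else "lookalike"

def lookalike_variants(domain: str) -> List[str]:
    """Near-copies of the kinds the article names: a different ending, an added word."""
    name, _, tld = domain.lower().rpartition(".")
    variants = {f"{name}.{t}" for t in ("net", "org", "co")}
    variants |= {f"{name}-{w}.{tld}" for w in ("billing", "support", "secure")}
    variants.discard(domain.lower())
    return sorted(variants)

def mail_capable(domain: str, resolve: Resolver = fake_resolve) -> bool:
    """A domain with an MX record or an SPF (v=spf1) TXT record is set up for email."""
    if resolve(domain, "MX"):
        return True
    return any(r.lower().startswith("v=spf1") for r in resolve(domain, "TXT"))

def dmarc_policy(domain: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Return the p= value (none, quarantine or reject) of the domain's DMARC record, if any."""
    for rec in resolve(f"_dmarc.{domain}", "TXT"):
        match = re.search(r"\bp=(none|quarantine|reject)\b", rec, re.I)
        if rec.lower().startswith("v=dmarc1") and match:
            return match.group(1).lower()
    return None

def triage(domain: str, resolve: Resolver = fake_resolve) -> dict:
    """Your DMARC policy plus the near-copies of your domain that are set up to send mail."""
    lookalikes = [v for v in lookalike_variants(domain) if mail_capable(v, resolve)]
    return {"dmarc_policy": dmarc_policy(domain, resolve), "mail_capable_lookalikes": lookalikes}
```

With the sample table, `triage("yourcompany.com")` reports a reject policy on your own domain and flags `yourcompany-billing.com` as the one variant that is mail-capable; a real monitoring service would generate far more variants and query live DNS.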
Frequently asked questions
Will DMARC stop all fake emails from my company?
No. DMARC at a reject policy stops messages that forge your exact domain, but it cannot stop email from a lookalike domain, which is a different domain the scammer owns.
How can I tell if it is my real domain or a lookalike?
Have the recipient read the actual address after the @ sign and compare it letter by letter to yours. Any difference, even a hyphen or different ending, means it is a lookalike.
Can I block someone else's lookalike domain from my settings?
No. You cannot control a domain you do not own. The fix is to find the lookalike and have it taken down, which is why continuous monitoring matters.
Check the lookalike versions of your domain that could send email as you with our free typosquat checker, then explore monitoring on the pricing page.