
How anyone can email as you — and how to stop them

Picture this. One of your customers gets an email from your address — your name, your company, a perfectly normal-looking message — saying your bank details have changed and asking them to pay the next invoice to a new account. They pay it. The money’s gone. The catch? You never sent that email. A criminal did, using your address. And unless you’ve taken a specific step to stop it, it’s frighteningly easy to do.

Why anyone can pretend to be you

Here’s the uncomfortable truth: email was designed in a more trusting era, with no built-in way to check who actually sent a message. The “From” address you see is just a label — a bit like the sender’s name written on the back of an envelope. Nothing about the postal system stops someone writing your name there.

That means a scammer can send an email that says it’s from you@yourcompany.co.uk without ever touching your account, your password or your computer. They don’t need to hack anything. They just forge the label. This is called email spoofing, and it’s the engine behind invoice fraud, CEO fraud and a huge share of the phishing that lands in your customers’ inboxes.

Why this is so dangerous for a business

When the spoofed email carries your name, it borrows your trust. That’s exactly why it works:

  • Invoice and payment fraud. A fake “our bank details have changed” email to a customer or supplier can redirect a real payment straight to a criminal — one of the most common and costly scams hitting UK businesses.
  • CEO fraud. A message that looks like it’s from the boss asking a staff member to buy gift cards or make an urgent transfer — people act fast when the “sender” is the MD.
  • Phishing in your name. Criminals use your domain to send convincing scam emails to your clients, partners and the wider public — and your brand wears the damage.
  • Reputation you can’t easily win back. Once a customer has been stung by an email “from you,” the trust is hard to rebuild — even though the breach was never on your side.

The fix: tell the world which emails are really yours

The good news is that this is a solved problem — you just have to switch the protection on. It rests on three DNS records that work together to prove a message genuinely came from you:

  • SPF — a published list of the servers allowed to send email for your domain. Think of it as the guest list on the door.
  • DKIM — a tamper-proof digital seal on every message, so the receiver can confirm it really came from your domain and wasn’t altered in transit.
  • DMARC — the rule that ties the two together and, crucially, tells the receiving server what to do with mail that fails the checks. This is the one that actually stops spoofing.

DMARC is the star of the show. With it set to an enforcement policy, you’re effectively telling Microsoft, Google and every other mail provider: “If a message claims to be from my domain but can’t prove it, reject it.” The forged email never reaches your customer’s inbox — it’s binned before it’s seen.
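How a receiving server actually applies that rule, as an added example in Python (not the page's code nor any mail provider's): DMARC passes only when SPF or DKIM passed *and* that identifier aligns with the visible From domain, otherwise the owner's p= policy decides. The suffix list and the two sample messages are constructed.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List, so that
# "yourcompany.co.uk" (not "co.uk") counts as the organisational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

def organizational_domain(domain: str) -> str:
    """mail.yourcompany.co.uk -> yourcompany.co.uk (longest public suffix wins)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

@dataclass
class AuthResult:
    spf_domain: str    # MAIL FROM domain that SPF was evaluated for
    spf_pass: bool
    dkim_domain: str   # d= tag of a verified DKIM signature, "" if none
    dkim_pass: bool

def dmarc_disposition(from_domain: str, auth: AuthResult, policy: str,
                      aspf: str = "r", adkim: str = "r") -> tuple[bool, str]:
    """Return (dmarc_passed, action) for one message. DMARC passes when SPF or
    DKIM passed *and* that identifier aligns with the visible From domain;
    otherwise the domain owner's p= policy decides what happens."""
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, aspf)
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, adkim)
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy]

# Constructed forged invoice: From says yourcompany.co.uk, but the mail was
# relayed through the criminal's own server, whose SPF passes for *its* domain.
FORGED = AuthResult("bulk-relay.example", True, "", False)
# Constructed genuine message signed with the company's own DKIM key.
GENUINE = AuthResult("bounce.yourcompany.co.uk", True, "yourcompany.co.uk", True)
```

Note that the forged message passes SPF for the criminal's domain; it is the alignment check against the From domain, enforced by p=reject, that stops it.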

Why most businesses are still wide open

Here’s the part that catches people out: simply having a DMARC record isn’t the same as being protected. DMARC has three settings, and the difference between them is everything:

  1. p=none — “monitor only.” You get reports on who’s sending as you, but spoofed mail is still delivered. A useful starting point — and where a surprising number of businesses get stuck, thinking they’re covered when they aren’t.
  2. p=quarantine — failing mail is sent to junk.
  3. p=reject — failing mail is blocked outright. This is the goal: full protection.

Plenty of domains have SPF and DKIM but no DMARC at all, or a DMARC record sat on p=none for years. In both cases, a criminal can still email as you. The protection only bites once you move to enforcement.

Since 2024, Microsoft, Google and Yahoo have required proper authentication from anyone sending business email — so getting this right now protects your deliverability and your customers at the same time.

How to check whether you’re exposed

You don’t have to guess, and you don’t need to be technical. Your SPF, DKIM and DMARC records are public — anyone can look them up, including you.

We built a free email security checker that does it in seconds: pop in your domain and it reads your records and tells you, in plain English, whether someone could currently spoof your domain — and exactly which gap is leaving the door open. No jargon, no sign-up.

How to lock it down properly

Once you know where you stand, shutting the door is a methodical job:

  1. Get SPF and DKIM right first — making sure every legitimate service that sends on your behalf (Microsoft 365, your CRM, accounting and marketing tools) is properly authorised.
  2. Turn on DMARC in monitor mode (p=none) and read the reports, so you can see every source sending as you — the good and the bad.
  3. Fix any legitimate senders that are failing, so nothing real gets caught when you tighten up.
  4. Move to enforcement — step up to p=quarantine and then p=reject, at which point forged email in your name stops reaching anyone.
  5. Keep monitoring. New tools get added over time, so it’s worth keeping an eye on the reports to make sure protection stays watertight.
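The record checks the checker section describes, run against the rollout stages above, as an added example in Python (not the free checker's own code): it parses the SPF and DMARC TXT records for a domain and lists the gaps that leave it spoofable. The zone data is constructed and `lookup_txt` is a hypothetical stand-in for a real DNS query; DKIM is left out because its key sits under a selector name the checker must already know.

```python
import re

# Constructed zone data standing in for DNS TXT lookups: no DMARC, p=none, enforcement.
TXT_RECORDS = {
    "open.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "monitor.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "locked.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.locked.example": ["v=DMARC1; p=reject; sp=reject; pct=100; "
                              "rua=mailto:dmarc@locked.example"],
}

def lookup_txt(name: str) -> list[str]:
    """Hypothetical resolver: replace with a real DNS TXT query to check live domains."""
    return TXT_RECORDS.get(name, [])

def parse_spf(domain: str):
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:  # none, or several: receivers treat both as no usable SPF
        return None
    all_term = next((t for t in recs[0].split() if t.endswith("all")), "?all")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # bare "all" means +all
    return {"record": recs[0], "all": qualifier}

def parse_dmarc(domain: str):
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    return {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", recs[0])}

def spoofing_gaps(domain: str) -> list[str]:
    """Gaps that would let forged mail claiming to be from `domain` reach inboxes.
    DKIM is assumed to be checked separately (its selector name is needed)."""
    gaps, spf, dmarc = [], parse_spf(domain), parse_dmarc(domain)
    if spf is None:
        gaps.append("no usable SPF record")
    elif spf["all"] == "+":
        gaps.append("SPF ends in +all, so every server is authorised")
    if dmarc is None:
        gaps.append("no DMARC record, so receivers are never told to reject failures")
        return gaps
    p = dmarc.get("p", "none")
    if p == "none":
        gaps.append("DMARC p=none: forged mail is reported but still delivered")
    elif int(dmarc.get("pct", "100")) < 100:
        gaps.append("pct below 100: only a sample of failing mail is policed")
    if dmarc.get("sp", p) == "none" and p != "none":
        gaps.append("sp=none: subdomains of the domain are still spoofable")
    return gaps
```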

Done carefully, this stops criminals using your domain and helps your genuine email land in the inbox — the same records do both jobs.

The bottom line

Email spoofing isn’t a hack — it’s an open door, and most businesses are leaving it open without realising. The fix is a one-off, behind-the-scenes job that pays off every single day: your customers stop receiving scams in your name, and your real emails get trusted. If you’re not certain your domain is protected, it’s well worth the ten seconds it takes to find out, and if there’s a gap, we’ll help you close it properly.

Could someone spoof your domain right now?

Run your domain through our free email security checker — it reads your SPF, DKIM and DMARC records and tells you, in plain English, whether a criminal could currently email as you, and where you’re exposed.

Written by Alex Harvey, CEO & Founder, Snap IT