Someone is sending emails with my address: what to do

A client calls: they received an 'invoice' from your company… that you never sent. It is probably not a hack of your mailbox — it is domain spoofing, and it can be blocked.

In short: if your domain has no DMARC policy in blocking mode, anyone on the Internet can send emails displaying your address — without ever touching your accounts. Check for free in 15 seconds whether your domain is vulnerable, then follow the 3 steps below to close the door.

First: hacked account or spoofing?

Two very different situations:

  1. Spoofing (the most common case) — the fraudster has access to nothing of yours. They forge emails that display your address, like writing a fake sender name on the back of an envelope. Your accounts are not compromised; it is your domain that is unprotected.
  2. Hacked account — the fake emails really leave from your mailbox (you see them in your sent items). In that case: change the password immediately, enable two-factor authentication, check auto-forwarding rules.

Quick clue: if the fake emails are not in your sent items, it is almost certainly spoofing.

Why it is possible

Email, designed in the 1980s, does not verify the sender by default. Three modern protections close that hole: SPF (the list of servers allowed to send for you), DKIM (a digital signature) and above all DMARC — the instruction given to providers: "if an email claims to come from me but fails the checks, reject it". Without DMARC in blocking mode, fake emails get through.

"I already have SPF — I am protected, right?"

No, and it is the most widespread misunderstanding. An email actually has two senders: the envelope address (invisible, used by servers — like the return address on the back of a postal envelope) and the displayed address — the "From:" your client reads. SPF only checks the envelope. A fraudster therefore sends their message with an envelope pointing to their own domain (which passes SPF just fine) while displaying your address in the From field. DMARC is what closes that door, by requiring the verified domain to match the displayed one — and instructing receivers to reject otherwise. SPF is necessary, but on its own it does not stop someone from displaying your name.
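The check described above, as an added example that is not part of the original article: a simplified DMARC evaluation showing why a message that passes SPF for the sender's own envelope domain is still delivered unless the displayed domain publishes an enforcing policy. The sample messages and the example.com / example.net names are constructed, and the code assumes relaxed alignment with the organizational domain taken as the last two labels (real receivers use the Public Suffix List and also honour tags such as pct and sp).

```python
"""Simplified DMARC evaluation (illustrative; relaxed alignment only)."""

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain shares the From organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, dmarc_txt):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    from_domain = msg["header_from"].rsplit("@", 1)[1]
    env_domain = msg["envelope_from"].rsplit("@", 1)[1]
    # An SPF or DKIM pass only counts if it is for the domain shown in From.
    spf_ok = msg["spf"] == "pass" and aligned(env_domain, from_domain)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_d"], from_domain)
    if spf_ok or dkim_ok:
        return "deliver"
    policy = parse_dmarc(dmarc_txt or "")
    p = policy["p"].lower() if policy else "none"
    # No record or p=none: the failure is at most reported, not blocked.
    return p if p in ("quarantine", "reject") else "deliver"

# Constructed samples: SPF passes for the envelope domain in both cases.
SPOOFED = {"envelope_from": "bounce@mailer.example.net", "spf": "pass",
           "header_from": "billing@example.com", "dkim": "none", "dkim_d": ""}
LEGIT = {"envelope_from": "bounce@mail.example.com", "spf": "pass",
         "header_from": "billing@example.com", "dkim": "pass", "dkim_d": "example.com"}

if __name__ == "__main__":
    for record in (None, "v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(record, "->", dmarc_disposition(SPOOFED, record), "/", dmarc_disposition(LEGIT, record))
```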

The 3 steps to end it

  1. Measure your exposure — the free check tells you in 15 seconds whether your domain can be spoofed (the "spoofing risk" verdict at the top of the report).
  2. Put up the protections — the free action plan gives you the exact DNS records for your situation, to copy-paste or forward to your webmaster. Start with DMARC in monitoring mode (p=none), then move up to "quarantine" and "reject".
  3. Watch who sends in your name — DMARC reports reveal every server sending (or trying to send) for your domain. Our guides and our automatic analysis translate them into plain language: your real tools on one side, the spoofers on the other.

What to tell your clients in the meantime

Warn them without delay (a short email or a note on your site): "fraudulent emails are circulating in our name; we never request payment to a new account without phone confirmation." It is also good practice under privacy laws that require you to prevent this kind of incident.

Can it happen to us even though "we are too small"?

Small businesses are precisely who fraudsters target: large companies already have DMARC at "reject", small ones do not. Forging 500 fake invoices in your name costs a few dollars; dealing with them costs your reputation. Closing the door takes less than an hour — start with the test.
