Understanding Email Authentication: Why are customers receiving fake emails from my business?
You probably haven’t been hacked. That’s the good news.
The bad news? Hackers can send emails that look like they come from your business without ever gaining access to your systems. We call that email spoofing.
That’s where email authentication comes in.
Unfortunately, email authentication is something many small businesses either don’t fully understand, don’t fully implement, or don’t configure correctly. And it’s not a one-and-done setup, but requires ongoing monitoring and attention.
In this blog, we’ll break down email spoofing and how to stop it.
Key takeaways
- Spoofing is when bad actors disguise themselves as trusted parties to deliver malware or steal sensitive information.
- Email authentication was designed to verify an email sender’s identity.
- Email authentication is built around three pillars: SPF, DKIM, and DMARC.
- Small businesses often fall short when configuring their email authentication.
- Managed service providers help small businesses configure email authentication while providing critical ongoing support.
Understanding Spoofing
You’ve probably heard about spoofing before – heck, you’ve probably been spoofed. Spoofing is a social engineering tactic where cybercriminals disguise themselves as trusted parties to deliver malware or steal sensitive information.
In this case, attackers are impersonating your business, your domain, or your employees.
For example, a client might receive an email that appears to come from your company:
“Click here to view our latest promotion before it expires!”
Because this message looks like it came from you, it’s easy to fall for. One click later, and they’ve downloaded a virus or accidentally handed over sensitive information.
Why Spoofing Is So Easy
Email has been around for decades, and its core design hasn’t changed much. It was never built with strong identity verification in mind, and attackers have learned how to take advantage of that.
The thing is, your inbox will usually display whatever “From” name and address it’s given. In many cases, it doesn’t automatically verify that the sender is actually who they say they are.
All a cybercriminal has to do is make an email look like it’s coming from a trusted source, even though it very much isn’t.
A hacker can:
- Pretend to send emails from your domain (your official email address, like “@company.com”).
- Use lookalike domains (e.g., company-co.com).
- Copy employee names or email formats from websites, social media, or data breaches.
They don’t need access to your systems to impersonate you or your business.
What Is Email Authentication?
Email authentication helps confirm that a sender is who they say they are, protecting both the recipient and the sender’s brand. With email authentication, you:
- Better secure your company from spoofed and phishing emails.
- Improve email deliverability (your emails are more likely to reach inboxes instead of spam folders).
- Protect your brand reputation by reducing the risk of bad actors using your brand to spoof clients.
- Support compliance and cybersecurity requirements such as HIPAA, SOC 2, PCI DSS, and more.
- Provide visibility into suspicious email activity.
To understand this system, you need to know the three pillars email authentication is built around and how they prevent spoofing.
The Pillars of Email Authentication
SPF (Sender Policy Framework)
SPF tells receiving email systems which mail servers are allowed to send email for your domain.
Why does that matter?
Because a lot of your emails don’t come directly from you. Tools like QuickBooks, HubSpot, or Salesforce can send out invoices, marketing emails, and support tickets on your behalf. SPF simply lists these tools as “approved senders.”
When an email comes in, the receiving system checks whether the server that delivered it is on the approved list for your domain. If yes, it’s more likely to be trusted. If not, it raises a red flag. This helps email systems tell the difference between your real emails and a hacker’s spoof attempt.
DKIM (DomainKeys Identified Mail)
While SPF checks the sender, DKIM checks the message itself.
Think of it like adding a wax seal on an envelope. The seal lets the receiving system detect a common hacker tactic known as a “man-in-the-middle” attack, where a hacker intercepts your email and changes its content (like swapping bank details or replacing a safe link with a malicious one) before it reaches the recipient: if the content was altered after it was sealed, the seal no longer checks out.
Because the “seal” is made with a private key that only your domain holds (and verified against a public key published in your domain’s DNS), a hacker trying to impersonate you won’t have your specific digital seal. When the email arrives, the receiving system checks the seal; if it doesn’t verify, the message fails DKIM, and your DMARC policy decides what happens to it.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the “enforcement layer” that ties everything together. It tells receiving systems what to do if an email sender isn’t on your approved list (SPF) or has a broken seal (DKIM). Depending on your settings, it can:
- Reject the email entirely so it never reaches the recipient.
- Send it to spam or quarantine to keep it out of the main inbox.
- Deliver it normally and only report it (“monitoring mode,” where nothing is blocked).
It also provides reports that show you exactly who is trying to use your domain, helping you spot spoofing attempts and unauthorized senders.
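An added example (not code from the original post) of how a receiving system applies a DMARC policy. It goes one step beyond the text: DMARC only counts an SPF or DKIM pass if the domain that passed “aligns” with the domain shown in the From: header, which is exactly what a spoof lacks. All domains and scenarios are assumed.

```python
from dataclasses import dataclass


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment: the authenticated domain is the visible From:
    domain or one of its subdomains (e.g. bounce.company.com vs company.com)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


@dataclass
class Message:
    from_domain: str   # domain in the visible From: header (what the reader sees)
    spf_result: str    # "pass" / "fail" for the envelope sender (MAIL FROM) domain
    spf_domain: str    # envelope sender domain that SPF was checked against
    dkim_result: str   # "pass" / "fail" for the DKIM signature ("seal")
    dkim_domain: str   # d= domain named in the DKIM signature


def dmarc_disposition(msg: Message, policy: str) -> str:
    """Apply a DMARC p= policy: returns 'deliver', 'quarantine' or 'reject'."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain)
    if spf_ok or dkim_ok:
        return "deliver"      # DMARC pass: an aligned SPF or DKIM check succeeded
    if policy == "reject":
        return "reject"       # never reaches the recipient
    if policy == "quarantine":
        return "quarantine"   # lands in spam / quarantine
    return "deliver"          # p=none: delivered normally and only reported


# Constructed scenarios (not real traffic); all domains are assumed.
genuine = Message("company.com", "pass", "company.com", "pass", "company.com")
# Spoof: From: shows company.com, but SPF only passed for the attacker's own
# envelope domain and there is no valid company.com DKIM signature.
spoof = Message("company.com", "pass", "mailer.example.net", "fail", "")
# Approved tool sending through a bounce subdomain: still aligned (relaxed mode).
via_tool = Message("company.com", "pass", "bounce.company.com", "fail", "")

if __name__ == "__main__":
    for name, m in [("genuine", genuine), ("spoof", spoof), ("via_tool", via_tool)]:
        print(name, {p: dmarc_disposition(m, p) for p in ("none", "quarantine", "reject")})
```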
The Look-alike Email
There’s one thing we’ve only touched on, and the eagle-eyed readers may be wondering: What about look-alike emails?
Let’s say your email is me@me.com. If a hacker purchases the domain me1.com, they can technically set up their own “approved list” (SPF) and “wax seal” (DKIM) for that new domain. Because me1.com is a real domain they own, SPF, DKIM, and DMARC for me1.com will all pass: those checks prove the email really came from me1.com, not that me1.com is you.
So, what’s the answer? In truth, there really isn’t one “silver bullet” for these impersonators. Stopping them requires a combination of automated systems, constant traffic monitoring, and trained eyes to spot when a “me1.com” hits your client’s inboxes.
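One of the “trained eyes” can be automated. This added example (not code from the original post) flags inbound sender domains that resemble a protected domain without being it, using a small confusable-character map, a check for hidden separators, and an edit distance. The protected domain and the sample sender list are constructed for illustration.

```python
PROTECTED = "me.com"  # assumed: your own domain

# Small illustrative map of characters attackers swap for look-alikes.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "|": "l"}


def normalize(text: str) -> str:
    text = text.lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def squash(text: str) -> str:
    """Normalize and drop separators, so 'me-com' reads as 'mecom'."""
    return normalize(text).replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender: str, protected: str = PROTECTED, max_dist: int = 1) -> bool:
    """True when the sender domain resembles the protected domain but is not it.
    Short names are noisy at max_dist=1; tune the threshold to your domain."""
    s, p = sender.lower().strip("."), protected.lower()
    if s == p or s.endswith("." + p):
        return False                                   # our own domain or subdomain
    s_name, p_name = s.rpartition(".")[0], p.rpartition(".")[0]
    if normalize(s_name) == normalize(p_name):
        return True                                    # rne.com, me.net: same name
    if squash(s_name) == squash(p):
        return True                                    # me-com.com: hides the dot
    return edit_distance(normalize(s_name), normalize(p_name)) <= max_dist  # me1.com


# Constructed sample of sender domains seen in inbound mail (not real data).
SAMPLE_SENDERS = ["me.com", "mail.me.com", "me1.com", "rne.com",
                  "me-com.com", "me.net", "example.org"]


def flagged(senders=SAMPLE_SENDERS) -> list:
    return [d for d in senders if is_lookalike(d)]


if __name__ == "__main__":
    print(flagged())  # ['me1.com', 'rne.com', 'me-com.com', 'me.net']
```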
Where Small Businesses Go Wrong
Despite being available for years, many businesses have struggled with proper email authentication, and some fail to implement it altogether. This is often due to misconfiguring one of the key components (SPF, DKIM, DMARC) or skipping email authentication entirely.
Even when it is set up, many businesses don’t continue to monitor or adjust their authentication over time.
One of the most common mistakes is not fully implementing DMARC. Businesses tend to leave it in “monitoring mode” (a DMARC policy of p=none), which only reports who is sending emails using your domain, but doesn’t actually block anything. It’s like having a security guard who only records break-ins, but doesn’t stop them.
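The misconfigurations above can be caught with a quick audit of the TXT records a domain publishes. This added example (not code from the original post) parses constructed SPF and DMARC records and flags the mistakes described in the pillars section and here: a missing DMARC record, DMARC left at p=none, an SPF record that approves everyone, and a few related weak settings. Domain names and record contents are assumed; in practice you would fetch them from DNS.

```python
# Constructed DNS TXT records keyed by name (domains assumed; fetch from DNS in practice).
TXT_RECORDS = {
    "company.com": ["v=spf1 include:_spf.google.com include:spf.crm-tool.example -all"],
    "_dmarc.company.com": ["v=DMARC1; p=none; rua=mailto:dmarc@company.com"],
    "shop.example": ["v=spf1 +all"],        # and no _dmarc.shop.example record at all
}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dictionary (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain: str, records=TXT_RECORDS) -> list:
    """Return findings for a domain's SPF and DMARC records (empty list = none found)."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record, receivers cannot tell approved senders from spoofs")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF: '+all' approves every sender on the internet")
        elif "~all" in terms:
            findings.append("SPF: '~all' is softfail only, move to '-all' once the list is complete")
        if len(spf) > 1:
            findings.append("SPF: more than one record, receivers treat this as a permanent error")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record, spoofed mail is neither blocked nor reported")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitoring mode, nothing is blocked")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no reports")
        if policy != "none" and tags.get("sp", policy).lower() == "none":
            findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    for d in ("company.com", "shop.example"):
        print(d, audit(d))
```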
Why Having a Trusted Partner Is Key
Most small businesses simply don’t have the time or expertise to manage heavy email authentication, let alone comb through logs for look-alike domains. That’s where a managed service provider (MSP) comes in.
An MSP does far more than just configure your SPF, DKIM, and DMARC. As your business grows, new tools will need to be added to your SPF list, DMARC rules will need adjusting, and someone needs to look through all of those spoofing reports while shutting down look-alike attempts.
With 24/7/365 monitoring, you’ll have eyes in the digital skies, stopping the “me1.coms,” “me2.coms,” and “me3.coms” before they land in your clients’ or employees’ inboxes. Beyond security, an MSP will make sure your email systems align with evolving regulatory frameworks, so you don’t have to stay up at night wondering about new email policies or legal requirements.
An MSP has the bandwidth, the expertise, and the tools to make sure your email authentication never skips a beat.
Get Authenticated with The 20 MSP
Not all MSPs are created equal, so we’re cutting in line to introduce ourselves.
Hi, we’re The 20 MSP, and we’ve been helping our clients keep their inboxes spoof-free for over three decades now. We’ve got the tools, the know-how, and the talent to keep your systems safe and humming happily. The best part? It’s all for one predictable, flat-rate fee.
Want to chat email? Reach out today to start the conversation.
Want more tips like this?
Subscribe using the form on the right and get our latest insights delivered straight to your inbox.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.