Spoofing and phishing get used as if they mean the same thing, but they describe two different parts of an attack. Spoofing is the technique of forging a sender identity so a message looks like it came from someone it did not. Phishing is the goal of tricking a person into handing over credentials, approving a payment, or clicking a malicious link. One is the disguise, the other is the con, and knowing which one you face tells you exactly which defenses to deploy.
The core distinction
Think of spoofing as forgery and phishing as fraud. A spoofed email carries a fake sender identity in one or more places: the visible From header, the envelope sender, the display name, or a lookalike domain. Nothing about spoofing requires that the recipient be deceived into acting. It is purely impersonation at a technical level.
Phishing is the outcome the attacker actually wants. A phishing message uses social engineering to make you act against your own interest: enter your password on a fake login page, wire money to a new account, or open an attachment that installs malware. Phishing can succeed with or without spoofing. An attacker can register paypa1-security.com, send from a fully authenticated mailbox on that domain, and still run a convincing campaign because the fraud lives in the message content and the destination, not in a forged header.
| Attribute | Spoofing | Phishing |
|---|---|---|
| What it is | A technique that forges sender identity | A goal: fraud through deception |
| Layer | Technical (headers, domain, IP) | Human (social engineering) |
| Requires a victim to act? | No | Yes |
| Primary defense | Email authentication (SPF, DKIM, DMARC) | Training, content filtering, MFA |
| Example | Mail that appears to be from ceo@yourbank.com | An email urging a password reset on a fake site |
Where they overlap
In practice the two overlap constantly, because spoofing makes phishing more effective. If an attacker can put your bank's exact domain in the From field, the phishing message inherits the trust you already place in that brand. Domain spoofing is the delivery vehicle; phishing is the payload.
A classic business email compromise attack chains them together. The attacker spoofs the From address of a company executive, then sends a finance clerk an urgent request to change a supplier's bank details or push through a wire transfer. The spoof supplies credibility, and the phishing message supplies the fraudulent instruction. For a step-by-step defense playbook for exactly this scenario, see the business email compromise checklist.
Not every phishing attack relies on spoofing, though. Attackers increasingly use cousin domains (lookalikes such as rn in place of m), compromised legitimate accounts, or free webmail addresses with only a spoofed display name. These bypass domain-level authentication entirely, because the sending domain is technically genuine, which is why phishing needs a broader defense than spoofing does.
Types of spoofing you will encounter
Spoofing is not a single trick. Several distinct forgeries show up in email:
- Exact-domain spoofing. The `From` header shows your real domain, `you@yourcompany.com`. This is the type email authentication was built to stop.
- Display-name spoofing. The `From` reads `Your CEO <attacker@gmail.com>`. The domain is not yours, so authentication passes for the attacker's real domain, and the forgery lives only in the friendly name that most mail apps show by default while hiding the address.
- Cousin or lookalike domains. A registered domain that resembles yours, such as `yourcompany-support.com` or `yourcornpany.com`. Authentication passes because the attacker controls that domain and publishes valid records for it.
- Envelope spoofing. The hidden envelope sender (the `MAIL FROM`, also called the Return-Path) differs from the visible `From`. SPF only ever checks the envelope sender, so an attacker can pass SPF on a domain they own while forging yours in the header. Legitimate bulk senders also use a different envelope domain, which is why the mismatch alone proves nothing: DMARC alignment is what ties the authenticated domain back to the visible `From` and exposes a forged one.
For a fuller breakdown of how forged headers are constructed and detected, read what is email spoofing.
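The four forgery types above can be told apart from two header fields before any DNS lookup happens. The following is an added example written for this article, not code from the article or from any product: a small classifier over the visible `From` and the Return-Path. The protected domain list, the executive names, the confusable-character table and the sample headers are all constructed for illustration; the organizational-domain helper is a deliberate simplification that a real gateway would replace with the Public Suffix List.

```python
"""Classify the kind of sender-identity forgery a message carries.

Added example for this article, not code from the article or any product. The
protected domains and names, the confusable table and the sample headers are
all constructed for illustration; a gateway would feed it parsed live headers.
"""
from email.utils import parseaddr

# Assumed: the domains and people an attacker would want to impersonate.
PROTECTED_DOMAINS = {"yourcompany.com"}
PROTECTED_NAMES = {"jane doe", "yourcompany"}

# Lookalike substitutions folded back to the letter they imitate. Order matters:
# multi-character tricks ("rn" for "m") are folded before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e")]


def _domain(address_field: str) -> str:
    """Lowercased domain of the address inside a header value, or '' if absent."""
    addr = parseaddr(address_field)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _skeleton(text: str) -> str:
    """Fold confusables and drop separators so lookalikes compare equal to the real name."""
    s = text.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s.replace("-", "").replace(".", "").replace(" ", "")


def _registered(domain: str) -> str:
    """Last two labels as the registrable domain (assumption: real code would use
    the Public Suffix List so that names under e.g. .co.uk are handled)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, return_path: str) -> list:
    """Return the forgery categories present, in the order the article lists them.

    An empty list means none of the header-level tricks were seen. It does NOT
    mean the mail is honest: phishing from a clean domain leaves no trace here.
    """
    display, _ = parseaddr(from_header)
    from_dom = _domain(from_header)
    findings = []

    if from_dom in PROTECTED_DOMAINS:
        # Either genuine or exact-domain spoofing: only SPF/DKIM/DMARC can tell.
        findings.append("exact-domain")
    else:
        # Cousin domain: after folding, our brand appears inside a domain we do not own.
        for prot in PROTECTED_DOMAINS:
            brand = _skeleton(prot.rsplit(".", 1)[0])  # "yourcompany"
            if brand in _skeleton(from_dom):
                findings.append("cousin-domain")
                break
        # Display-name spoofing: a trusted name on a foreign, validly authenticating domain.
        shown = _skeleton(display)
        if any(_skeleton(name) in shown for name in PROTECTED_NAMES):
            findings.append("display-name")

    rp_dom = _domain(return_path)
    if rp_dom and from_dom and _registered(rp_dom) != _registered(from_dom):
        # Envelope and visible sender disagree. Legitimate bulk senders do this
        # too, so this is the case DMARC alignment exists to adjudicate.
        findings.append("envelope-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed header pairs, one per forgery type described above.
    SAMPLES = [
        ("Jane Doe <jane.doe@yourcompany.com>", "<bounce@attacker.example>"),
        ("Jane Doe <attacker@gmail.com>", "<attacker@gmail.com>"),
        ("IT Support <help@yourcornpany.com>", "<help@yourcornpany.com>"),
        ("Billing <billing@yourcompany-support.com>", "<billing@yourcompany-support.com>"),
    ]
    for frm, rp in SAMPLES:
        print(f"{frm:50} -> {classify_sender(frm, rp)}")
```

Note what the classifier cannot do: an "exact-domain" finding is not a verdict, because genuine mail from your own domain looks identical at this layer; that case is handed to SPF, DKIM and DMARC. The other three findings are exactly the cases the article says authentication will not catch, which is why they are worth surfacing to a gateway rule or a user warning banner.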
Which defenses address which threat
This is where the distinction earns its keep. Because spoofing is technical, you fight it with technical controls. Because phishing is human, you fight it with human and content controls. Neither set fully covers the other.
Defenses that stop domain spoofing
Email authentication is the answer to exact-domain spoofing of a domain you own. Three records work together:
- SPF publishes, in a DNS `TXT` record, the IP addresses and hosts permitted to send for your domain. Receivers check the envelope sender (the `MAIL FROM` domain) against it, not the visible `From`. SPF allows at most 10 DNS lookups during evaluation, counted across every `include` and `redirect` the record pulls in; exceed that and the check returns `PermError`, which receivers commonly treat as an authentication failure.
- DKIM attaches a cryptographic signature to each message using a private key, and receivers verify it against a public key (2048-bit RSA is the current recommended strength) published at a selector such as `selector1._domainkey.yourdomain.com`. A valid signature proves the signed headers and body were not altered in transit and that the message was signed by the domain named in the signature's `d=` tag.
- DMARC ties the two together with alignment. It requires that the domain in the visible `From` header match the domain validated by SPF (the `MAIL FROM` domain) or by DKIM (the `d=` domain), either exactly in strict mode or at the organizational-domain level in the default relaxed mode, and it tells receivers what to do on failure through its policy: `p=none` (monitor only), `p=quarantine` (send to spam), or `p=reject` (block outright). Only an enforced policy of `quarantine` or `reject` actually stops mail that forges your `From` domain; a `p=none` record reports the forgery and then lets it through.
Published and enforced, DMARC is the single most effective control against someone spoofing your exact domain. It does not stop lookalike domains, display-name spoofing from foreign domains, or compromised legitimate accounts, because in each of those cases the sending domain is not yours and its own authentication passes cleanly. That limit matters enough that we cover it in depth in does DMARC stop phishing. If you have not published a policy yet, start with how to set up DMARC, and to block impersonation of your own domain specifically, how to stop email spoofing of your domain walks through the enforcement path.
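To make the alignment and policy rules concrete, here is an added example written for this article (not code from the article, from SPFWise, or from any DMARC implementation) that evaluates DMARC for one message the way a receiver would once it already holds the SPF and DKIM verdicts, and counts the lookup-costing terms in an SPF record against the budget of 10. The DNS records, domains and verdicts are constructed inputs; the organizational-domain helper takes the last two labels, which is an assumption a real receiver replaces with the Public Suffix List.

```python
"""Evaluate DMARC alignment and disposition for one message, plus the SPF lookup budget.

Added example for this article, not code from the article or any mail product.
The DNS records and the SPF/DKIM verdicts below are constructed; a receiver
gets them from DNS and from its own SPF and DKIM verification.
"""

# RFC 7489 defaults for the tags this example reads.
DMARC_DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}

# Mechanisms and modifiers that each cost one of SPF's ten permitted DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, filling in defaults."""
    tags = dict(DMARC_DEFAULTS)
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption: a real
    receiver uses the Public Suffix List so that names like example.co.uk work)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record, from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """Combine the receiver's SPF and DKIM verdicts with alignment and the published policy.

    DMARC passes if EITHER an SPF pass on an aligned MAIL FROM domain OR a DKIM
    pass with an aligned d= domain is present. The disposition is the published
    policy only when the check fails, so a p=none record never blocks anything.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and bool(mail_from_domain) and aligned(from_domain, mail_from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and bool(dkim_d) and aligned(from_domain, dkim_d, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
    }


def spf_lookup_count(record: str) -> int:
    """Count lookup-costing terms in one SPF record. Only this record is counted:
    a full evaluation follows include/redirect recursively, and the grand total
    must stay within 10 or the result is PermError."""
    count = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        name = term.lstrip("+-~?").lower()
        for sep in (":", "/", "="):
            name = name.split(sep)[0]  # "include:x" -> "include", "a/24" -> "a"
        if name in SPF_LOOKUP_TERMS:
            count += 1
    return count


if __name__ == "__main__":
    # Constructed scenarios: a forged From at two policy levels, then a legitimate bulk sender.
    scenarios = [
        ("p=none, forged From", "v=DMARC1; p=none", "attacker.example"),
        ("p=reject, forged From", "v=DMARC1; p=reject", "attacker.example"),
        ("p=reject, own bulk sender", "v=DMARC1; p=reject", "bounces.yourcompany.com"),
    ]
    for label, rec, mail_from in scenarios:
        print(f"{label:26} -> {dmarc_result(rec, 'yourcompany.com', 'pass', mail_from, 'none', '')}")
```

Two of the cases are the ones that trip people up. A forged `From` with an attacker-controlled `MAIL FROM` passes SPF yet fails DMARC, because the passing domain is not aligned; with `p=none` that failure is only reported and the message is still delivered. And a cousin domain such as `yourcornpany.com`, evaluated against its own record, passes cleanly, which is exactly why the article says DMARC on your domain does nothing for lookalikes.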
Defenses that address phishing broadly
Because phishing can arrive without any domain spoofing, you need layers that inspect intent and behavior, not just identity:
- User awareness training. People who can spot urgency cues, mismatched links, and unusual payment requests catch the phishing that authentication never sees. This is the primary defense against display-name and cousin-domain attacks.
- Content and URL filtering. Secure email gateways scan links, attachments, and message patterns, rewriting or sandboxing suspicious URLs regardless of whether the sender authenticated.
- Multi-factor authentication. Even when a phish captures a password, MFA stops the attacker from using it on its own, breaking the most common credential-phishing outcome. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) where you can: one-time codes and push approvals can be relayed in real time by a proxy-style phishing page, whereas a WebAuthn credential is bound to the genuine site's origin and will not answer for a lookalike.
- Payment verification controls. Out-of-band confirmation for any change to banking details defeats the business email compromise variant even when the message looks flawless.
Authentication and human defenses are complementary, not interchangeable. DMARC removes the easiest and most convincing form of impersonation, which shrinks the attacker's options and forces them into weaker, more detectable tactics. Everything beyond that belongs to training, filtering, and process.
A quick decision guide
- If someone is forging your exact domain, publish and enforce DMARC. Verify SPF, DKIM, and alignment first.
- If someone is using a lookalike or cousin domain, consider registering the common variants yourself and monitoring for new registrations that resemble your name. DMARC on your own domain will not help here, because the attacker's domain authenticates on its own terms.
- If the attack is display-name only from a foreign domain, rely on gateway rules and user training.
- If the goal is a fraudulent payment, add out-of-band verification and MFA regardless of how the mail authenticated.
Knowing whether you face a spoofing problem or a phishing problem tells you which lever to pull. Most real incidents involve both, so mature programs run authentication and human defenses in parallel rather than treating either as sufficient on its own.
Frequently asked questions
Is spoofing a type of phishing?
No, but they frequently appear together. Spoofing is the technique of forging a sender identity, while phishing is the fraudulent goal of deceiving a recipient. Attackers often spoof a trusted domain to make a phishing message more believable, but you can have one without the other.
Does DMARC stop phishing?
DMARC stops exact-domain spoofing of a domain you control, which removes one powerful phishing vector. It does not stop phishing that uses lookalike domains, display-name-only forgery from foreign domains, or compromised legitimate accounts, so it must be paired with user training and filtering.
Can an email pass SPF and DKIM and still be phishing?
Yes. If an attacker sends from a domain they legitimately control, such as a freshly registered cousin domain, their own SPF and DKIM records pass. Authentication proves the message came from that domain; it does not prove the sender is honest, which is why content-level defenses remain essential.
What is the difference between spoofing and impersonation?
Spoofing is a subset of impersonation carried out at the technical layer, such as forging the From header or envelope sender. Broader impersonation also includes non-technical tactics like display-name tricks or cousin domains that do not forge any authenticated field.
Want to know whether your own domain can be spoofed right now? Run a free SPFWise scan to check your SPF, DKIM, and DMARC records, confirm your alignment, and see whether your policy is actually enforced or still sitting at p=none.