20 June 2026
Anyone can send email as your business — here's how to stop it
Your customers trust email from your domain. So do scammers.
If your domain isn't locked down, anyone can send an email that looks like it's from you — to your clients, your suppliers, your staff — asking them to pay a "new" bank account or click a dodgy link. When it works, it's your name and your reputation on the line. This is called email spoofing, and it's the engine behind most fake-invoice scams.
The good news: stopping it is a known, finite job. Here's how it works in plain English.
The three settings that decide it
Whether someone can spoof your domain comes down to three email-authentication records — SPF, DKIM and DMARC — and one policy setting in the DMARC record, p=, that climbs a ladder:
- p=none — watching, doing nothing. This is where most domains are stuck. It feels safe, but it isn't: spoofed mail still lands.
- p=quarantine — spoofed mail gets sent to junk. Better, but the spoof still reaches the recipient's mailbox.
- p=reject — spoofed mail is blocked outright. This is the protection.
It's essentially a single DNS record, walked up the ladder carefully so you don't accidentally bounce your own legitimate mail along the way. Done properly, it's about 20 minutes of work — but the "done properly" part matters, because rushing straight to p=reject can stop your real invoices and newsletters from arriving.
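To see which rung a domain is on, read the TXT record published at _dmarc.<your domain> tag by tag. The following is an added example, not part of the original post: a small Python check that goes slightly beyond the three p= values to the pct, sp and rua tags from RFC 7489, since those decide whether a rung is fully in effect. The sample records and example.com addresses are constructed.

```python
# Added example: place a published DMARC TXT record on the none/quarantine/reject ladder.
# Tag names (v, p, sp, pct, rua) are from RFC 7489; the sample records are constructed.
LADDER = ["none", "quarantine", "reject"]
MEANING = {
    "none": "p=none: monitoring only, spoofed mail is still delivered",
    "quarantine": "p=quarantine: spoofed mail goes to junk but still reaches the mailbox",
    "reject": "p=reject: spoofed mail is refused",
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return (rung, findings); rung is None when no valid policy is published."""
    if not txt or not txt.replace(" ", "").startswith("v=DMARC1"):
        return None, ["no valid DMARC record: receivers apply no policy"]
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in LADDER:
        return None, [f"missing or invalid p= value {policy!r}: no usable policy"]
    findings = [MEANING[policy]]
    pct = tags.get("pct", "100")  # defaults to 100 when the tag is absent
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()  # subdomains inherit p= unless sp= is set
    if sub in LADDER and LADDER.index(sub) < LADDER.index(policy):
        findings.append(f"sp={sub}: subdomains sit on a lower rung than the main domain")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review before moving up")
    return policy, findings


if __name__ == "__main__":
    # Constructed records for the placeholder domain example.com
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"):
        print(record, "->", assess(record))
```

A record that reports p=reject with no further findings is the fully enforced state described above; anything else is still part-way up the ladder.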
What I'll do — free
I'll run a free health check on your domain and send you a one-page action list: exactly what's exposed, in priority order, written so you (or whoever looks after your IT) can knock it over.
If you'd rather I just fix the biggest one, I'll do that too — the first hour's on me.
Why this matters now
Fake-invoice fraud doesn't need to hack anything. It just needs your domain to be open, and one busy person to glance at an email that looks exactly like it came from you. Locking down SPF, DKIM and DMARC closes that door — quietly, in the background, for good.
It's the cheapest, highest-leverage security fix most small businesses are still missing. Worth 20 minutes.
Want me to check your domain?
Free health check, plain-English action list, yours to keep.