"Why Am I Getting Emails From Myself?" Understanding and Preventing Email Spoofing
Jim Leone
8/6/2025 · 2 min read
Over the past few weeks, I've been asked a version of the same question by several colleagues and security-conscious peers...
"How am I receiving an email that looks like it's from my own email address? It even shows my name and domain, and when I hover over the sender or look at the full message headers, it still looks like it came from me!"
If you've experienced this, you're not alone, and you're not imagining things. This is a classic email spoofing attack, and it works shockingly well against domains that aren't properly secured.
What’s Actually Happening?
Attackers are sending emails that pretend to be from your domain. They set the visible "From" header (the address your mail client displays) to an address at your domain, so the message appears to come from you or from someone in your organization. Nothing in SMTP itself stops them: a sending server can put any address it likes in that header.
Even if you're tech-savvy enough to inspect headers, spoofed emails can still appear legitimate on the surface, because the From header is exactly the part the attacker controls. Unless you've put the right protections in place, the receiving server has no published statement from your domain to check the message against, so it has no reason to doubt it.
That’s where email authentication comes in, and it’s something many businesses still don’t have configured properly.
Three Tools You Should Be Using (But Might Not Be)
Let's walk through the three DNS-based protections every domain should implement.
SPF: Sender Policy Framework
SPF lets a domain owner publish, in a DNS TXT record, which mail servers are allowed to send email for that domain. A receiving server looks up the record for the domain in the SMTP envelope sender (the MAIL FROM, or Return-Path, address) and checks whether the connecting IP is listed. Note that this is the envelope domain, not the visible From header, which is why SPF alone does not stop the attack above: an attacker can put their own domain in the envelope and yours in the From header.
Example: if you're using Google Workspace or Microsoft 365, your SPF record should include their servers, using the include mechanism each provider documents, and end with a fail or softfail for everything else.
Without it: spammers can use your domain as the envelope sender from anywhere on the internet, and nothing in DNS says they may not.
Benefits: reduces spam, blocks unauthorized servers, lowers phishing success.
DKIM: DomainKeys Identified Mail
DKIM attaches a digital signature to each email, created with a private key known only to the sending system. The signature covers the message body and selected headers (including From), and a DKIM-Signature header names the signing domain (d=) and a selector (s=). Recipients fetch the matching public key from DNS at selector._domainkey.yourdomain and verify the signature.
A valid signature confirms that the signed parts of the message haven't been altered since signing, and that the signing domain took responsibility for it.
Without it: even a message that passes SPF has no integrity protection, so its content could be altered after it left your server without anyone detecting it. And because SPF is tied to the sending IP, a legitimate message that is forwarded through another server loses its SPF pass, leaving nothing to authenticate it; a DKIM signature survives forwarding.
Benefits: ensures message integrity and authenticity.
DMARC: Domain-based Message Authentication, Reporting & Conformance
DMARC is the policy layer that ties the two checks to the address the user actually sees. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header. For everything else, your DMARC record tells receiving mail servers what to do:
Should the message be quarantined (p=quarantine, typically delivered to spam)?
Should it be rejected entirely (p=reject)?
Should it be allowed but logged for review (p=none)?
DMARC also enables reporting: receivers send you aggregate reports of which servers sent mail using your domain and how the checks came out, giving you visibility into how your domain is being used, or abused.
It protects your brand reputation and your customers.
Without it: even with SPF and DKIM published, spoofed emails pretending to be from your CEO can still make it to inboxes, because nothing connects those checks to the From header or tells receivers to act on a failure.
Benefits: enforces authentication, blocks impersonation, enables insight via reports.
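To make the alignment rule concrete, here is an added example (not code from the original article) of the decision a receiving server makes once your DMARC record is published. It takes the SPF and DKIM results the server observed, compares the domains that passed with the visible From domain under the strict or relaxed alignment modes DMARC defines, and returns the disposition the policy requests. The domains, DNS records and scenarios are constructed for illustration; the organizational-domain shortcut is an assumption and a real implementation would use the Public Suffix List.

```python
"""
Simplified DMARC evaluation: does a message's SPF or DKIM result *align*
with the visible From: domain, and what does the domain's DMARC policy
say to do if nothing aligns?

Added example, not from the original article. Domains, selectors and
header values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS publication for the victim domains. In reality these are
# TXT records; here they are a dict keyed by record name.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_tags(record: str) -> dict:
    """Parse DMARC 'k=v; k2=v2' syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, assumed here to be the last two labels.
    Real implementations use the Public Suffix List; this shortcut is
    wrong for names like example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """What the receiving MTA observed for one message."""
    from_domain: str            # domain in the RFC 5322 From: header (what the user sees)
    spf_result: str             # "pass" / "fail" / "none" ...
    spf_domain: Optional[str]   # domain SPF was evaluated against (MAIL FROM / HELO)
    dkim_result: str            # "pass" / "fail" / "none"
    dkim_domain: Optional[str]  # d= tag of the verified signature


def evaluate_dmarc(msg: AuthResults, dns=DNS_TXT) -> dict:
    """Return the DMARC verdict and the disposition the policy requests."""
    record = dns.get(f"_dmarc.{msg.from_domain}")
    if record is None:
        # No DMARC policy published: the receiver has nothing to enforce.
        return {"dmarc": "none", "disposition": "deliver", "reason": "no DMARC record"}
    tags = parse_tags(record)
    aspf = tags.get("aspf", "r")     # both alignment modes default to relaxed
    adkim = tags.get("adkim", "r")
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, aspf)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, adkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver",
                "reason": "spf aligned" if spf_ok else "dkim aligned"}
    policy = tags.get("p", "none")
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"dmarc": "fail", "disposition": disposition,
            "reason": f"neither SPF nor DKIM aligned; p={policy}"}


# --- Constructed scenarios ---------------------------------------------------
# 1. The attack from the article: attacker's own server, MAIL FROM at the
#    attacker's domain (so SPF *passes* for that domain), From: shows the victim.
SPOOF = AuthResults("example.com", "pass", "bulk-sender.test", "none", None)
# 2. Legitimate mail via the provider, DKIM signed with d=example.com.
LEGIT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
# 3. Mail from a subdomain: strict adkim rejects d=mail.example.com,
#    but relaxed aspf accepts the SPF identity, so DMARC still passes.
SUBDOMAIN = AuthResults("example.com", "pass", "mail.example.com", "pass", "mail.example.com")
# 4. The same spoof against a domain still at p=none: reported, not blocked.
SPOOF_NONE = AuthResults("example.org", "pass", "bulk-sender.test", "none", None)

if __name__ == "__main__":
    for name, m in [("spoof", SPOOF), ("legit", LEGIT),
                    ("subdomain", SUBDOMAIN), ("spoof, p=none", SPOOF_NONE)]:
        print(f"{name:14} -> {evaluate_dmarc(m)}")
```

The first scenario is the one in the question at the top of this post: SPF is satisfied for the attacker's envelope domain, so a receiver that looks at SPF alone sees nothing wrong. Only the alignment check against the From header, and a policy of quarantine or reject, turns that into a blocked message.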
So Let's Put It All Together!
SPF, DKIM, and DMARC aren’t optional anymore. They’re foundational for protecting your domain, your team, and your customers from fraud, phishing, and reputational damage.
When configured correctly:
Attackers can't use your exact domain in the From header without failing authentication at every receiver that checks it (lookalike domains and display-name tricks are a separate problem that these records don't address).
Spoofed messages get blocked or quarantined, as your policy directs.
You get reports showing who is trying to impersonate your domain.
Check your current DNS records using free tools like MXToolbox or DMARC Analyzer.
Publish an SPF record that matches your mail infrastructure.
Enable DKIM signing through your email provider.
Create a DMARC record with a policy of p=none to start monitoring.
After a few weeks of reports, once every legitimate sender is passing with alignment, move to p=quarantine and then to p=reject.
Aggregate reports (sent to the rua address in your DMARC record) show you, per sending IP, how much mail claiming your domain passed or failed, which is also how you spot spoofing attempts from anywhere in the world.
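The checklist above ends with records you have to get right, and the free checkers mentioned catch the same handful of mistakes every time. As an added example (not code from the original article), here is a small audit of the SPF, DKIM and DMARC TXT records a domain publishes, run over a constructed "before" set with the weak settings and an "after" set that matches the steps above. The record strings are made up for illustration; in practice you would fetch the real ones with dig or a DNS library and pass them in.

```python
"""
Sanity checks for the SPF / DKIM / DMARC TXT records a domain publishes,
covering the common misconfigurations that leave spoofing possible.

Added example, not from the original article. Record strings are
constructed; in practice you would fetch them (e.g. `dig TXT _dmarc.<domain>`)
and feed the strings in here.
"""
import re
from typing import Dict, List, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """'k=v; k2=v2' -> dict (DMARC and DKIM records both use this shape)."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";"))
            if k.strip()}


def check_spf(apex_txt: List[str]) -> List[str]:
    """apex_txt: every TXT record at the domain apex. Exactly one may be SPF."""
    findings = []
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; any host can claim to send for this domain"]
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as PermError (no protection)")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted hosts get a Neutral result")
    elif all_term.lower() in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif all_term.lower() == "?all":
        findings.append("SPF: '?all' is neutral; unlisted hosts neither pass nor fail")
    # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms/modifiers.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)|^redirect=", t, re.I))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms (limit 10); evaluates to PermError")
    return findings


def check_dkim(selector_txt: Optional[str]) -> List[str]:
    """selector_txt: the TXT record at <selector>._domainkey.<domain>, if any."""
    if selector_txt is None:
        return ["DKIM: no key published under _domainkey; outbound mail cannot be verified"]
    if not parse_tags(selector_txt).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []


def check_dmarc(dmarc_txt: Optional[str]) -> List[str]:
    """dmarc_txt: the TXT record at _dmarc.<domain>, if any."""
    if dmarc_txt is None:
        return ["DMARC: no _dmarc record; receivers will deliver spoofed mail"]
    tags = parse_tags(dmarc_txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    p = tags.get("p")
    if p is None:
        findings.append("DMARC: missing required p= tag")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if p in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is enforced")
    return findings


def audit(apex_txt: List[str], dkim_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Run all three checks and return every finding."""
    return check_spf(apex_txt) + check_dkim(dkim_txt) + check_dmarc(dmarc_txt)


# Constructed "before" records: two SPF records, a neutral ?all, no DKIM key,
# monitoring-only DMARC with no reporting address.
WEAK = audit(
    apex_txt=["v=spf1 include:_spf.google.com ?all", "v=spf1 ip4:203.0.113.0/24 -all"],
    dkim_txt=None,
    dmarc_txt="v=DMARC1; p=none",
)
# Constructed "after" records: what the checklist should end with.
# The p= value is a placeholder, not a real key.
FIXED = audit(
    apex_txt=["v=spf1 include:_spf.google.com -all"],
    dkim_txt="v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
)

if __name__ == "__main__":
    print("before:", *WEAK, sep="\n  ")
    print("after: ", FIXED or "no findings")
```

Running it shows five findings for the weak set and none for the fixed one. Two of those (the duplicate SPF record and a lookup count over ten) are worth calling out because they make SPF evaluate to a permanent error, which most receivers treat as if you had published nothing at all.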
If you're receiving emails from "yourself," it's not just weird; it's a wake-up call that your domain is likely missing one or more of these protections. And because the message landed in your own mailbox, check the receiving side too: your inbound mail service must actually evaluate DMARC and act on your policy, otherwise publishing the record changes nothing for mail addressed to you.
Email remains one of the most commonly exploited vectors in cybersecurity. But the good news? This one is relatively easy to fix, if you take the time to configure these controls properly.