Email spoofing lets attackers send fake invoices and instructions that appear to come from your domain, without ever touching your systems. Here's the three-record fix most Brisbane businesses haven't implemented.
Last month, a Brisbane accounting firm discovered that their clients had been receiving invoices, apparently from them, asking for urgent payment to a new bank account. Except the firm never sent them. No system was hacked. No password was stolen. The attacker never even touched their network. They just spoofed the domain.
Email spoofing is when someone sends an email that appears to come from your domain (your business address) without ever having access to your email account or servers. It exploits gaps in how email was originally designed, and it's one of the most common techniques used in business email compromise (BEC) attacks.
The result? Your clients, suppliers, and partners receive emails that look exactly like they came from you. Fake invoices. Fraudulent payment requests. Urgent 'CEO' instructions. All appearing to be from your trusted domain. In Australia, BEC is consistently among the top reported cybercrime categories, and the majority of victims are small and medium businesses.
Whether your domain can be spoofed comes down to three DNS records most businesses have never heard of:
SPF tells the world which mail servers are authorised to send email on behalf of your domain. If it's missing or misconfigured, anyone can send email claiming to be from you@yourbusiness.com.au.
DKIM adds a cryptographic signature to your outgoing emails. Receiving mail servers use it to verify the message actually came from you and wasn't tampered with in transit. Without it, your emails carry no authentication stamp.
DMARC is the enforcement layer. It tells receiving servers what to do when an email fails SPF or DKIM checks: quarantine it, reject it, or let it through. Without DMARC, even if you have SPF and DKIM, there's no instruction to act on failures.
Most Brisbane SMBs have SPF partially configured. Very few have DKIM set up correctly. Almost none have DMARC enforced.
You can check your own domain in under two minutes using a free tool like MXToolbox (mxtoolbox.com). Search for your domain and run the SPF, DKIM, and DMARC lookups. If any show as missing, failing, or set to 'p=none' (DMARC with no enforcement), your domain is open.
A correctly configured DMARC record set to 'p=reject' means unauthenticated emails claiming to be from your domain are automatically rejected before they reach anyone's inbox.
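To show what the three records above actually contain and what the lookup in the previous step is checking for, here is an added example (not De4Sec's tooling or part of the original article) that parses SPF, DKIM and DMARC TXT records and flags the weak settings described: a missing record, an SPF record ending in `+all`, a DMARC policy of `p=none`, and a policy applied to only part of failing mail. The DNS answers are constructed inline for a placeholder domain `example.com.au` so the script runs offline; the DKIM selectors `selector1`/`selector2` and the public key value are assumptions. To check a live domain you would replace `lookup_txt` with a real resolver and use your mail provider's published selector names, since DKIM cannot be looked up without knowing the selector.

```python
"""Added example: assess SPF, DKIM and DMARC records for a domain.

Not the article's or De4Sec's own code. DNS answers are constructed below
so the check runs offline; swap lookup_txt for a real resolver to go live.
"""
import re

# Constructed sample answers keyed by the DNS name that would be queried.
# example.com.au is a placeholder, and the DKIM key is a truncated dummy value.
WEAK_DNS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=MIIBIjANBgDUMMYKEY"],
}

# Same domain after the fix the article recommends: DMARC set to p=reject.
HARDENED_DNS = dict(WEAK_DNS)
HARDENED_DNS["_dmarc.example.com.au"] = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"
]


def lookup_txt(name, dns):
    """Stand-in for a DNS TXT query; returns the constructed answers."""
    return dns.get(name, [])


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, dns):
    """Report whether SPF exists and how its terminating 'all' is qualified."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not records:
        return {"present": False, "issues": ["no SPF record"]}
    if len(records) > 1:
        return {"present": True, "issues": ["multiple SPF records (treated as a permanent error)"]}
    terms = records[0].split()
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())]
    issues = []
    if not all_terms:
        issues.append("no 'all' mechanism terminates the record")
    else:
        qualifier = all_terms[-1].lower()
        if qualifier in ("all", "+all"):
            issues.append("+all lets any server send as this domain")
        elif qualifier == "?all":
            issues.append("?all is neutral and fails nothing")
    return {"present": True, "issues": issues}


def check_dkim(domain, selectors, dns):
    """Map each selector to True if a DKIM record with a non-empty key exists."""
    found = {}
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        recs = [r for r in lookup_txt(name, dns) if "p=" in r]
        if recs:
            # An empty p= tag means the key has been revoked.
            found[selector] = bool(parse_tags(recs[0]).get("p"))
    return found


def check_dmarc(domain, dns):
    """Report the DMARC policy and the gaps that leave spoofed mail deliverable."""
    recs = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return {"present": False, "policy": None, "issues": ["no DMARC record: failures are not acted on"]}
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    issues = []
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return {"present": True, "policy": policy, "issues": issues}


def assess(domain, dns=WEAK_DNS, selectors=("selector1", "selector2")):
    """Combine the three checks; 'enforced' is True only for quarantine/reject."""
    dmarc = check_dmarc(domain, dns)
    return {
        "spf": check_spf(domain, dns),
        "dkim": check_dkim(domain, selectors, dns),
        "dmarc": dmarc,
        "enforced": dmarc["present"] and dmarc["policy"] in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, assess("example.com.au", dns))
```

Running it prints the weak domain with `p=none` flagged and `enforced` False, and the hardened copy with no DMARC issues and `enforced` True; the SPF `~all` softfail is left unflagged because, once DMARC is enforced, a softfail is enough for the receiving server to act on.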
The consequences of email spoofing aren't just reputational. When a client transfers money based on a fraudulent invoice that appeared to come from you, the relationship is damaged, even though you did nothing wrong. In some cases, businesses have faced legal disputes over losses they didn't cause. The fix isn't expensive or complex. It's a configuration task. But it needs to be done correctly: partial implementation creates a false sense of security.
Email domain hardening is one of the first things De4Sec checks in any IT assessment, because it's one of the easiest wins with the highest real-world impact.
We identify your top 3 risks and tell you exactly what to fix, with no jargon and no obligation.