
How We Stopped Email Spoofing with SPF, DKIM & DMARC (Real Case Study)

February 23, 2026 · By Hardik Raval


Case Study: How We Prevented Email Spoofing Using SPF, DKIM & DMARC


Email spoofing is one of the most common cybersecurity threats today. Attackers send emails that appear to come from your domain. Customers and partners may trust those emails, which can damage your brand reputation.

In this case study, we explain how we identified and stopped an email spoofing issue for a client’s domain using proper SPF, DKIM, and DMARC configuration.


The Problem: DMARC Was Set to Monitoring Mode

The client’s domain had SPF and DKIM configured correctly. However, the DMARC policy was set to p=none.

This means failing emails were only being monitored and reported, not blocked.

  • Multiple non-compliant email attempts were detected
  • Unauthorized sources attempted to send emails
  • The domain was being used in “From” addresses

Although emails were not always delivered, spoofing attempts were clearly happening.


Tools Used for Investigation

  • EasyDMARC – For monitoring DMARC reports
  • Microsoft 365 – Official email infrastructure
  • DNS verification tools – For checking SPF, DKIM, and DMARC records

The reports showed failed authentication attempts from sources that were not authorized.


Step 1: Monitor Before Enforcing

Before making any changes, we carefully monitored DMARC reports for several days.

  • Verified all legitimate email senders
  • Ensured SPF and DKIM alignment was correct
  • Confirmed no valid emails were failing authentication

This step was important to prevent accidental blocking of legitimate business emails.


Step 2: Verify Email Infrastructure

The client officially used Microsoft 365 for sending emails.

However, some reports showed email attempts appearing through Google infrastructure. After verification:

  • No Google Workspace account was active
  • The attempts were unauthorized spoofing activity

This confirmed it was safe to move to strict enforcement.


Step 3: Update DMARC Policy to Reject

We updated the DMARC policy from:

v=DMARC1; p=none;

To:

v=DMARC1; p=reject;

Now, any email that fails DMARC, meaning neither SPF nor DKIM passes in alignment with the domain in the “From” address, is rejected by receiving servers that enforce the policy.


Testing After Implementation

  • Sent test emails to Gmail and work accounts
  • All legitimate emails were delivered successfully
  • No valid email was blocked
  • Spoofed attempts are now rejected automatically

Final Results

  • Domain spoofing attempts blocked
  • Email authentication fully enforced
  • Improved domain reputation
  • Reduced phishing risk

Key Takeaways for Businesses

If your DMARC policy is set to p=none, your domain is not fully protected.

  1. Configure SPF correctly
  2. Enable DKIM signing
  3. Start DMARC with p=none for monitoring
  4. Review reports carefully
  5. Move to quarantine or reject after validation

Addressing email spoofing is not optional. Every growing business should secure its domain authentication properly.


Conclusion

Early monitoring helped us detect suspicious activity before it became a serious issue. By properly configuring SPF, DKIM, and DMARC — and moving from monitoring mode to enforcement — we secured the client’s domain successfully.

If your business relies on email communication, domain protection should be mandatory.

Need Help Securing Your Domain?

We help businesses implement proper email authentication and domain security.
