Who Is Really Sending Email in Your Name? Domain Spoofing Explained
A plain-English video guide to domain spoofing: how criminals send email in your name, why law and finance are prime targets, and how DMARC, SPF and DKIM stop it.
Do you actually know who is sending email in your name? For most UK businesses the honest answer is “no idea”, and that is exactly the gap criminals exploit. In this plain-English explainer we break down how domain spoofing works, why law firms and financial services are prime targets, what DMARC, SPF and DKIM actually do, and how to close the gap in minutes.
Prefer to read, or want it for reference? Here is the full walkthrough.
Welcome to the explainer. So today we're tackling a critical but honestly pretty invisible threat that modern businesses are facing right now. It's basically the silent hijacking of your professional digital identity. Just imagine if someone could send out a perfectly replicated email from your company, completely tricking your clients, your partners, or even your own staff into handing over sensitive data or authorising massive payments. Crazy, right? Well, it's not a hypothetical scenario. This is domain spoofing, and it is a massive, massive driver of fraud.
So in this explainer, we're going to look closely at how a service called SealedMail actually locks down professional domains, turning all that complex security data into clear, actionable intelligence. Okay, let's jump right in. Here's our roadmap for today. We'll start with the threat of email spoofing, look at the high stakes in law and finance, and decode that confusing security alphabet. Then we'll talk about getting protection in plain English and finish up with four simple steps to security.
Who is really sending your emails?
For a long time, tons of UK organisations have relied on a free service from the National Cyber Security Centre called Mail Check to sort of keep an eye on their domain security. But there is a massive shift happening literally right now. The NCSC is officially retiring that Mail Check service on 31 March 2026. And look, this is not just some minor administrative update. By their own figures, around 17,000 registered UK organisations rely on this free reporting. So with it going away, those thousands of orgs are suddenly left with this huge gap in their security posture, and they desperately need a new way to monitor their domains.
Which brings us to a really fundamental and honestly pretty unsettling question: do you know exactly who is sending email in your name? Because the scary truth is, without active monitoring, anyone could be sending an email that looks perfectly like it came from your domain, and you'd have zero idea. It doesn't show up in your sent folder. Your IT team doesn't get a little pop-up alert. It is an entirely invisible threat, right up until the exact moment a client calls you in a panic, asking why you suddenly changed your bank details or demanded an urgent invoice payment.
High stakes in law and finance
These are the businesses that absolutely cannot afford to get this wrong. Now, obviously, any business can have their domain spoofed, but the devastation isn't equal across the board. Professional services, they are the absolute primary targets for cyber criminals. Why? Because of the immense trust they command and the sheer volume of high-value transactions they are processing every single day.
Let's look at how this plays out in two very distinct, incredibly high-stakes scenarios. First up, law firms. For legal professionals, a spoofed email is basically ground zero for client account fraud. I mean, think about a standard property transaction. A fraudster spoofs the solicitor's email, fires off new bank details to the home buyer for their deposit, and boom - hundreds of thousands of pounds just vanish.
On the flip side, over in financial services, it's not just about that direct fraud. It's also about really strict regulatory compliance. Under Consumer Duty obligations, financial firms literally have to show hard evidence that they are taking reasonable steps to protect their clients. So leaving your domain wide open to impersonation, that is a massive compliance failure just waiting to happen. For both of these sectors, lacking email security isn't some annoying IT glitch. It is a full-blown existential threat to the business.
Decoding the security alphabet: DMARC, SPF and DKIM
So how do we actually stop this stuff? Look, if you've ever asked an IT provider about email security, you have almost certainly been hit with that terrifying alphabet soup of acronyms. But don't worry, we're going to translate that right now. No computer science degree required.
So the foundational piece of this whole puzzle is DMARC. It technically stands for Domain-based Message Authentication, Reporting and Conformance. But practically speaking, it's just the standard that lets you see and ultimately stop anyone sending an email that's pretending to be you. It gives strict instructions to receiving mail servers, like Google or Microsoft, telling them exactly what to do if an email fails your security checks. You know, should they deliver it anyway? Chuck it in the spam folder? Reject it completely? Crucially, it also sends reports back to you so you can actually see who is trying to use your identity.
But DMARC doesn't work alone. Now what's really interesting is how perfectly these highly technical protocols map onto physical, real-world security concepts. Think of your email domain as a highly secure building. First up, we've got SPF and DKIM. These are the locks. SPF acts like a guest list, verifying that the server sending the email is actually allowed to do so. DKIM is basically a tamper-proof wax seal on the envelope. It mathematically proves the message wasn't messed with in transit. Next, we have DMARC. In our building analogy, DMARC is the CCTV and the rulebook. It tells the security guards - the receiving servers - what to do with mail that doesn't have the right locks, and it sends CCTV footage back to you so you can see exactly who tried to break in. Finally, TLS and MTA-STS are the delivery van. They just ensure those emails travel from server to server inside a secure, encrypted tunnel so nobody can intercept or read them while they're out on the road. Put it all together and you've built a fortress around your email.
But wait, here's the real danger. Just setting this up once? Not enough. Because things silently break. Take SPF, for instance. There's this deeply technical but absolutely critical rule called the 10 DNS lookup limit. Every single time your marketing team adds a new newsletter platform, or sales adds a new CRM or invoicing tool, they add lookups to your SPF record. The very second you go over 10 lookups, your SPF silently breaks for everything. Legitimate emails from your actual staff suddenly start failing security checks and landing straight in your clients' spam folders, and you will have absolutely no idea why. We call this configuration drift, and honestly, it happens all the time in growing businesses.
Protection in plain English
Okay, so this brings us to a massive pain point. Say you've set up DMARC, and it's dutifully sending those CCTV reports back to you. Awesome, right? Well, the problem is DMARC reports are sent in raw XML data. They are utterly unreadable to a normal human being. Without a proper tool to interpret them, they just pile up as totally useless digital clutter. And that is exactly where SealedMail steps in, transforming all that raw data into an actionable, plain-English solution.
I absolutely love this quote from Shaun Cooke, the founder of SealedMail. He says: "You are not buying software. You are hiring me." I mean, how refreshing is that? SealedMail isn't just some faceless automated dashboard you have to spend hours learning how to use. It's an actual service where a dedicated UK email security specialist is personally reviewing your domain data. You're not battling a call centre or sitting in a massive ticket queue or dealing with some inexperienced junior analyst. You get direct, hands-on expertise reviewing your specific domain's health.
Let's look at exactly what this service delivers. Every single Monday, you get a single, super easy-to-read report delivered straight to your inbox. It gives you plain-English analysis. It tells you exactly who sent email as your domain, whether it passed authentication, and if you actually need to do anything about it. Best part: there's zero new software to install, no annoying passwords to remember, and absolutely no staff training required. It just shows up in your email. Plus, it's compliance-ready right out of the box. For those finance firms and law practices we talked about earlier, this report acts as instant, properly formatted audit evidence, proving your domain is actively monitored. It even automatically checks your domain against major blacklists and catches that dangerous configuration drift - like that pesky 10-lookup limit - in a matter of days instead of months.
So, the crucial point is the cost. For all this expert analysis, the continuous monitoring, and the plain-English reporting, SealedMail charges a remarkably simple flat fee of £39 per domain, per month. That's literally it. There are no volume limits on how many emails you send, zero surprise charges, and absolutely no annual locking contracts. You can cancel whenever you want. It's basically enterprise-grade security, completely stripped of all the usual enterprise software headaches.
Four steps to security
Now, right about now, you might be thinking, "Okay, this sounds amazing, but implementing new security protocols is always just a massive IT headache." Well, let me thoroughly reassure you. Despite the incredibly complex cryptography and tech operating behind the scenes here, onboarding with SealedMail is astonishingly straightforward. You can literally be up and running in minutes. It's a quick four-step process.
Step one: just request a free health check on their site. This does a full audit of your domain's current setup and gives you a scored certificate, so you know exactly where you stand today, totally obligation-free.
Step two: you subscribe via Stripe. It takes maybe two minutes.
Step three: this is the only slightly technical part, and it is tiny. You just update two DNS records, basically adding SealedMail's reporting addresses to your DMARC and TLS-RPT records. If you manage your own domain, it's literally a five-minute job. If you don't, just forward the welcome email straight to your IT provider.
Step four: your plain-English reports start arriving the very next Monday. That's the whole shebang. You've closed the gap, secured your domain, and gained total visibility.
The one question to ask yourself
All right, I want to leave you with one final, vital question to think about when it comes to your own business. If a cyber criminal perfectly spoofed your professional domain right now, today, and tried to defraud your most important client, exactly how long would it take you to find out? Because without active monitoring, the answer is almost always far too late. Taking just a few minutes to request that free health check could literally be the difference between stopping a massive fraud attempt dead in its tracks and dealing with a devastating loss.
Thanks so much for joining me on this explainer, and we'll see you next time.
See where your domain stands
The quickest way to find out whether your domain can be spoofed is a free health check. It scores your SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI and emails you a clear, plain-English result. No sign-up, no sales call.
Prefer the written version? Read the deep-dive: Domain spoofing explained: how anyone can send email as you.