- Someone is sending emails that look like they are from your@company.com — but you never sent them.
- Your domain is being spoofed, your customers are being phished, and your brand reputation is taking damage every hour it is not fixed.
- Here is how to stop it completely.
Email domain spoofing — where attackers send emails that appear to come from your business domain — is one of the most damaging cybersecurity threats for Nepali businesses. Victims of spoofing receive fraudulent invoices, fake order confirmations, or credential-stealing messages that appear to be from trusted suppliers. The damage to brand trust is severe and often permanent.
The good news: three DNS-based email authentication standards completely stop spoofing when properly configured. They are called SPF, DKIM, and DMARC.
Understanding Email Authentication: The Three Pillars
1. SPF (Sender Policy Framework)
SPF is a DNS record that declares which servers are authorized to send email from your domain. When a receiving mail server gets an email claiming to be from info@yourcompany.com.np, it checks your SPF record to see if the sending server is on the authorized list.
Example SPF record:
v=spf1 include:mail.websnp.com include:_spf.google.com ~all
This says: "Only WebsNP mail servers and Google are authorized to send email for this domain. All others should be treated with suspicion (~all = softfail)."
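To see how a receiving server walks that record, here is an added example (not WebsNP's code or any mail library's) that evaluates an SPF record for a sending IP. It replaces live DNS lookups with a constructed in-memory table; the records for the two include targets and the IP ranges in it are made up from documentation address ranges, not the real records of those domains.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real checker
# would query DNS). The include targets' records and IP ranges are made
# up from documentation address ranges, not those domains' real records.
FAKE_DNS = {
    "yourcompany.com.np": "v=spf1 include:mail.websnp.com include:_spf.google.com ~all",
    "mail.websnp.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.

    Returns pass / fail / softfail / neutral / none / permerror, walking
    ip4, ip6, include and all mechanisms left to right as RFC 7208 does.
    The include nesting limit stands in for the 10-lookup cap.
    """
    if depth > 10:
        return "permerror"
    record = FAKE_DNS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                       # no SPF published: no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # an IPv6 sender never matches an ip4 network, and vice versa
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the included domain's record passes
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        else:
            matched = False                 # a/mx/exists not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all'


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("yourcompany.com.np", ip))
```

The third address in the demo hits `~all` and comes back `softfail`; with `-all` at the end of the record it would be a hard `fail`, which is the difference between "treat with suspicion" and "reject".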
2. DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email your server sends. The signature is verified by the receiving server using a public key published in your DNS. If the signature does not match, the email has been tampered with or forged.
DKIM prevents two things:
- Email forgery (attacker cannot send email that passes DKIM without your private key)
- Email tampering in transit (any modification of the email body breaks the signature)
In cPanel (WebsNP hosting): Email → Authentication → Enable DKIM → Save. Your key is automatically published to DNS.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the policy that tells receiving servers what to do when an email fails SPF or DKIM checks. It is the enforcement layer that makes SPF and DKIM actually prevent spoofing.
DMARC policy options:
- p=none → Monitor only, do nothing (start here)
- p=quarantine → Put failing emails in spam
- p=reject → Block failing emails completely (target state)
Example DMARC record:
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com.np; pct=100
The Spoofing Protection Setup Process
Phase 1: Deploy SPF and DKIM (Day 1)
- In WebsNP cPanel → Email → Email Deliverability
- Click "Repair" next to SPF and DKIM for each domain
- Verify DNS propagation at MXToolbox.com → SPF Lookup
Phase 2: Deploy DMARC in Monitor Mode (Week 1)
- Add a TXT record in DNS:
  Name: _dmarc.yourcompany.com.np
  Value: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com.np
- Wait for DMARC aggregate reports (arrive weekly as XML files)
- Use a DMARC report analyzer (Postmark, dmarcian, or free at MXToolbox) to identify all legitimate sending sources
Phase 3: Tighten to Quarantine (Week 2–3)
Once you have confirmed all legitimate senders are passing DKIM/SPF, change to:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com.np; pct=50
Phase 4: Full Enforcement (Week 4+)
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com.np; pct=100
At this point, any email that fails authentication is rejected outright by receivers that honor DMARC, and your exact domain can no longer be used as a forged sender address (DMARC does not cover lookalike domains an attacker registers separately).
Additional Email Security Measures
MTA-STS (Mail Transfer Agent Strict Transport Security)
MTA-STS forces TLS encryption on all incoming email connections to your mail server. Without it, attackers can intercept email in transit by downgrading connections. Enable in WebsNP's email security settings.
BIMI (Brand Indicators for Message Identification)
BIMI is a newer standard that displays your company logo next to your email in Gmail, Apple Mail, and Yahoo when DMARC is at p=reject. It visually differentiates your legitimate emails from spoofed attempts in the recipient's inbox.
Email Encryption (S/MIME)
For sensitive financial or legal communications, S/MIME digital certificates encrypt email content end-to-end. Only the intended recipient can decrypt and read the message.
How to Check If Your Domain Is Already Being Spoofed
# Check MXToolbox for your domain
https://mxtoolbox.com/emailhealth/yourcompany.com.np
# Check DMARC reports for unauthorized senders
# Look for SPF=FAIL or DKIM=FAIL in aggregate reports
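Both the Phase 2 step (reading the aggregate reports to find every source sending as your domain) and the check above (looking for SPF and DKIM failures) come down to parsing the rua XML. Here is an added example, not WebsNP's tooling or a DMARC analyzer's code, that does this on a constructed report in the RFC 7489 layout; the IPs and counts are made up (documentation address ranges), and it assumes you have already decompressed the .zip or .gz attachment the reporter sent.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 XML layout.
# IPs are documentation ranges: one legitimate source and one sender
# spoofing the domain. Real reports arrive compressed; decompress first.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourcompany.com.np</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com.np</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com.np</header_from></identifiers>
  </record>
</feedback>"""


def parse_aggregate_report(xml_text):
    """One dict per <record>: source IP, message count, the DKIM/SPF
    results the receiver computed, and the disposition it applied."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pol.findtext("dkim"),
            "spf": pol.findtext("spf"),
            "disposition": pol.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows


def unauthorized_senders(xml_text):
    """Sources that failed both DKIM and SPF, i.e. failed DMARC. Under
    p=none the disposition stays 'none': these messages were delivered."""
    return [r for r in parse_aggregate_report(xml_text)
            if r["dkim"] == "fail" and r["spf"] == "fail"]


def published_policy(xml_text):
    """The p= value the receiver saw, to confirm which phase is live."""
    return ET.fromstring(xml_text).findtext("policy_published/p")
```

A source that fails DMARC but is actually yours (a CRM or newsletter tool, say) belongs in your SPF include list or needs DKIM configured before you move to p=quarantine; a source you do not recognize is the spoofing you are trying to stop.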
| Security Check | Pass = Safe | Fail = Vulnerable |
|---|---|---|
| SPF Record | No unauthorized senders | Anyone can spoof you |
| DKIM Signing | Emails cryptographically verified | Email tampering undetected |
| DMARC Policy | p=reject stops all spoofing | p=none = zero protection |
| Reverse DNS (PTR) | IP maps to domain | Higher spam classification risk |
Email spoofing is not a technical problem — it is a trust problem. When an attacker convinces your supplier to wire NRS 5 lakh to a fraudulent account using an email that looks like it came from your CEO, the relationship damage is irreparable. Configure DMARC at p=reject before that happens.
WebsNP configures SPF, DKIM, and DMARC for all hosting clients on request — at no extra charge. Request a free email security audit for your domain today, or start with a hosting plan that includes email security setup.