How email spoofing targets small businesses — and how to stop it

March 27, 2026 · 6 min read · Threat Awareness

Here's the threat model most small businesses don't know about: an attacker doesn't need to break into your email account to impersonate you. They don't need your password, your 2FA code, or access to your systems.

They just need your domain name — which is public — and the knowledge that you haven't set up three free DNS records.

That's it. That's the entire attack.

How it actually works

Email was invented in the 1970s, before the internet became a hostile place. The original protocol (SMTP) has no built-in way to verify that an email is actually from who it claims to be from.

When someone sends you an email, the "From" address you see in your inbox is just a string of text. Any mail server can put anything in that field. There's no cryptographic verification — unless the domain owner has set up SPF, DKIM, and DMARC.

If those three records aren't in place, anyone can spin up a mail server and send emails that display your domain in the From field. Your clients see your company name and email address. They have no way to know it's not from you.

Real-world scenarios

Law Firm — Wire Fraud

A client is in the middle of a real estate closing. They receive an email from what appears to be their attorney's domain, updating wire transfer instructions. The email looks identical to previous correspondence. They wire $280,000 to a fraudulent account. By the time anyone notices, the money is gone.

Dental Practice — Fake Invoice

A dental practice's office manager receives an invoice from what appears to be their equipment supplier's domain. The amount is slightly different from usual. She pays it. The supplier's domain had no DMARC record, and the spoofed invoice directed payment to a fraudulent account.

Medical Clinic — Patient Trust Attack

Patients receive emails appearing to come from their doctor's office, asking them to update payment information before their next appointment. The clinic's domain had no email authentication. Patients' credit card numbers are harvested.

These aren't hypotheticals. Business Email Compromise (BEC) — the umbrella term for these attacks — is the most financially damaging cybercrime category tracked by the FBI.

$2.7B: BEC losses in the U.S. in 2022 (FBI)
73%: of SMB domains scanned have no DMARC enforcement
30 min: to fix it for most domains

Why small businesses are the target

Large enterprises have security teams, email gateways, and vendor relationships that enforce email authentication. When an attacker spoofs a Fortune 500 domain, there's usually some detection in place.

Small businesses — dental practices, law firms, medical clinics, accounting firms, real estate agents — are softer targets. They:

An attacker doesn't need to target a specific business. They can simply scan thousands of domains for missing DMARC records, compile a target list, and run campaigns against the unprotected ones.

Why so many businesses are still vulnerable

SPF, DKIM, and DMARC aren't configured automatically. When you buy a domain or set up Microsoft 365, nobody says "by the way, you need these three DNS records or your domain can be spoofed." It's a known gap that falls between domain registrars, email providers, and IT consultants.

The businesses that have it usually got it because someone proactively checked — or because they got hit first.

How to protect your domain

The fix involves three DNS records: SPF, DKIM, and DMARC. They're free. They don't require software. An IT provider or your registrar can add them in under an hour.

Step 1 — Find out if you're exposed. Run a free scan at sentryscore.com. You'll see your SPF, DKIM, and DMARC status in 60 seconds — and whether your DMARC policy is actually enforcing or just monitoring.

If you're missing records or have a weak policy (p=none), the action plan in the full report tells your IT team exactly what to add and where.

The fix order:

  1. SPF: Add a TXT record at your domain listing authorized sending services (Google Workspace, Microsoft 365, Mailchimp, etc.)
  2. DKIM: Enable it through your email provider — they'll give you a TXT record to add
  3. DMARC: Start with p=none for 2–4 weeks while you collect reports, then move to p=reject
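To make the three-record check concrete, here is an added example (not code from the article or from sentryscore.com) that evaluates a domain's SPF, DKIM and DMARC records the way the fix order above describes: it looks for a missing SPF record or a permissive "all" qualifier, a DKIM key at the selectors your provider told you about, and a DMARC record whose policy is still p=none or has no rua= reporting address. The DNS answers are constructed inline for a hypothetical domain; a real run would fetch TXT records for the domain, for `<selector>._domainkey.<domain>` and for `_dmarc.<domain>`.

```python
"""Assess a domain's SPF, DKIM and DMARC records for the gaps described above.
Added example; the DNS answers below are constructed, not real lookups.
A real check would fetch TXT records (e.g. dns.resolver.resolve(name, "TXT")
from dnspython) for <domain>, <selector>._domainkey.<domain> and _dmarc.<domain>."""
import re

# Constructed DNS answers for a hypothetical domain (assumption, not real data).
EXAMPLE_DNS = {
    "example-dental.test": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"],
    "selector1._domainkey.example-dental.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],
    "_dmarc.example-dental.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-dental.test"],
}


def parse_spf(txt):
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    if not txt.lower().startswith("v=spf1"):
        return None
    all_qualifier = None
    mechanisms = []
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dict."""
    if not txt.upper().startswith("V=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dns, dkim_selectors=("selector1", "google", "default")):
    """Return a list of findings; an empty list means all three records look sound.
    DKIM selectors cannot be enumerated from DNS, so pass the ones your provider uses."""
    findings = []

    spf_records = [t for t in dns.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF missing")
    elif len(spf_records) > 1:
        findings.append("SPF: multiple v=spf1 records (invalid, evaluates to permerror)")
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] in (None, "+"):
            findings.append("SPF: no restrictive 'all' qualifier (any sender passes)")

    dkim_found = any(
        any(t.upper().startswith("V=DKIM1") for t in dns.get(f"{s}._domainkey.{domain}", []))
        for s in dkim_selectors)
    if not dkim_found:
        findings.append("DKIM: no key found at the checked selectors")

    dmarc_records = [t for t in dns.get(f"_dmarc.{domain}", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append("DMARC missing")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none (monitoring only, spoofed mail is still delivered)")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy {policy!r}")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']}, policy applied to only part of failing mail")
    return findings


if __name__ == "__main__":
    for finding in assess_domain("example-dental.test", EXAMPLE_DNS) or ["no findings"]:
        print(finding)
```

For the constructed domain the only finding is the p=none policy, which is exactly the "monitoring, not enforcing" state the scan in Step 1 distinguishes; once reports have been reviewed for a few weeks the record is changed to p=reject and the function returns an empty list.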

What DMARC monitoring tells you

One underrated benefit of DMARC: the rua= field in your DMARC record instructs receiving servers to send you daily XML reports on all email sent using your domain — including unauthorized attempts.

Once you set up DMARC reporting, you'll see:

For most small businesses, the first few weeks of DMARC reports are eye-opening. It's common to see dozens of spoofing attempts you had no idea were happening.
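As an added illustration of what those rua= reports contain (not from the article), the following parses a DMARC aggregate report in the XML shape receivers send and separates mail that passed DMARC from mail that failed both aligned checks, grouped by sending IP. The report is constructed inline for a hypothetical domain, using documentation-range IP addresses; real reports arrive as zipped or gzipped XML attachments at the rua= mailbox, one per receiving organisation per day.

```python
"""Summarise a DMARC aggregate (rua) report. Added example, not from the
article; SAMPLE_REPORT is constructed in the RFC 7489 aggregate-report layout."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report for a hypothetical domain; IPs are from documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234567890</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-dental.test</domain>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-dental.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>17</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-dental.test</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the published policy and one entry per <record> from a rua report."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # these are the *aligned* DKIM/SPF results, i.e. what DMARC judged
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "records": records,
    }


def summarize(report):
    """Split message counts into DMARC-aligned mail and unauthenticated mail per source IP."""
    aligned = 0
    unauthenticated = defaultdict(int)
    for r in report["records"]:
        # DMARC passes when either aligned DKIM or aligned SPF passes
        if r["dkim"] == "pass" or r["spf"] == "pass":
            aligned += r["count"]
        else:
            unauthenticated[r["source_ip"]] += r["count"]
    return {
        "aligned": aligned,
        "unauthenticated": dict(unauthenticated),
        # under p=none the receiver reports the failures but still delivers them
        "delivered_despite_failing": report["policy"] == "none" and bool(unauthenticated),
    }


if __name__ == "__main__":
    summary = summarize(parse_aggregate_report(SAMPLE_REPORT))
    print(summary)
```

In the constructed report one IP sends 42 messages that pass, and an unrelated IP sends 17 that fail both DKIM and SPF; because the published policy is p=none, those 17 were delivered anyway. Seeing that second line in your own reports is what the article means by "eye-opening", and it is the signal that the policy is ready to move to p=reject. In practice the unauthenticated bucket should first be checked against legitimate senders you forgot to list in SPF (a CRM, an invoicing tool) before enforcing.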

The bottom line

Email spoofing is one of the highest-ROI attacks against small businesses — cheap to execute, potentially devastating, and entirely preventable with three free DNS records.

The reason it keeps working is that most businesses don't know they're vulnerable. Now you do.

