What it costs to let anyone email as you
Email was never built to prove who a message comes from. Until you close that gap, attackers can send mail that looks exactly like yours - and the damage lands on your business, your staff and your customers.
can email as an unprotected domain
the average domain's security score
the common setting that stops nothing
The gap that makes it possible
When an email arrives, nothing in the basic protocol forces the sender to prove they’re really you. The “From” address is just text – anyone can type yours. SPF, DKIM and DMARC exist to close that gap, but only once they’re set up and enforced. Until then, your domain is an open identity for anyone to borrow.
This isn’t a rare, sophisticated attack. Spoofing your domain takes minutes and no special access – which is exactly why it’s so common.
Why “we’ve never had a problem” isn’t reassuring
The attacks that use your domain mostly land in other people’s inboxes – your customers, your suppliers, your staff. You often don’t see them at all, which is precisely why the first sign is frequently an angry customer or a fraudulent payment.
What an attacker does with your domain
Four patterns we see again and again – all of them trading on the trust in your name.
Invoice & payment fraud
A supplier or customer gets an email that looks like yours, with new bank details. The money goes to the attacker – and the awkward conversation comes to you.
CEO / executive scams
Staff receive an urgent request “from the boss” to pay an invoice or buy gift cards. The address is perfect because it really is your domain.
Phishing your people & customers
A convincing “reset your password” or “confirm your account” email harvests credentials – from your employees or the customers who trust your name.
Brand impersonation at scale
Spam and scams sent in your name reach thousands of inboxes, dragging down how everyone – and every mailbox provider – sees your domain.
The cost is more than the fraud itself
A successful spoofing attack rarely costs you once. The direct loss is just the start – the lasting damage is to the trust your business runs on, and even to the deliverability of your own legitimate email.
- Direct financial loss – fraudulent payments and the cost of unwinding them
- Customer & partner trust – people who were scammed in your name don’t forget it
- Your real mail’s deliverability – abuse of your domain hurts your sending reputation
- Regulatory & contractual exposure – data breaches and due-diligence questions follow
Most businesses are wide open – is yours?
This isn’t scaremongering; it’s measurable. Across the 17 million domains in our benchmark, the average email-security score is only around 21 out of 100, and the most common pattern is a domain sitting at p=none – reporting, but stopping nothing. The good news: because so few have finished the job, getting protected is a genuine advantage. See the benchmark →
How does your industry compare?
Email-security maturity varies a lot by sector – and so does how often a sector is targeted. Some industries are well ahead; others, often those handling the most sensitive data or money, lag behind the average and make especially attractive targets.
Knowing where your sector sits tells you whether the bar in your market is high or low – and how far you are from clearing it.
See how your industry scores →Put a number on your own risk
A free check scores your domain out of 100 and shows it against your industry – so “are we exposed?” becomes a question you can actually answer, in seconds.
What actually stops it
Getting DMARC to enforcement (p=reject) tells the world’s mailbox providers to refuse mail that fails authentication for your domain – so messages spoofing your exact domain simply don’t get delivered. That’s the single biggest step you can take, and DMARCER gets you there safely, without blocking your own mail.
An honest caveat: enforcement stops spoofing of your exact domain. It doesn’t stop look-alike domains (like your-company-support.com) – those need monitoring and takedowns, which is a separate piece of the puzzle. We’d rather tell you that up front.
- See exactly who’s sending as you today
- Fix SPF, DKIM and DMARC – in a click
- Advance to
p=rejectwhen it’s safe - Stay protected with continuous monitoring
For business →
How DMARCER protects your domain.
By industry →
How your sector scores.
Get to enforcement →
Reach p=reject without breaking mail.
Pricing →
Plans for businesses, with a free trial.
Find out if your domain is exposed
Run a free check – get your score out of 100 and see exactly what an attacker could exploit today.
Check your domain