TL;DR: If people are getting spam or phishing "from you", or you're receiving bounce-backs for mail
you never sent, your domain is almost certainly being spoofed — because it has no enforced DMARC policy.
The fix is to publish SPF, DKIM and a DMARC policy at p=reject, which tells the world's mail
servers to throw away fakes. Scan your domain free to confirm whether you're currently spoofable.
The signs you're being spoofed
- Customers or contacts tell you they got a strange email "from you" that you never sent.
- You receive bounce-backs (mailer-daemon replies) for messages you didn't send — known as backscatter.
- Your domain shows up in spam complaints or a sudden reputation drop.
Importantly, this usually does not mean your account was hacked. The attacker isn't logging into your mail — they're simply forging your address, which is trivial unless you've locked it down.
Why it happens
Email's base protocol lets anyone write anything in the "From" field. The only thing that stops it is DMARC set to enforce — quarantine or reject. If your domain has no DMARC record, or it's stuck at p=none (monitoring only), receivers have no instruction to block the fake, so it lands in inboxes wearing your name.
How to confirm it
- Scan your domain — Kalenfy shows in seconds whether you have an enforced DMARC policy or are spoofable. Run a free scan.
- Get a copy of the fake and view its full headers; check the Authentication-Results header for spf=fail / dmarc=fail — that confirms it's a forgery, not a real send.
- Turn on DMARC reporting (a rua address) to see the scale of the spoofing.
How to stop it fast
- Make sure SPF and DKIM are valid for your real mail (so your legitimate email keeps passing).
- Publish a DMARC record. Start at p=none with reporting for a few days to confirm your real senders pass, then move to p=quarantine and finally p=reject.
- At p=reject, mail servers worldwide discard messages that fail — the spoofing stops reaching inboxes.
If the spoofing is active and causing damage, this is the one time it's worth moving to enforcement quickly — just verify your own senders first so you don't block real mail.
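The two checks above (reading the receiver's Authentication-Results verdict, and judging where a DMARC record sits on the p=none to p=reject path) in code, as an added example that is not Kalenfy's own code. The records, the header and the example.com addresses are constructed sample data, and nothing here performs a DNS lookup.

```python
"""Added example: classify a DMARC record and read an Authentication-Results verdict."""
import re

# Constructed DMARC TXT records, one for each stage of the rollout described above.
SAMPLE_DMARC = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

# Constructed Authentication-Results header as a receiver would stamp it on a forgery.
SAMPLE_HEADER = ("Authentication-Results: mx.receiver.example; spf=fail "
                 "smtp.mailfrom=example.com; dkim=none; "
                 "dmarc=fail (p=NONE) header.from=example.com")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def enforcement(record):
    """Stage of the record: missing -> monitoring (p=none) -> partial (pct<100) -> enforced."""
    tags = parse_dmarc(record or "")
    if not tags:
        return "missing"
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return "monitoring"  # p=none (or an unusable p): receivers are told not to block
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"  # the policy is applied to only a fraction of failing mail
    return "enforced"


def spoofable(record):
    """A forgery reaches inboxes unless the policy is fully enforced."""
    return enforcement(record) != "enforced"


def forged(auth_results):
    """True when the receiver recorded dmarc=fail. spf=fail alone is weaker evidence
    (legitimate forwarding also breaks SPF), so the DMARC verdict decides."""
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results.lower()))
    return verdicts.get("dmarc") == "fail"
```

Feed `enforcement()` the TXT record you fetch from `_dmarc.<yourdomain>` and `forged()` the header copied from a reported fake; a "missing", "monitoring" or "partial" result is the spoofable state the article describes.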
FAQ
Does this mean I've been hacked?
Usually no. Spoofing forges your address without any access to your account. Still, change passwords and enable 2FA as a precaution, then lock the domain down with DMARC.
How fast does DMARC stop it?
As soon as the record propagates (minutes to hours), receivers begin applying your policy. Reach p=reject
once you're confident in your legitimate senders.
What about look-alike domains (kalenfy-support.com)?
DMARC protects your exact domain. Look-alikes are a separate problem handled by monitoring and takedowns — but locking your real domain is the essential first step.
Being spoofed right now? Scan your domain, then reply to your report — we're developers and we'll deploy
DMARC to reject safely and shut the spoofing down for you.