Phishing

Definition

Phishing is a form of email fraud in which an attacker impersonates a person or brand the recipient trusts in order to trick them into handing over credentials, money, or sensitive data, or into installing malware. Email is its primary channel, and exact-domain spoofing is one of its most effective tactics, which is exactly what DMARC at enforcement is designed to stop.

  • Fraud that impersonates a trusted sender to steal credentials, money, or data
  • Email is the dominant channel; spoofing your domain damages your brand and reputation
  • Variants include spear phishing, whaling, clone phishing, and BEC
  • A DMARC policy of p=reject is the strongest defence against exact-domain spoofing
At a glance
Category Email-borne fraud / social engineering
Main channel Email (plus SMS and voice variants)
Common goal Steal credentials, money, or data
Key tactic Spoofing a trusted From: domain
Primary defence DMARC at p=reject

How phishing works

Phishing exploits trust rather than a technical flaw. The attacker crafts a message that looks like it comes from a source the target already believes in (a bank, a colleague, a well-known brand) and adds urgency or fear to short-circuit careful thinking: your account is locked, an invoice is overdue, a delivery has failed. The payload is usually a link to a fake login page that captures whatever the victim types, an attachment carrying malware, or a request to wire money or share data.

The reason email is such fertile ground is that the original SMTP protocol does nothing to verify who a message is really from. Without authentication, an attacker can forge the visible From: address to read as your exact domain, and the message will look authentic to a recipient who only glances at the sender name. That is why email authentication and phishing are two sides of the same coin.

Common types of phishing

Phishing ranges from mass, untargeted blasts to precise, researched attacks:

  • Bulk phishing casts a wide net with a generic lure sent to huge numbers of recipients.
  • Spear phishing targets a specific individual or company with a tailored message built from prior research, which makes it far more convincing.
  • Whaling is spear phishing aimed at senior executives, where a single success can be highly lucrative.
  • Clone phishing copies a real message the victim already received and swaps in a malicious link or attachment.
  • Business Email Compromise (BEC) impersonates an executive or supplier to authorise fraudulent payments, often with no malicious link at all.

Two relatives move off email entirely: smishing (phishing by SMS) and vishing (phishing by voice call). The lure changes channel, but the social-engineering playbook is the same.

How DMARC defends against phishing

The most damaging phishing against a brand uses exact-domain spoofing: the forged From: address is your real domain, character for character. The only layer that stops this is the authentication stack, and specifically DMARC at an enforcing policy. SPF and DKIM authenticate a message, and DMARC requires that a passing check align with the visible From: domain, then tells receivers to quarantine or reject anything that fails.

With p=reject published, a spoofed message claiming to be from your domain is blocked at the receiving server before it can reach an inbox. A policy of p=none does not stop the spoof, it only reports it. This is why publishing and enforcing DMARC is both a deliverability measure and a brand-protection measure: it defends your customers from impersonation and protects the domain reputation your own mail depends on. Confirm your policy with the DMARC checker.

How DMARC blocks a spoofed phishing email

An attacker forges your exact From: domain
The receiver runs SPF and DKIM and checks alignment
SPF: from your IPs? DKIM: signed by you?
Neither passing check aligns with your domain
Your published DMARC policy decides
none: still delivered reject: blocked
At p=reject the spoof never reaches the inbox

Phishing vs spam

Phishing Spam
Goal Defraud or steal from the recipient Push unwanted bulk messages
Impersonates a trusted sender? Yes, central to it Sometimes, not required
Primary harm Stolen credentials, money, malware Nuisance and wasted attention
Main defence Authentication + DMARC Spam filters + blocklists
Always malicious? Yes Not necessarily

By the numbers

3
DMARC policies; only quarantine and reject stop a spoof, while none merely reports it.
p=reject
The enforcing DMARC policy that blocks exact-domain spoofing of your brand before it reaches the inbox.
5,000+/day
The volume at which Gmail and Yahoo have required DMARC since February 2024, partly to curb spoofing.

Common mistakes

Believing SPF and DKIM alone stop spoofing
Both authenticate a domain, but neither checks the visible From: on its own, and an attacker can send unsigned mail. Only DMARC alignment binds the result to the address your recipient actually sees.
Leaving DMARC at p=none
A monitoring policy reports spoofing of your domain but does nothing to block it. Until you reach quarantine or reject, attackers can still impersonate you in your customers’ inboxes.
Assuming the spam filter will catch it
A well-crafted, authenticated-looking spear-phishing or BEC message often has no spammy hallmarks at all and can sail past content filters. Authentication, not content scoring, is what stops domain impersonation.
Trusting the display name
Recipients judge a sender by the friendly name, which an attacker can set to anything. Train people to check the full address and rely on enforced DMARC rather than on the name shown.

Frequently asked questions

What is phishing in email?
Phishing is email fraud in which an attacker pretends to be a person or brand you trust to trick you into giving up credentials, money, or sensitive data, or into running malware. It usually relies on a convincing lure with urgency, plus a fake login page, a malicious attachment, or a fraudulent request, and it often spoofs a trusted sender’s domain to look legitimate.
How does DMARC stop phishing?
DMARC stops the most dangerous form, exact-domain spoofing, where the attacker forges your real domain in the From: address. It requires that a passing SPF or DKIM check align with that visible domain and, at p=quarantine or p=reject, tells receivers to filter or block messages that fail. A policy of p=none only reports the abuse without preventing it.
What is the difference between phishing and spam?
Spam is unwanted bulk email, often just a nuisance, and is not always malicious. Phishing is always malicious: its goal is to defraud the recipient by impersonating a trusted sender to steal credentials, money, or data. Spam is fought mainly with content filters and blocklists; phishing that spoofs your domain is fought with email authentication and an enforcing DMARC policy.
What are the main types of phishing?
Bulk phishing blasts a generic lure widely; spear phishing targets a specific person or company with a researched, tailored message; whaling targets senior executives; clone phishing copies a real message and swaps in a malicious link; and Business Email Compromise impersonates an executive or supplier to authorise fraudulent payments. Smishing and vishing move the same tactics to SMS and phone calls.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary