Phishing
Phishing is a form of email fraud in which an attacker impersonates a person or brand the recipient trusts in order to trick them into handing over credentials, money, or sensitive data, or into installing malware. Email is its primary channel, and exact-domain spoofing is one of its most effective tactics, which is exactly what DMARC at enforcement is designed to stop.
- Fraud that impersonates a trusted sender to steal credentials, money, or data
- Email is the dominant channel; spoofing your domain damages your brand and reputation
- Variants include spear phishing, whaling, clone phishing, and BEC
-
A DMARC policy of
p=rejectis the strongest defence against exact-domain spoofing
From: domain
p=reject
How phishing works
Phishing exploits trust rather than a technical flaw. The attacker crafts a message that looks like it comes from a source the target already believes in (a bank, a colleague, a well-known brand) and adds urgency or fear to short-circuit careful thinking: your account is locked, an invoice is overdue, a delivery has failed. The payload is usually a link to a fake login page that captures whatever the victim types, an attachment carrying malware, or a request to wire money or share data.
The reason email is such fertile ground is that the original SMTP protocol does nothing to verify who a message is really from. Without authentication, an attacker can forge the visible From: address to read as your exact domain, and the message will look authentic to a recipient who only glances at the sender name. That is why email authentication and phishing are two sides of the same coin.
Common types of phishing
Phishing ranges from mass, untargeted blasts to precise, researched attacks:
- Bulk phishing casts a wide net with a generic lure sent to huge numbers of recipients.
- Spear phishing targets a specific individual or company with a tailored message built from prior research, which makes it far more convincing.
- Whaling is spear phishing aimed at senior executives, where a single success can be highly lucrative.
- Clone phishing copies a real message the victim already received and swaps in a malicious link or attachment.
- Business Email Compromise (BEC) impersonates an executive or supplier to authorise fraudulent payments, often with no malicious link at all.
Two relatives move off email entirely: smishing (phishing by SMS) and vishing (phishing by voice call). The lure changes channel, but the social-engineering playbook is the same.
How DMARC defends against phishing
The most damaging phishing against a brand uses exact-domain spoofing: the forged From: address is your real domain, character for character. The only layer that stops this is the authentication stack, and specifically DMARC at an enforcing policy. SPF and DKIM authenticate a message, and DMARC requires that a passing check align with the visible From: domain, then tells receivers to quarantine or reject anything that fails.
With p=reject published, a spoofed message claiming to be from your domain is blocked at the receiving server before it can reach an inbox. A policy of p=none does not stop the spoof, it only reports it. This is why publishing and enforcing DMARC is both a deliverability measure and a brand-protection measure: it defends your customers from impersonation and protects the domain reputation your own mail depends on. Confirm your policy with the DMARC checker.
How DMARC blocks a spoofed phishing email
From: domainnone: still delivered
reject: blocked
p=reject the spoof never reaches the inboxPhishing vs spam
| Phishing | Spam | |
|---|---|---|
| Goal | Defraud or steal from the recipient | Push unwanted bulk messages |
| Impersonates a trusted sender? | Yes, central to it | Sometimes, not required |
| Primary harm | Stolen credentials, money, malware | Nuisance and wasted attention |
| Main defence | Authentication + DMARC | Spam filters + blocklists |
| Always malicious? | Yes | Not necessarily |
By the numbers
quarantine and reject stop a spoof, while none merely reports it.Common mistakes
From: on its own, and an attacker can send unsigned mail. Only DMARC alignment binds the result to the address your recipient actually sees.p=nonequarantine or reject, attackers can still impersonate you in your customers’ inboxes.Frequently asked questions
From: address. It requires that a passing SPF or DKIM check align with that visible domain and, at p=quarantine or p=reject, tells receivers to filter or block messages that fail. A policy of p=none only reports the abuse without preventing it.