Most people treat the "From" line of an email as a fact: if it says it is from your bank, it is from your bank. That is one of the most dangerous assumptions in everyday computing, because the sender address on an email is not a verified identity. It is a label the sender fills in, and forging it takes no special skill or access. This is email spoofing, and it sits beneath a large share of the phishing, fraud, and impersonation that lands in inboxes every day. Understanding why the "From" field can lie, what the email system added later to catch the lies, and how to read the signals yourself turns a convincing fake into an obvious one. This builds directly on how phishing emails work and how to spot them, and fits the wider picture in our email privacy guide.
Why the "From" Address Is So Easy to Fake
Email was designed in an era of mutual trust between a handful of computers, and the protocol that delivers it, SMTP, simply takes the sender at their word. The address you see in your mail app is part of the message's own headers, written by whoever composed it, much like the return address you scrawl on the back of an envelope: nothing about posting the letter proves you wrote a truthful one. A sender can put any address they like in the "From" header, and the basic delivery machinery will carry the message along without objecting.
To make matters more confusing, there are actually two senders in every email: the "envelope" sender the mail servers use to route and bounce the message, and the "header" sender your app displays. They do not have to match, and spoofing exploits exactly that gap, showing you a trustworthy name in the visible "From" while the real origin is something else entirely. This is why a scam can appear to come from a brand you trust, a colleague, or even your own address, and why the display name alone tells you almost nothing about who really sent the message.
The Three Checks Built to Stop It
Because the protocol itself cannot vouch for a sender, three layers of authentication were bolted on over the years, and together they are what modern mail providers use to judge whether a "From" address is genuine. SPF (Sender Policy Framework) lets a domain publish a list of servers allowed to send mail on its behalf, so the receiving server can check whether the message actually came from one of them. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to the message that proves it really came from the domain it claims and was not altered in transit. DMARC ties the two together: it checks that the domain SPF or DKIM vouched for actually matches the domain in the visible "From" header, tells receivers what to do (deliver, quarantine, or reject) when a message fails that test, and optionally reports the failures back to the domain owner.
When these are configured and enforced, an attacker can no longer cheaply forge a well-protected domain: their forged message fails SPF and DKIM, and DMARC tells the receiver to reject it. This is also a large part of why your provider can sort mail so confidently; the same signals feed the filtering we describe in how email spam filters work. The catch is that not every domain publishes a strict DMARC policy, and attackers exploit the gaps, either by spoofing domains with weak or missing records or by sidestepping the checks entirely with a brand-new lookalike domain that passes authentication for itself while impersonating a brand by name.
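To make the DMARC step concrete, here is an added example (our illustration for this guide, not code from any mail server or from the RFCs) that models how a receiver combines an SPF result, a DKIM result, and the domain's published DMARC record into a verdict. Every domain, record, and result in it is constructed, and the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
"""Added example, not from the original article: a minimal model of how a
receiving server turns SPF, DKIM and a domain's DMARC record into a verdict.
Every domain, record and result here is constructed for illustration."""


def parse_dmarc_record(txt: str) -> dict:
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    'v' and 'p' are required; missing alignment tags default to relaxed ('r')."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Real receivers
    consult the Public Suffix List; this shortcut is enough for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. Strict ('s') needs an exact match; relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, policy_txt, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_result, action). DMARC passes when SPF or DKIM passed AND the
    domain that check vouched for aligns with the visible From domain; otherwise
    the domain's published policy decides what the receiver does."""
    policy = parse_dmarc_record(policy_txt)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"].lower(), "deliver")
    return "fail", action


if __name__ == "__main__":
    # Constructed scenarios (bank.example, attacker.example are placeholders).
    scenarios = [
        # Forged From on a domain that enforces reject: SPF passed, but only for
        # the attacker's own envelope domain, which does not align. Rejected.
        ("forged, p=reject", "bank.example", "v=DMARC1; p=reject",
         "pass", "mailer.attacker.example", "none", None),
        # Same forgery against a domain whose record says p=none: delivered.
        ("forged, p=none", "bank.example", "v=DMARC1; p=none",
         "pass", "mailer.attacker.example", "none", None),
        # Genuine mail: bounce subdomain passes SPF under relaxed alignment.
        ("genuine", "bank.example", "v=DMARC1; p=reject",
         "pass", "bounce.bank.example", "pass", "bank.example"),
        # Lookalike domain authenticating for itself: passes, nothing to reject.
        ("lookalike", "paypa1-verify.com", "v=DMARC1; p=reject",
         "pass", "paypa1-verify.com", "pass", "paypa1-verify.com"),
    ]
    for label, *args in scenarios:
        print(f"{label:16} -> {dmarc_disposition(*args)}")
```

The second and fourth scenarios are the two gaps the text describes: a p=none record turns a detected forgery into a delivered message, and a lookalike domain that publishes its own records passes every check because nothing in SPF, DKIM, or DMARC knows which brand a domain name resembles.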
How to Tell a Forged Sender From a Real One
You do not need to read raw headers to catch most spoofing, because the giveaways are usually visible with a little attention. Start by separating the display name from the actual address: a message that shows "PayPal Security" might sit on an address like alerts@paypa1-verify.com, and the mismatch between the friendly name and the real domain is the single most reliable tell. Hover over any link (or long-press it on mobile) before clicking and read the real destination the same way; the visible text and the true URL are often different, which is the core phishing trick we break down in our phishing guide.
If you want to go deeper, most mail apps let you view the original message or its headers, where an Authentication-Results line records whether SPF, DKIM, and DMARC passed or failed; a failure on a message claiming to be from a major brand is a strong signal of forgery. Beyond the mechanics, trust the behavioral cues: real organizations do not create the artificial urgency, the threats of account closure, or the requests to "confirm" credentials that define these scams, and a sender's address can pass every check and still be a fraudster operating from a convincing lookalike domain. The durable defenses are the same ones that protect you regardless of how clever the forgery is: never act on an unsolicited email's links, navigate to the service directly instead, and protect the accounts behind it with strong, unique passwords and two-factor authentication, as covered in our guide to strong passwords.
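As an added example that is not part of the original article, the script below pulls the signals this section describes, plus the envelope-versus-header gap from earlier, out of a raw message: it separates the display name from the real domain, compares the Return-Path domain with the From domain, and reads the SPF, DKIM, and DMARC verdicts from the Authentication-Results header. The message, its domains, and the small brand-to-domain table are all constructed for illustration, and the header parsing is deliberately simple.

```python
"""Added example, not from the original article: pulling the spoofing signals
the guide describes (display name vs. real domain, envelope vs. header sender,
and the Authentication-Results verdicts) out of a raw message. The message,
domains and brand table below are constructed for illustration."""
import email
import re
from email.utils import parseaddr

# Constructed message modelled on the "PayPal Security" example in the text.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce-9921@mailer.attacker.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=mailer.attacker.example;
 dkim=none;
 dmarc=fail (p=NONE) header.from=paypa1-verify.com
From: "PayPal Security" <alerts@paypa1-verify.com>
To: someone@receiver.example
Subject: Action required: confirm your account within 24 hours
Content-Type: text/plain; charset=utf-8

Confirm here: https://paypa1-verify.com/login
"""

# Assumed brand-keyword to genuine-domain table (a stand-in for a maintained list).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_auth_results(value: str) -> dict:
    """Extract method=result pairs (spf=pass, dkim=none, dmarc=fail, ...) from an
    Authentication-Results value; folded continuation lines do not matter here."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def triage(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_bytes(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Friendly name vs. the domain actually behind it: the most reliable tell.
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in genuine:
            findings.append(f"display name mentions {brand} but address domain is {from_domain}")

    # 2. Envelope sender (Return-Path) vs. header sender. Legitimate bulk mail often
    #    uses a separate bounce domain, so this is a prompt to look closer, not proof.
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    bounce_domain = domain_of(bounce)
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"envelope sender domain {bounce_domain} differs from From domain {from_domain}")

    # 3. What the receiving server recorded for SPF, DKIM and DMARC.
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "none")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE):
        print("-", line)
```

On the constructed message all three groups of findings fire. Had the lookalike domain been set up with its own SPF and DKIM records, the last two groups would stay silent and only the first finding, the brand name sitting on the wrong domain, would remain, which is exactly why the text ranks that mismatch above the authentication results.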
Where a Disposable Inbox Fits
Spoofing thrives on knowing a real address to target and on that address being tied to your identity and your important accounts. A disposable inbox undercuts both. When you hand a throwaway address to low-trust sign-ups, contests, and one-off downloads instead of your primary email, you keep your real address out of the breach dumps and broker lists that supply attackers with targets in the first place; that is the supply chain we trace in how data brokers buy and sell your email. Fewer services holding your real address means fewer leaks pointing a spoofed message at you.
It also limits the blast radius when a forged message does land. A spoofed email arriving in a disposable inbox that is connected to nothing of value is far less dangerous than the same email reaching the address tied to your bank, your primary accounts, and your recovery flows. Compartmentalizing this way (real address for the handful of accounts that matter, throwaway addresses for everything forgettable) is the same strategy we recommend throughout temporary email best practices and the broader toolkit in our complete guide to online privacy tools. Temp mail does not stop spoofing, which is a problem of how email itself works, but it shrinks both the odds that a forged message finds you and the damage it can do when one does.
The Short Version
The "From" address on an email is a label the sender writes, not a verified identity, and forging it is trivial because the underlying protocol takes senders at their word. Three authentication layers (SPF, DKIM, and DMARC) were added to catch forgeries, and they work well for domains that enforce them, but gaps remain and attackers exploit weak records or lookalike domains. You can catch most spoofing yourself by separating the display name from the real address, checking link destinations before clicking, and reading the authentication results when in doubt, while never acting on an unsolicited email's links. A disposable inbox does not fix the protocol, but by keeping your real address out of breaches and broker lists and isolating low-trust mail, it reduces both how often forged messages reach you and how much harm they can do when one does.
Frequently Asked Questions
How can an email pretend to be from someone else?
Because the "From" address is just a header the sender fills in, and the basic email protocol, SMTP, does not verify it, much as a return address on an envelope proves nothing about who wrote the letter. Every email also has two senders: an envelope sender used for routing and the header sender your app displays, and they need not match. Spoofing exploits that gap by showing you a trustworthy name while the real origin is something else, which is why a scam can appear to come from your bank, a colleague, or even your own address.
What are SPF, DKIM, and DMARC?
They are the three authentication layers added to email to catch forged senders. SPF lets a domain list which servers may send mail for it. DKIM attaches a cryptographic signature proving a message genuinely came from the claimed domain and was not altered. DMARC ties them together, telling receivers whether to deliver, quarantine, or reject mail that fails the checks, and reporting failures back. When a domain enforces all three, cheaply forging it becomes very hard, which is also why your provider can filter mail so confidently.
If those checks exist, why does spoofing still work?
Because not every domain enforces them. Many publish weak or missing DMARC policies, leaving room to forge their addresses, and attackers also sidestep the checks entirely by registering brand-new lookalike domains, something like paypa1-verify.com, that pass authentication for themselves while impersonating a brand by name. Authentication catches forgeries of well-protected domains, but it cannot stop a fraudster who controls a convincing imposter domain, which is why your own judgment about links and senders still matters.
How do I check if an email's sender is real?
Start by separating the display name from the actual address: a mismatch like "PayPal Security" sitting on an unfamiliar domain is the most reliable tell. Hover over or long-press links to read their true destination before clicking. For a deeper check, open the original message and look for the Authentication-Results header, where SPF, DKIM, and DMARC pass or fail; a failure on a message claiming to be from a major brand strongly suggests forgery. Above all, never act on an unsolicited email's links; navigate to the service directly instead.
Does using temp mail stop email spoofing?
No: spoofing is a flaw in how email itself works, and no inbox can prevent a forged "From" line. What a disposable inbox does is reduce your exposure: keeping your real address out of low-trust sign-ups limits the breaches and broker lists that hand attackers their targets, and isolating low-trust mail in a throwaway inbox means a forged message that does arrive is connected to nothing valuable. Temp mail shrinks both the odds a spoofed message finds you and the damage it can do, but the durable defenses remain skepticism, direct navigation, and strong account security.
Sources & further reading
- RFC 5321 — Simple Mail Transfer Protocol (IETF)
- RFC 7208 — Sender Policy Framework (SPF)
- RFC 7489 — Domain-based Message Authentication (DMARC)
External links are provided for verification and are not endorsements. Reviewed against these sources per our editorial policy.
Achyuth Kumar
Founder & editor, TempMailKit
Achyuth builds privacy tools and writes TempMailKit’s guides on email security, spam, and online privacy. Every article is checked against primary sources and our editorial policy before it is published. Questions or a correction? Get in touch.