Stopping AI-Enhanced Email Spoofing: 5 Practical Steps

Artificial-intelligence tooling has super-charged Business Email Compromise attacks, letting bad actors generate convincing phishing lures in seconds. Before you roll out expensive defenses, run a quick health check with —to see exactly where your authentication gaps are (SPF, DKIM, DMARC).

The threat to your company’s email is immediate and growing. Business Email Compromise (BEC) scams, often driven by email spoofing, surged by 37% between May and June 2025, according to Fortra’s June 2025 Global BEC Insights Report. Even well-resourced companies are at risk, with a new study finding that an alarming 56% of private equity firm domains remain completely vulnerable to spoofing.

Email spoofing occurs when a hacker forges an email’s “From“ address to make it look like it came from a trusted source—your company. This simple deception —now multiplied by AI-generated lures— is the cornerstone of phishing attacks, which can lead to catastrophic data breaches, financial fraud, and severe damage to your brand’s reputation.

With phishing accounting for 80–95% of all cyberattacks and over 2.6 billion phishing interactions detected by Comcast Business in 2023—more than 90% of which were attempts to lead users to malware sites—your business is under a relentless, daily assault. This threat vector initiates approximately two‑thirds of all confirmed breaches, underscoring the urgent need for robust, multilayered cyber defenses. 

However, you can regain control and fortify your defenses. This guide will describe a five-step process to lock down your email domain using three powerful security protocols: SPF, DKIM, and DMARC. You will have a complete roadmap to protect your business from impersonation by the end.

Step 1: Analyze Your Current Vulnerability

Why You Must Start with an Analysis

Before you can build a strong defense, you need to know exactly where the weaknesses are in your current setup. Many business owners and managers operate under the dangerous assumption that their email is secure by default, but this is rarely the case. Without proper email authentication protocols, your domain is an open invitation for cybercriminals to impersonate your brand, trick your employees, and defraud your customers. This is not just a problem for small businesses; it’s a widespread industry blind spot that attackers exploit daily.

Using PowerDMARC’s Domain Analyzer Tool

Using PowerAnalyzer a free, comprehensive tool is an effective way to get a clear, immediate picture of your security posture. A recommended starting point is to use PowerDMARC’s domain analyzer tool designed to analyze your domain’s core authentication records to check if it is protected against phishing, spoofing, and fraud. 

Enter your domain name, and the Domain Analyzer will instantly assess your email authentication status, including your DMARC, SPF, and DKIM configurations. The tool provides a simple, color-coded report highlighting any vulnerabilities and giving you a clear list of actions needed to improve your security. This critical first step takes all the guesswork out of the process. It gives you a concrete, actionable starting point for the following steps. As a company that secures over 10,000 organizations worldwide and is SOC 2 Type 2 certified, PowerDMARC provides the expertise to begin this process confidently.

Step 2: Create and Implement Your SPF Record (The Guest List)

What is SPF?

Think of your email domain as an exclusive party. SPF, or Sender Policy Framework, is the official guest list you post at the door. Your SPF record is a public list, published in your domain’s DNS (Domain Name System), that tells every email server in the world, “Only emails coming from these specific servers and IP addresses are my legitimate guests.“ If an email arrives claiming to be from you but its sending server is not on the list, the receiving server knows it’s an imposter and can treat it with suspicion.

How to Build Your SPF Record

You will create a TXT record in your domain’s DNS settings that lists all authorized sending services. This includes your primary email provider, like Google Workspace or Microsoft 365, and any third-party services that send emails on your behalf, like Mailchimp, Salesforce, or your accounting software.

A basic SPF record looks like this:

v=spf1 ip4:192.168.0.1 include:_spf.google.com -all

In this example, the record authorizes emails from a specific IP address (ip4:192.168.0.1) and all servers in Google’s SPF record (include:_spf.google.com). The final part (-all) instructs receiving servers on how to handle emails from unauthorized sources.

Crucial Tips for a Correct SPF Record:

• One Record Only: Your domain must have only one SPF record. Creating multiple records will confuse receiving servers and cause them both to fail.
• Stay Under the 10-Lookup Limit: SPF has a built-in limit of 10 DNS lookups per record. Exceeding this limit, often by including too many third-party services, will cause validation errors.

• Use ~all or -all Carefully: ~all (SoftFail) tells servers to mark unauthorized emails as suspicious but likely deliver them. -all (Fail) tells them to reject the email outright. It is best to start with ~all until you are certain all your legitimate sending sources are included.
• Update It Regularly: Whenever you start using a new service that sends email for your company, you must remember to update your SPF record to include it.

Step 3: Set Up DKIM for Message Integrity (The Tamper-Proof Seal)

What is DKIM?

If SPF acts as your guest list, DKIM (DomainKeys Identified Mail) is the tamper-proof wax seal on every letter you send. DKIM uses a digital signature to cryptographically verify two critical things: that the email truly originated from your domain and that its content has not been altered in transit. According to a recent global AI-Threat Intelligence report, this is essential in an age where AI can augment phishing emails to make over 80% appear more convincing and legitimate.

How to Publish Your DKIM Key

The process begins with your email service provider, such as Google Workspace or Microsoft 365. Your provider will generate a unique pair of cryptographic keys: a private key that stays on its servers and a public key that you will publish. You will first navigate to your provider’s admin panel and enable DKIM signing for your domain.

Once enabled, the provider will give you the public key. You will then publish this key as a new TXT record in your domain’s DNS. A typical DKIM record will look something like this:

v=DKIM1; k=rsa; p=PUBLICKEYSTRINGGOESHERE

While this may sound highly technical, providers like Google and Microsoft have made the process straightforward. They offer step-by-step instructions in their help documentation to guide you through correctly generating and publishing your DKIM key.

Step 4: Deploy DMARC to Enforce Your Policies (The Security Guard)

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is the security guard that enforces your rules. It checks an incoming email against your SPF “guest list“ and its DKIM “tamper-proof seal.“ After checking, it follows the precise instructions you have laid out on what to do with unverified visitors. Leading AI-security experts agree that implementing DMARC is a key part of the multilayered defense necessary to combat modern email threats. DMARC also sends you detailed reports on all email activity, giving you full visibility into who is sending emails from your domain and who is trying to impersonate them.

How to Phase Your DMARC Rollout

You should never immediately start blocking emails when you first set up DMARC. The rollout is a deliberate, phased process designed to prevent disruption to your legitimate email flow: you start by monitoring, then move to quarantining, and finally progress to rejecting fraudulent emails.

You will start by creating a DMARC record with a p=none policy. Your initial record should look like this:

v=DMARC1; p=none; rua=mailto:[email protected];.

The rua tag specifies the email address where you will receive your aggregate activity reports.

Step 5: Monitor, Analyze, and Achieve Full Enforcement

Making Sense of DMARC Reports

Once your DMARC record is published, you will begin receiving daily reports. These reports are sent as XML files, which are difficult for humans to read and analyze directly. This is where a service becomes invaluable for turning raw data into actionable intelligence. A platform like PowerDMARC ingests these complex reports. It transforms them into human-readable dashboards, featuring seven distinct report views to clarify email traffic. This lets you easily see which emails pass or fail SPF and DKIM, identify the sending sources, and spot unauthorized activity.

The Path to p=reject

During the initial p=none monitoring phase, your primary goal is to use the reporting data to find and fix legitimate email sources failing authentication checks. You may discover a third-party marketing tool or a departmental server that was forgotten in your SPF record. Once you have adjusted your SPF and DKIM records, you can confidently move your policy and see that nearly 100% of your legitimate mail consistently passes DMARC checks. First, you will change the record to p=quarantine for a period of observation, and then, finally, to p=reject. This completes the process, slamming the door shut on hackers trying to spoof your domain.

Your Brand’s Digital Identity is Now Protected

By methodically analyzing your vulnerabilities and implementing SPF, DKIM, and a phased DMARC policy, you have moved your organization from a state of high risk to one of control and security. You have built a robust, industry-standard defense that protects your finances, data, and brand’s invaluable reputation.

Email authentication is not a technical luxury but a fundamental business necessity. These five steps ensure your email identity is yours, building trust with every single message you send.

Disclaimer: Editing DNS records requires care. Consult an IT professional if you are uncertain. AIjourn is not liable for any system or email deliverability issues arising from these changes.