
Have you ever gotten an email from yourself that you definitely didn’t send?
Or maybe a client forwarded you a weird message that “you” supposedly sent — but you had no idea it existed?
That’s not just weird. That’s a sign that someone out there might be pretending to be you.
Email impersonation is now one of the most common ways scammers trick people — and small businesses like ours are easy targets. To be clear, we're talking about the emails you send (or sometimes *don't* send).
But there’s a fix. It’s not glamorous and you don’t need to be a techie, but a quick behind-the-scenes setup can make your domain almost un-spoofable.
So grab your tea, and let’s look at the invisible shield that keeps your emails trustworthy: SPF, DKIM, DMARC, and BIMI.
Don’t worry — you won’t need to touch code, just learn how to ask for the right things.
The Problem: Scammers Love Your Name
Imagine this: A scammer sends your client an email that looks like it’s from you. Same name, same address, maybe even your logo in the signature.
Except…it isn’t you.
It’s someone asking them to pay an invoice, click a link, or “update their payment info.” And because it looks legit, your client might act fast.
This is a Business Email Compromise (BEC) or spoofing attack — pretending to be you, or anyone inside your company.
And here’s the kicker: they don’t need to hack your inbox. They just need your domain name.
If your domain isn’t protected, scammers can “spoof” it — and nobody will see it coming.
(Bookmark this post or run a check now — most issues go unnoticed until there’s real damage!)
The Hidden Layer: Who Gets to Send as You
Here’s a secret most small business owners don’t know:
Every domain name (like yourbusiness.com) has Domain Name System (DNS) settings. Think of them like your online control panel.
This is where you tell the internet:
- “This is where my website lives.”
- “This is where my emails come from.”
- “These are the tools allowed to send on my behalf.”
If you don’t set these rules, there are no rules — and that’s how scammers can send as you.
These settings live quietly in your domain’s records — usually wherever you bought your domain (GoDaddy, Google Domains, Squarespace, etc.) or a “traffic manager” like Cloudflare (Cloudflare does much more, but for our purposes right now, let’s focus on that).
You don’t have to change these yourself; you just need to know they’re there — and that protection starts here.
Meet the Alphabet Soup: SPF, DKIM, DMARC, and BIMI
SPF (Sender Policy Framework): Your Domain’s Guest List
SPF tells the world which email services are allowed to send as you. Say you send newsletters with ConvertKit and invoices with QuickBooks: SPF lists which platforms are ‘invited’ to send as you — everyone else, stay out.
Without SPF, anyone (including scammers) can send as you, and email servers won’t know it’s fake.
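To make the guest list concrete, here is a small added example (my illustration, not part of the original post or of any real product) that evaluates an SPF record the way a receiving mail server does. The domains, IP addresses and records in it are made up, and the `FAKE_DNS_TXT` table stands in for the DNS lookups a real server would perform:

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. These are NOT real
# records; a real receiving server queries DNS for each domain it meets.
FAKE_DNS_TXT = {
    "yourbusiness.com": (
        "v=spf1 include:_spf.newsletter-tool.example ip4:203.0.113.0/24 -all"
    ),
    # the newsletter platform publishes its own list of sending addresses
    "_spf.newsletter-tool.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it does not publish one."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate SPF the way a receiving mail server does.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the
    ip4/ip6, include and all mechanisms are implemented, which is enough to
    show how the guest list works; real SPF also has a/mx/exists mechanisms
    and a limit of 10 DNS lookups per check.
    """
    if depth > 10:  # an include: chain that never ends is an error in real SPF
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no guest list at all: receivers cannot tell real from fake
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            # include: counts as a match only when the other list says 'pass'
            matched = check_spf(sender_ip, value, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.7", "192.0.2.99"):
        print(ip, "->", check_spf(ip, "yourbusiness.com"))
    print("unprotected.example ->", check_spf("192.0.2.99", "unprotected.example"))
```

Run it and the first two addresses pass (one directly, one through the newsletter platform's `include:`), the third fails because the record ends in `-all`, and the domain with no record at all gets `none`, which is the "no rules" situation described above.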
DKIM (DomainKeys Identified Mail): The Secret Handshake
DKIM gives every email a hidden, cryptographic signature added by your email provider. When your client’s system checks it, the signature must match your domain’s DKIM record — proving the message wasn’t tampered with.
DKIM uses cryptography to lock in authenticity and protect your good name.
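Here is an added example (mine, not from the original post) of the part of a DKIM check that needs no keys at all: the receiving server recomputes a hash of the message body and compares it with the `bh=` value carried in the signature, so any change to the body after signing is caught. The message and the DKIM-Signature header are constructed for the demo, and the `b=` value, which a real receiver would verify with the public key published in DNS, is left as a labelled placeholder.

```python
import base64
import hashlib


def canonicalize_body_simple(body):
    """'simple' body canonicalization from RFC 6376 section 3.4.3: every line
    ends in CRLF, and any run of empty lines at the end of the body collapses
    to a single CRLF (an empty body becomes exactly one CRLF)."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text


def body_hash(body):
    """The bh= tag: base64 of the SHA-256 digest of the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Turn 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(header_value, body):
    """True when the bh= in the signature matches the body actually received."""
    return parse_dkim_signature(header_value).get("bh") == body_hash(body)


# Constructed sample message. The signature header is built here for the
# demo; b= (the RSA signature over the headers) is a placeholder because
# checking it needs the public key from <selector>._domainkey.<domain>.
ORIGINAL_BODY = "Hi,\r\n\r\nPlease find this month's invoice attached.\r\n\r\nThanks!\r\n"
DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=yourbusiness.com; s=mail2025; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; "
    "b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE"
)
# The same message after someone edited the payment instructions in transit.
TAMPERED_BODY = ORIGINAL_BODY.replace("attached", "below, payable to our new account")

if __name__ == "__main__":
    print("original body matches bh=:", body_hash_matches(DKIM_HEADER, ORIGINAL_BODY))
    print("tampered body matches bh=:", body_hash_matches(DKIM_HEADER, TAMPERED_BODY))
```

The canonicalization step is why a receiver can tolerate a mail server that adds or removes a blank line at the end of the message, while a single changed word anywhere in the body still produces a different hash and a failed check.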
DMARC (Domain-based Message Authentication, Reporting & Conformance): The Bouncer That Checks ID
DMARC checks if incoming emails follow both SPF and DKIM rules — and more importantly, that they align with your “From” domain (not just any allowed sender). If the message fails the check, DMARC decides what happens:
- Let it through,
- Send it to spam, or
- Block it completely.
(You may remember earlier this year, Google and others tightened their DMARC requirements for bulk email senders. Non-compliant emails risked being sent to spam or outright blocked. This move aimed to combat phishing and spoofing attacks while improving legitimate email deliverability.)
DMARC also sends special reports to the email address you specify in your DMARC record, so you (or your cybersecurity/IT support) can see who’s trying to send as you and spot risks early.
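The following added example (mine, not from the original post) shows the alignment rule and the three policy outcomes in code. Both DMARC records and the two message scenarios are constructed, and `organizational_domain` is a two-label shortcut standing in for the real Public Suffix List lookup a receiver performs:

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Stand-in for the Public Suffix List step: keep the last two labels.
    Assumption: good enough for .com-style names, wrong for e.g. co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(from_domain, authenticated_domain, mode):
    """Alignment: does the domain that SPF or DKIM vouched for match the visible
    From: domain? 's' demands an exact match; 'r' (the default) also accepts a
    subdomain of the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the domain SPF checked (the envelope sender); dkim_domain is
    the d= tag of a signature that verified. DMARC passes if EITHER check
    passed AND is aligned with the From: domain; otherwise the p= policy
    decides what the receiver does with the message.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed records and scenarios (not real domains or real mail).
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.com; adkim=r; aspf=r"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.com"

# 1. Forged message: the sending server's own domain passes SPF, but it is not
#    your domain, so that pass does not count, and there is no DKIM signature.
FORGED = dict(from_domain="yourbusiness.com", spf_result="pass",
              spf_domain="bulk-sender.example", dkim_result="none", dkim_domain=None)
# 2. Your real newsletter: the envelope sender belongs to the newsletter
#    platform (SPF not aligned), but the message is DKIM-signed with d=yourbusiness.com.
LEGIT = dict(from_domain="yourbusiness.com", spf_result="pass",
             spf_domain="mail.newsletter-tool.example", dkim_result="pass",
             dkim_domain="yourbusiness.com")

if __name__ == "__main__":
    print("forged, p=reject :", dmarc_evaluate(STRICT_RECORD, **FORGED))
    print("forged, p=none   :", dmarc_evaluate(MONITOR_ONLY_RECORD, **FORGED))
    print("legit,  p=reject :", dmarc_evaluate(STRICT_RECORD, **LEGIT))
    print("reports go to    :", parse_dmarc(STRICT_RECORD)["rua"])
```

The two forged cases are the point: with `p=reject` the receiver refuses the message, while with `p=none` it is delivered and only shows up in the reports sent to the `rua=` address, which is why a monitoring-only policy is a starting point rather than a finish line.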
BIMI (Brand Indicators for Message Identification): Your VIP Badge
Once you’ve set up SPF, DKIM, and DMARC, BIMI lets your verified logo appear next to your emails in inboxes like Gmail and Yahoo. This matters for brand trust — instant “this is safe and real” recognition!
Just know: BIMI requires a special verified certificate and your logo must follow trademark and format guidelines. It only works if your domain is already authenticated. And this one is not free.
What You Might Not Realize
You may have some protections in place — but not all, or not correctly:
- Your email provider (like Google Workspace) might set up SPF and DKIM but leave DMARC to you.
- Marketing tools (Mailchimp, ConvertKit, etc.) might send as your domain, but not be listed in your SPF.
- If you switched providers, old records might still be active (and messy).
- A DMARC policy that isn’t blocking still lets scammers slip through.
- Also, a bad setup can send your real emails straight to spam.
“Why Do My Legit Emails Keep Going to Spam?”
Email providers look for authentication — SPF, DKIM, and DMARC — to judge trust. Missing or weak records signal “risk,” even if it’s really you, so your emails get filtered out.
It’s like trying to check into a hotel without ID. You might be the guest, but staff can’t confirm it — so, no key for you.
Strong authentication shows your credentials every time and boosts both deliverability and your credibility.
How to Check If You’re Protected
You don’t have to guess — check your domain in seconds:
- Go to the Domain Scanner on my Resources page. It’s free. (You don’t even have to fork over your email to see your results!)
- Enter your domain.
- See at-a-glance results:
  - Green: All set, your SPF, DKIM, and DMARC are in place.
  - Yellow: Mostly set up, but needs tweaks.
  - Red: Key protections missing, fix ASAP.
Bonus: The checker also tells you if you’re ready for BIMI.
It takes about a minute to know if your domain is keeping the door shut on scammers (or leaving it wide open).
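For readers who want to do the check by hand, here is an added example scanner (mine, and not the Domain Scanner the post links to) that grades a domain green, yellow or red from its DNS TXT records. The records below are constructed, the `dig` commands in the comments are how you would fetch real ones, and the grading thresholds are my own assumptions about what counts as a "tweak" versus a missing protection:

```python
# To collect real records, run these and paste the answers into a dict like
# the ones below (the DKIM name needs the selector your email provider gave you):
#   dig +short TXT yourbusiness.com
#   dig +short TXT _dmarc.yourbusiness.com
#   dig +short TXT <selector>._domainkey.yourbusiness.com

# Selectors this toy scanner probes when you do not know yours
# (assumption: a short guess list, not an exhaustive one).
COMMON_SELECTORS = ("google", "selector1", "selector2", "k1", "mail")


def scan_domain(domain, txt_records, selectors=COMMON_SELECTORS):
    """Grade a domain green / yellow / red from its TXT records.

    txt_records maps a DNS name to the list of TXT strings published there.
    The thresholds are this example's own: red = a protection is missing or
    broken, yellow = present but not enforcing or not reporting.
    """
    domain = domain.lower()
    issues = []  # (severity, explanation)

    # SPF: exactly one record at the domain apex, ending in -all or ~all
    spf = [r for r in txt_records.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        issues.append(("red", "no SPF record: any server may send as this domain"))
    elif len(spf) > 1:
        issues.append(("red", "more than one SPF record (receivers treat that as an error)"))
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all", "?all"):
            issues.append(("yellow", f"SPF ends in '{last}', which admits every sender"))
        elif last not in ("-all", "~all"):
            issues.append(("yellow", "SPF does not end in -all or ~all"))

    # DKIM: a record carrying a public key (p=) at one of the probed selectors
    found = [s for s in selectors
             if any("p=" in r for r in txt_records.get(f"{s}._domainkey.{domain}", []))]
    if not found:
        issues.append(("red", "no DKIM key found at the probed selectors"))

    # DMARC: a record at _dmarc.<domain> with an enforcing policy and a report address
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        issues.append(("red", "no DMARC record: nothing tells receivers to block forgeries"))
    else:
        tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        policy = tags.get("p", "none").strip().lower()
        if policy == "none":
            issues.append(("yellow", "DMARC policy is 'none': forgeries are reported, not stopped"))
        if "rua" not in tags:
            issues.append(("yellow", "no rua= address: you will not receive DMARC reports"))

    severities = {s for s, _ in issues}
    colour = "red" if "red" in severities else "yellow" if "yellow" in severities else "green"
    return colour, [msg for _, msg in issues]


# Constructed records for three made-up domains (placeholder key material).
PROTECTED = {
    "protected.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "mail._domainkey.protected.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.protected.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@protected.example"],
}
HALF_DONE = {
    "half.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "google._domainkey.half.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.half.example": ["v=DMARC1; p=none"],
}
BARE = {}  # a domain that publishes nothing at all

if __name__ == "__main__":
    for name, records in (("protected.example", PROTECTED),
                          ("half.example", HALF_DONE), ("bare.example", BARE)):
        colour, findings = scan_domain(name, records)
        print(name, "->", colour.upper(), findings)
```

The half-finished domain comes out yellow for exactly the reasons the post lists: its DMARC policy is `none`, so forgeries are only reported, and it has no `rua=` address, so nobody even receives those reports.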
Managing Your DNS: Choose Your Comfort Zone
Now that you know your domain’s health, you’ve got a few ways to manage any needed changes:
- DIY in the dashboard: Log in to your DNS manager (like Cloudflare) and follow guides to update records—great if you like hands-on control.
- Use a simple tool or wizard: Many domain hosts offer step-by-step tools for common setups like email security records. There are tools out there, too. (I can recommend some. Reply and let me know.)
- Hire a pro: If you want a hands-off fix or have complex needs, a consultant or trusted expert can handle everything for you, including monitoring over time.
Pick the method that fits you best—there’s no wrong choice, just what makes you feel confident.
What to Do If You’re Not Protected
Don’t panic — this is fixable, and you do not have to be a DNS expert.
Follow these steps:
- Find your domain registrar. Where did you buy or do you manage your domain? (GoDaddy, Squarespace, Cloudflare, etc.)
- On their site, find DNS settings. Look for settings labeled “DNS” or “Domain Management.”
- Grab your email platforms’ guides. Your email senders (Google Workspace, Microsoft 365, Mailchimp, etc.) have step-by-step instructions for adding the SPF, DKIM, and DMARC records that allow them to send as you. Who sends email on your behalf? Your newsletter platform? Blog platform? Email platform? CRM? Anyone else?
- Add or update the DNS records. SPF and DKIM come from your email sender. DMARC can be created with a free generator (or reach out and I’ll walk you through it).
- Re-scan your domain. Wait a few minutes and run the Domain Scanner again to confirm your fixes worked.
Pro tip: Think of it like testing a smoke detector — it’s quick, not glamorous, but it protects everything you’ve built.
What if a scammer already tanked your reputation?
If a scammer sent bulk spam as you and got you blacklisted, can you fix it? Yes, you can fix it, but it involves a combination of technical and reputational recovery steps:
- Correct DNS Settings: First, you need to properly configure SPF, DKIM, and DMARC records to prevent further spoofing. This stops scammers from sending emails that look like they come from your domain.
- Monitor DMARC Reports: Use DMARC reports to watch for any suspicious activity and ensure no unauthorized sources are sending on your behalf.
- Request Blacklist Removal: If your domain or IP addresses have been blacklisted due to spam, you can submit removal requests to major blacklist providers once the problem is fixed, though this process can take time.
- Inform Your Clients: Communicate transparently with your clients and contacts about the issue and the steps you’ve taken to secure your domain, helping rebuild trust.
- Maintain Ongoing Security: Regularly audit your email authentication and security settings to prevent future attacks and quickly respond if they happen again. You can use a service to do this.
While the damage to reputation can be serious, setting up strong DNS protections combined with monitoring and communication can effectively restore your domain’s standing and protect your business over time. Recovery requires consistent effort but is fully achievable. (But the best thing to do is to prevent it in the first place.)
(Note that cybercriminals can also spoof your website domain by creating fake websites on lookalike addresses—so while SPF, DKIM, and DMARC protect your business email, it’s important to monitor for suspicious or similar domains to guard your wider online reputation. Yep, there are tools for that, too.)
Protecting Your Name Is Protecting Your Business
You’ve worked hard to build a brand your clients trust. Don’t let anyone borrow your credibility — or wreck your email reputation. Email security directly affects email deliverability.
Email authentication isn’t just tech stuff. At its core, it’s about your name, your business, and your livelihood. When your domain is locked down, everyone knows: emails really come from you — and land in the right inbox.
Before your next campaign or client email, take a minute:
👉Run the free Domain Scanner now — it only takes one minute. Stopping scammers has never been easier.
Your business deserves to be the only one using your good name.