Is This Email Real? How to Spot Email Spoofing in 2026

Abhishek Gautam, 5 min read

Quick summary

Phishing emails impersonate brands using lookalike domains, fake display names, and Reply-To tricks. This guide shows how to check whether an email is real before you click.

Phishing cost businesses $3.5 billion in 2023 according to the FBI's IC3, and most of those emails look convincing at first glance. The sender name says "PayPal Support," the formatting is professional, the branding matches. What gives it away is usually the actual sender address, which most email apps hide behind the display name by default.

What Is Email Spoofing?

Email spoofing is when an attacker forges the From address or display name to make a message appear to come from a trusted source. The technique works because the display name and the address are two separate parts of the From header, and SMTP itself verifies neither: a sender can set the display name to "Amazon Order Confirmation" while sending from a free webmail account or a throwaway domain registered yesterday, and, unless the receiving server enforces SPF, DKIM and DMARC, can even put the real brand's domain in the address. Your inbox shows the display name. The actual address is one click away.

The goal is always the same: get the recipient to click a link, enter credentials, download a file, or transfer money.

5 Signs an Email Is Spoofed

1. The display name and actual email domain don't match

This is the most common tell. Your email app shows "PayPal Support" in bold, but clicking on the sender name reveals the actual address: an account on a free webmail provider, or a domain that has nothing to do with PayPal. Legitimate PayPal emails come from the paypal.com domain. Any company you actually do business with sends from its own domain (or a subdomain of it), so an address on an unrelated domain is the first thing to check.

2. The domain is one or two characters off

Attackers register lookalike domains by swapping a letter, adding a word, or replacing a character with a number. Common examples: paypa1.com (number 1 instead of lowercase L), amazon-secure-login.com, microsofft.com, appleid-verify.net. Some lookalikes go further and use non-Latin characters that render identically, such as a Cyrillic "а" in place of the Latin "a"; in raw headers these show up as punycode domains starting with xn--. Any domain that is not the exact official domain of the brand (or a subdomain of it) should be treated as suspicious, regardless of how professional the email content looks.
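As an added example (not the Email Spoof Checker's own code), the Python script below applies these lookalike rules to a sender domain: digit-for-letter swaps, near-miss spellings, a brand name embedded in a longer domain or used as a subdomain, the brand on the wrong TLD, suspicious TLDs, and punycode (xn--) homoglyph domains. The brand list, the digit and confusable tables, and the "last two labels" rule for the registrable domain are simplifying assumptions; a real tool would use the Public Suffix List and the full Unicode confusables data.

```python
"""Lookalike-domain checks (added example, not the Email Spoof Checker's code).

Assumptions: BRANDS, DIGIT_SWAPS and CONFUSABLES are small constructed subsets,
and the registrable domain is taken as the last two labels, which is wrong for
multi-part suffixes such as .co.uk (a real tool would use the Public Suffix List).
"""
import unicodedata

BRANDS = {"paypal.com", "amazon.com", "microsoft.com", "apple.com", "google.com"}
SUSPICIOUS_TLDS = {"tk", "ml"}                          # the TLDs the article names
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0443": "y"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a plain O(len(a) * len(b)) table is fine for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_idn(domain: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the mail client shows."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain                   # already Unicode, or not valid punycode


def skeleton(label: str) -> str:
    """Undo the visual tricks: NFKC-normalise, map confusables and digits to Latin letters."""
    return (unicodedata.normalize("NFKC", label.lower())
            .translate(CONFUSABLES).translate(DIGIT_SWAPS))


def analyze_domain(domain: str) -> dict:
    """Classify a sender domain as official, suspicious (with reasons) or unrelated."""
    raw = domain.strip().lower().rstrip(".")
    shown = decode_idn(raw)
    labels = shown.split(".")
    registrable = ".".join(labels[-2:])  # assumption: two-label public suffix
    tld = labels[-1]
    if registrable in BRANDS:            # brand.com or any subdomain of it
        return {"domain": shown, "verdict": "official", "findings": []}

    findings = []
    if shown != raw or any(ord(ch) > 127 for ch in shown):
        findings.append(f"IDN/homoglyph domain, displays as {shown!r}")
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld}")

    name = registrable.split(".")[0]
    norm = skeleton(name)
    for brand in sorted(BRANDS):
        brand_name = brand.split(".")[0]
        if norm == brand_name:
            if name == brand_name:
                findings.append(f"{brand_name} on the wrong TLD (.{tld} instead of {brand})")
            else:
                findings.append(f"character substitution for {brand}")
        elif levenshtein(norm, brand_name) <= 2:
            findings.append(f"near-miss spelling of {brand}")
        elif brand_name in norm:
            findings.append(f"brand name {brand_name!r} embedded in {registrable}")
        if brand_name in labels[:-2]:        # paypal.com.evil.example style
            findings.append(f"{brand_name!r} used as a subdomain of {registrable}")

    verdict = "suspicious" if findings else "unrelated"
    return {"domain": shown, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for d in ("paypal.com", "paypa1.com", "amazon-secure-login.com",
              "p\u0430ypal.com".encode("idna").decode("ascii")):
        print(d, analyze_domain(d))
```

The punycode case is the one worth trying by hand: the script encodes "pаypal.com" (Cyrillic а) with Python's idna codec, which is exactly what a mail client does in reverse when it renders the domain, and the skeleton step is what lets the comparison see through it.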

3. The Reply-To address is different from the sender

Check the Reply-To header. If its domain differs from the From domain, your reply goes to the attacker while the From address keeps looking legitimate. This lets attackers use a convincing From address for delivery while collecting responses through a completely different domain. It is a common technique in business email compromise (BEC) fraud, where the attacker needs the victim to reply with payment or account details rather than click a link.

4. SPF or DKIM fails in the email headers

Every major email provider runs these checks automatically when a message arrives. SPF verifies that the server delivering the message is authorised to send for the domain in the envelope sender. DKIM verifies a cryptographic signature that the sending domain added over selected headers and the body, which proves the domain signed the message and that the signed parts were not altered in transit. DMARC ties the two to the domain shown in the From header and tells the receiver what to do when both fail. The receiving server writes all three results into an Authentication-Results header, which you can read in the raw headers.

To check in Gmail: open the email, click the three-dot menu, then "Show original." Gmail summarises SPF, DKIM and DMARC at the top of that view; the detail is in the Authentication-Results header, in lines like "spf=pass" or "spf=fail", "dkim=pass" or "dkim=fail", and "dmarc=pass" or "dmarc=fail." A fail on SPF or DKIM is a red flag. A DMARC fail means neither check passed for the domain in the From header, so the email almost certainly did not come from who it claims. Two caveats: only trust the Authentication-Results header added by your own provider, because a sender can include a fake one, and a pass only proves the message came from the domain in the address, so a display-name spoof sent from an attacker-owned domain will pass all three checks.
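The following Python script, an added example rather than the page's tool, runs signs 1, 3 and 4 over raw headers using the standard library's email parser: it compares the display name with the From domain, the Reply-To domain with the From domain, and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, trusting only the copy written by the recipient's own server. The two messages, the authserv-id (mx.example.org) and the brand list are constructed for the example; the second message shows the caveat above, where SPF and DKIM pass because the attacker owns the sending domain.

```python
"""Header triage for a suspicious email (added example, not the page's tool).

Assumptions: OUR_AUTHSERV is the authserv-id of the recipient's own mail server,
BRANDS is a constructed subset, and both messages are constructed
(RFC 2606 .example domains, RFC 5737 addresses, .tk as the article's suspicious TLD).
"""
import email
import re
from email import policy

OUR_AUTHSERV = "mx.example.org"
BRANDS = {"example bank": "bank.example", "paypal": "paypal.com"}
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DMARC_POLICY = re.compile(r"\bp=(\w+)", re.IGNORECASE)

# Exact-domain spoof: From claims bank.example, but the relay is not an authorised sender.
SPOOFED = """\
Received: from relay.attacker-hosting.example ([203.0.113.5])
        by mx.example.org with ESMTPS; Mon, 12 Jan 2026 09:14:03 +0000
Authentication-Results: mx.example.org;
        spf=fail (203.0.113.5 is not a permitted sender) smtp.mailfrom=alerts@bank.example;
        dkim=none;
        dmarc=fail (p=NONE) header.from=bank.example
From: "Example Bank Alerts" <alerts@bank.example>
Reply-To: Example Bank Alerts <alerts@bank-example-secure.tk>
To: victim@example.org
Subject: Unusual sign-in: confirm your account

Confirm your identity within 24 hours to avoid suspension.
"""

# Display-name spoof: SPF and DKIM pass because the attacker owns webmail.example.
DISPLAY_NAME_ONLY = """\
Received: from out.webmail.example ([198.51.100.7])
        by mx.example.org with ESMTPS; Mon, 12 Jan 2026 10:02:41 +0000
Authentication-Results: mx.example.org;
        spf=pass smtp.mailfrom=support.team4471@webmail.example;
        dkim=pass header.d=webmail.example;
        dmarc=pass (p=NONE) header.from=webmail.example
From: PayPal Support <support.team4471@webmail.example>
To: victim@example.org
Subject: Your account has been limited

Log in to restore access.
"""


def auth_results(msg) -> dict:
    """Read only the topmost Authentication-Results header, and only if our own
    server wrote it: a sender can add a fake one further down the header block."""
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return {}
    top = str(headers[0])
    authserv = top.split(";", 1)[0].strip().lower()
    if authserv != OUR_AUTHSERV:
        return {"untrusted_authserv": authserv}
    results = {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(top)}
    pol = DMARC_POLICY.search(top)
    if pol:
        results["dmarc_policy"] = pol.group(1).lower()
    return results


def triage(raw: str) -> dict:
    """Return the article's signs 1, 3 and 4 as a list of flags for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    flags = []

    # Sign 1: a brand in the display name, but the address is not on that brand's domain.
    for keyword, official in BRANDS.items():
        on_brand = from_domain == official or from_domain.endswith("." + official)
        if keyword in sender.display_name.lower() and not on_brand:
            flags.append(f"display name says {keyword!r} but address is @{from_domain}")

    # Sign 3: replies silently go to another domain.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Sign 4: the receiving server's own SPF/DKIM/DMARC verdicts.
    auth = auth_results(msg)
    if "untrusted_authserv" in auth:
        flags.append(f"Authentication-Results not written by {OUR_AUTHSERV} "
                     f"(found {auth['untrusted_authserv']})")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) in ("fail", "softfail"):
            flags.append(f"{check}={auth[check]}")
    if auth.get("dkim") == "none":
        flags.append("no DKIM signature")
    if auth.get("dmarc") == "fail" and auth.get("dmarc_policy") == "none":
        flags.append("DMARC failed but p=none, so the receiver delivered it anyway")
    return {"from": str(sender), "auth": auth, "flags": flags}


if __name__ == "__main__":
    for sample in (SPOOFED, DISPLAY_NAME_ONLY):
        print(triage(sample))
```

The first message trips the Reply-To and all three authentication checks; the second trips only the display-name check, which is the point: a clean Authentication-Results line tells you the mail came from webmail.example, not that webmail.example is PayPal.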

5. The sender domain has no mail servers

Legitimate email domains have MX records, the DNS entries that name the mail servers accepting mail for that domain. A domain registered purely to send spoofed mail often has no MX records at all, because the attacker only needs it to send, not to receive. You can check this with any DNS lookup tool, such as dig, nslookup or an online DNS checker. The reverse does not hold: a Reply-To domain must accept mail to be useful, so it will have MX records, and a lookalike domain with MX records is still a lookalike.

How to Check Any Suspicious Email in Seconds

The quickest way is the free Email Spoof Checker tool. Paste the sender display name, the actual email address, and optionally the Reply-To address. It checks for lookalike domains across 30+ known brands (PayPal, Amazon, Google, Microsoft, Apple, Chase, FedEx, GitHub, Stripe, and more), display name mismatches, suspicious TLDs like .tk and .ml, and runs a live MX record check via Cloudflare DNS. No data is stored; the checks run in your browser, apart from the MX lookup, which sends the domain name to Cloudflare's public DNS resolver.

For a deeper check, paste the raw email headers into the advanced section. The tool parses SPF, DKIM, and DMARC results and shows which checks passed or failed with plain-language explanations.

What to Do If You Suspect Phishing

Don't click any links. Don't download attachments. If the email claims to be from a company you use, go to that company's website directly by typing the URL yourself — never through the link in the email. Report phishing to your email provider and to the relevant national authority: IC3.gov (USA), NCSC (UK), cybercrime.gov.in (India).

Key Takeaways

  • $3.5 billion lost to phishing in 2023 per FBI IC3 — the majority start with a spoofed sender
  • Display name and sending domain are completely separate fields in the email protocol — no verification required to set a fake name
  • spf=fail or dkim=fail in the raw headers is a strong technical indicator of a spoofed email; a DMARC fail for the From domain is the strongest, since SPF alone can also fail on legitimately forwarded mail
  • 30+ known brand domains covered in lookalike detection — including banks, couriers, payment providers, and cloud platforms
  • For developers: always validate Reply-To and Return-Path domains server-side in any email-driven auth or notification flow — do not trust display names
  • What to watch: Gmail and Yahoo now require bulk senders to publish a DMARC policy (p=none at minimum) and to align the From domain with SPF or DKIM; phishing domains typically publish no DMARC policy at all, which makes header analysis more effective

Frequently Asked Questions

How do I check if an email is real or fake?

Check the actual sender domain (not just the display name), look for lookalike domains such as paypa1.com instead of paypal.com, and check SPF and DKIM in the raw headers. You can paste the sender details into the free Email Spoof Checker at abhs.in/tools/email-spoof-checker — it checks 10 types of spoofing signals including live MX record verification, all in your browser.

What is email spoofing?

Email spoofing is when an attacker forges the From address or display name to make a message appear to come from a trusted source like a bank, courier, or software company. It works because the email display name and the actual sending domain are separate fields — anyone can write any display name without owning the matching domain.

What does SPF fail mean in email headers?

SPF fail means the server that delivered the email is not listed as an authorised sender in the DNS SPF record of the domain it claimed in the envelope sender (the smtp.mailfrom or Return-Path address). When you see spf=fail in raw email headers, the sending server had no permission to send on behalf of that domain. This is a strong indicator that the sender was forged, with one caveat: mail that was legitimately forwarded can also fail SPF, which is why DMARC accepts either an SPF pass or a DKIM pass.

How do phishing emails fake the sender name?

The display name in email is completely separate from the actual sending address. Any email client allows setting a display name like PayPal Support while sending from any domain. Attackers exploit this because most email apps show only the display name by default, hiding the actual sender address unless you click on it.

What is a lookalike domain in phishing?

A lookalike domain is a domain name visually similar to a legitimate one, registered by attackers to deceive recipients. Examples include paypa1.com (number 1 instead of letter L), amazon-secure.com, or microsofft.com. The difference from the real domain is usually just 1 or 2 characters, which is hard to spot in a quick glance.


Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.