
As a business person, you know about phishing, of course. At first glance, the email looks like it comes from a recognized company, complete with a familiar logo, slogan, and URL. But it’s really from a cyber crook trying to con consumers out of account numbers, passwords, or cash. In addition to the serious injury these scams inflict on consumers, there’s another victim of phishing: the reputable business whose good name was stolen by the scammer.

Fraudsters don’t just masquerade as global financial institutions or industry giants. They impersonate small businesses, too. But there is good news on the fraud-fighting front. There are steps you can take to make it harder for scammers to send phishing emails that look like they’re coming from your company. Tech types use the phrase “email authentication” to refer to tools that work behind the scenes to help a receiving server verify that a message that says it’s from you really is from you. Those tools also will block messages or send them to a quarantine folder if they bear the telltale signs of a phishing attempt.

When we sat down with small businesses to see how we can help your cybersecurity efforts, you asked for more information about email authentication. The FTC’s Cybersecurity for Small Business campaign features new resources designed to fill that need.


Some web host providers let you set up your company’s business email using your domain name. In other words, if your domain name is, your email will be name[at] Without email authentication, scammers can use your domain name to send emails that look like they’re from your business. To foil their efforts, make sure your email provider uses these three email authentication tools.

  • SPF (Sender Policy Framework).  SPF lets you choose specific IP addresses that are authorized to send emails using your domain. When a receiving server gets an email from name[at], it will check to see if the sending server is on that approved list. If it is, the receiving server lets the message through. If it isn’t, the email can be flagged as suspicious.
  • DKIM (DomainKeys Identified Mail).  DKIM puts a digital signature on your outgoing mail. Receiving servers can use it to verify that a message from your domain was actually sent from your company’s server and wasn’t altered along the way.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance).  DMARC is the essential third tool for email authentication. SPF and DKIM verify the address the server uses behind the scenes. DMARC verifies that it matches the “from” address the recipient will see. DMARC plays another key role. It lets you tell servers what to do if they get an email that looks like it came from your domain, but based on SPF and DKIM, they have reason to be suspicious. You can have other servers reject the email, flag it as spam, or take no action. You also can set up DMARC to notify you when this happens.

It can take some know-how to get SPF, DKIM, and DMARC up and running so they work as intended and don’t block legitimate emails. If you’re not sure you have the expertise, have your email hosting provider set them up. If they balk – or if they don’t include those fundamental protection tools in their service agreement – consider taking your business elsewhere.
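To make the three tools concrete, here is an added example of how a receiving server walks through them; it is not code from the FTC or from any mail provider. It embeds constructed DNS TXT records for the reserved documentation domain example.com and a made-up attacker.test domain, handles only the ip4/ip6 parts of SPF (the a, mx and include mechanisms need live DNS lookups), approximates the “organizational domain” as the last two labels, and takes the DKIM signature result as an input rather than verifying the cryptography. The third scenario shows the point made above: a scammer can pass SPF for their own domain, and it is DMARC’s alignment check against the visible “from” address that catches the mismatch and applies your published policy.

```python
import ipaddress

# Constructed sample DNS TXT records for hypothetical domains. example.com is a
# reserved documentation domain; attacker.test is a made-up domain for the demo.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": (
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
    ),
    # A scammer can publish a perfectly valid SPF record for their own domain.
    "attacker.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], default_qualifier) from an SPF record.
    Only ip4/ip6 mechanisms and the trailing 'all' are handled here; a, mx and
    include need live DNS lookups, which this offline demo leaves out."""
    nets, default = [], "?"  # with no 'all' term SPF defaults to neutral
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            default = qual
        elif term.lower().startswith(("ip4:", "ip6:")):
            nets.append((qual, ipaddress.ip_network(term.split(":", 1)[1], strict=False)))
    return nets, default


def spf_check(sender_ip, mail_from_domain):
    """SPF result for a connection from sender_ip claiming MAIL FROM @mail_from_domain."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    nets, default = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qual, net in nets:
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qual]
    return QUALIFIER_RESULT[default]


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Simplification: the last two
    labels; real receivers consult the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_message(from_domain, sender_ip, mail_from_domain, dkim_result, dkim_domain):
    """Run SPF, then apply the From-domain's DMARC policy.

    dkim_result/dkim_domain are inputs: verifying the DKIM signature itself needs the
    public key from DNS and the signed headers, which this demo does not model."""
    spf_result = spf_check(sender_ip, mail_from_domain)
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        # No DMARC policy published: the receiver has no instruction from the domain owner.
        return {"spf": spf_result, "dmarc": "none", "action": "deliver"}
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return {"spf": spf_result, "dmarc": "pass", "action": "deliver"}
    action = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[tags.get("p", "none")]
    return {"spf": spf_result, "dmarc": "fail", "action": action, "report_to": tags.get("rua")}


if __name__ == "__main__":
    # Legitimate mail from the company's own server, DKIM-signed with d=example.com.
    print(evaluate_message("example.com", "203.0.113.10", "example.com", "pass", "example.com"))
    # Spoofed "from" address sent from an unlisted server with no valid signature.
    print(evaluate_message("example.com", "198.51.100.7", "example.com", "none", ""))
    # Spoof that passes SPF for the scammer's own domain: DMARC alignment catches it.
    print(evaluate_message("example.com", "198.51.100.7", "attacker.test", "none", ""))
```

The rua= tag in the constructed DMARC record is what produces the notices mentioned above: receivers that fail a message under your policy send aggregate reports to that address, which is how you learn someone is spoofing your domain.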


If your email authentication tools are operating on all cylinders, you’ll get a notice if someone spoofs your email. Here’s how to respond:

Report the scam.  Contact local law enforcement, the FBI’s Internet Crime Complaint Center at, and the FTC at Forward phishing emails to, an address used by the FTC, and to, an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies.

Notify your customers.  Contact them ASAP by mail, email, or social media. (If you email them, don’t include hyperlinks. You wouldn’t want your notification message to look like another phishing attempt.) Remind customers not to share personal information through email or text. If their data was stolen, direct them to

Alert your staff.  Use the experience to update your security practices and train your staff about cyber threats. Distribute the FTC’s fact sheet on email authentication. Show this video at your next staff meeting for tips on how to respond if your email is spoofed. And here’s another video that takes a deeper dive into the technology behind email authentication.

