Why Your Business Email Might Be Sending Spam — And What You Can Do About It
If your business uses its own domain name — like yourbusiness.com — you probably take pride in having a professional-looking email address. But what many small businesses don’t realise is that your domain could be abused by hackers to send spam, scams, or phishing emails, without ever breaching your email account.
This type of attack is called domain spoofing. It’s frighteningly common and painfully simple for attackers to do if your domain hasn’t been protected with the right email security measures. Thankfully, those protections — DMARC, SPF, and DKIM — are free and easy to set up.
How Attackers Exploit Unprotected Domains
Without these protections in place, a criminal can send emails that look like they’re coming from your business. They could send a fake invoice from accounts@yourbusiness.com requesting payment to a fraudulent bank account. They could send password reset links pretending to be from your support team. Or they might impersonate your business when contacting your suppliers, asking them to update bank details for the next payment.
In one real-world example, a small Australian non-profit had its domain impersonated in a scam. Attackers sent emails that appeared to come from its domain, asking supporters to purchase gift cards as a donation. The organisation hadn’t been hacked, but its brand was abused to steal from kind-hearted people.
The Hidden Cost to Your Business Reputation
Whether or not your email accounts are compromised, your brand takes the hit when attackers impersonate you. Customers who receive fake emails won’t know the difference. They may believe you’ve been hacked and lose trust in your brand.
For example, one local business saw a drop in bookings after their domain was used in phishing emails. Even after fixing the issue, they had to publicly reassure their customers and rebuild their reputation.
Once trust is broken, it’s hard to win back.
It’s Not Just About Scams — Your Legitimate Emails May Stop Working
Email providers like Google, Outlook, and Yahoo look for these protections before deciding whether to accept your emails. If your domain isn’t protected, your real emails — like customer support replies, order confirmations, or newsletters — could end up in spam folders. In some cases, they may be rejected altogether.
This means your customers might never see important updates, your sales proposals may be ignored, and your partners could miss out on key communications. These technical issues can quickly turn into lost revenue and frustrated customers.
Legal and Compliance Expectations
For some industries, email authentication is not just best practice — it’s required.
In Australia, the Australian Cyber Security Centre (ACSC) recommends DMARC as part of its Essential Eight guidelines. Sectors like finance, healthcare, and government may require you to implement these protections to meet regulatory obligations.
Even if you aren’t legally required to do so, securing your email domain is an essential step in protecting your business’s reputation.
Are There Any Reasons Not to Use DMARC?
In today’s business world, it’s rare to find a legitimate reason not to implement DMARC, SPF, and DKIM.
The only exceptions might be for domains that don’t send email at all. Even then, you should publish a DMARC record instructing email servers to reject any emails claiming to come from your domain.
Internal-only domains that never send emails outside your company might not need full protections, but this is uncommon for most businesses.
For nearly every other use case, setting up DMARC, SPF, and DKIM is essential.
What Really Happens Without These Protections?
If you skip SPF, attackers can send fake emails using your domain, and recipients will have no way of knowing they’re fake. Without DKIM, attackers could alter your legitimate emails during transit, swapping out safe links for malicious ones. Without DMARC, there’s no clear instruction for email providers on what to do with suspicious messages, meaning fake emails might go straight to your customers’ inboxes.
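As an added example (not part of the original article), here is a small Python check that parses published SPF and DMARC TXT records and reports the protection level the two passages above describe: a domain with nothing published, a monitoring-only setup, and a non-sending domain locked down with the reject policy recommended earlier. The domain names and record strings are constructed samples rather than live DNS lookups, and DKIM is not assessed because verifying a signature needs the message and the public key.

```python
"""Classify SPF and DMARC records by how receivers will treat spoofed mail."""
import re

# Constructed sample TXT records, as they would appear in DNS (not real domains).
SAMPLE_RECORDS = {
    # Nothing published: the "wide open" case.
    "open.example": {"spf": None, "dmarc": None},
    # Monitoring only: reports are collected but spoofed mail is still delivered.
    "monitoring.example": {"spf": "v=spf1 include:_spf.google.com ~all",
                           "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"},
    # A domain that never sends mail, locked down as the article recommends.
    "parked.example": {"spf": "v=spf1 -all",
                       "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"},
}

def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}; None if absent or not DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_default_result(record):
    """Classify the 'all' mechanism, which decides the fate of senders the SPF record does not list."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return "no-all"  # unlisted senders fall through to a neutral result
    return {"-": "fail", "~": "softfail", "+": "pass", "?": "neutral", "": "pass"}[match.group(1)]

def assess_domain(spf, dmarc):
    """Summarise how a receiving mail server will treat mail claiming to be from this domain."""
    policy = (parse_dmarc(dmarc) or {}).get("p", "missing").lower()
    return {
        "dmarc_policy": policy,
        "spf_default": spf_default_result(spf),
        # Only quarantine/reject tells receivers to act on failures; p=none is monitoring only.
        "dmarc_enforcing": policy in ("quarantine", "reject"),
    }

def assess_all(records=SAMPLE_RECORDS):
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}

if __name__ == "__main__":
    for domain, result in assess_all().items():
        print(domain, result)
```

A domain showing `dmarc_policy: none` or `spf_default: pass` is the situation the article warns about: anyone can send as that domain and receivers are told not to act on it.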
Even your legitimate emails can be affected. If your domain has no protections at all, spam filters may mark your real business emails as suspicious. Your invoices, booking confirmations, and support responses might quietly disappear into spam folders — without you even knowing it.
The Impact Goes Beyond Hackers
The problems of not protecting your email domain aren’t limited to cyber attacks. When your emails start going to spam, your marketing performance drops. Your newsletter open rates decline. Your customer service team wastes time responding to people confused about fake emails.
Even your internal team may struggle to communicate if their emails aren’t reliably delivered. Worse still, payment providers, partners, and other businesses may stop trusting your communications if your domain becomes known for spam.
Should Every Business Set This Up?
Yes — without question.
Setting up SPF, DKIM, and DMARC is one of the simplest, fastest, and most affordable security improvements you can make. If you use Google Workspace or Microsoft 365, they have step-by-step guides to help you configure these protections. Most web hosting providers and domain registrars also offer easy instructions, or your IT support can help you set it up in under an hour.
For small businesses and non-profits, this one-time setup can protect your brand, your customers, and your future business.
Want Help?
If you’re not sure whether your domain is protected, I’ll check it for you — no charge, no obligation. It only takes a few minutes to find out if your domain is wide open to abuse.
Securing your domain now means you won’t have to explain to your customers later why they received a scam email pretending to be you.
Reach out any time — I’m happy to help.