Imagine sending a letter through the post office. You put your return address in the top-left corner — but here's the thing: nobody verifies that the address you claim is actually yours. You could write anything there, and the recipient would see that as the sender.
Email works the same way. When you send an email, the "From" name and address are whatever your email client was configured to display. You could set that to anything. Scammers know this and use it to impersonate people you trust.
They might send an email that appears to come from your boss, a coworker, or a vendor — complete with a copied email signature — asking you to transfer funds, share credentials, or take some other damaging action. One common scam sends an email from "you" to "you," claiming a hacker has collected compromising material and demanding cryptocurrency. These emails are safe to delete — no hacking has actually occurred.
SPF Records: A Partial Solution
There is a protocol called SPF (Sender Policy Framework) that helps mitigate spoofing. An SPF record tells receiving mail servers which servers are authorized to send email on behalf of your domain. If an email claims to be from your domain but comes from an unauthorized server, receiving systems can flag or reject it.
It's not foolproof — enforcement is up to the receiving server — but as more organizations enforce SPF (and DMARC, its companion protocol), spoofing becomes increasingly difficult.
If you host email with Hyperion Works and want to review your SPF configuration, or if you'd like help protecting your domain, contact us.