I got an email the other day warning me that a message I sent could not be delivered. The problem was, I never sent it. Then I got another one. And another. All bounce-backs for emails I never wrote, sent to addresses I have never heard of.
My first instinct was to assume someone had hacked my Microsoft 365 account. That is the scary scenario. But before you panic, and before you call your IT person and start changing everything, you need to understand what is actually happening. In most cases, the answer is not a hack. It is something called email spoofing.
What Is Email Spoofing?
Email spoofing is when someone sends an email that looks like it came from your address, but it did not. They did not break into your account. They did not guess your password. They simply put your email address in the “from” field of a message sent from their own server. It is the digital equivalent of someone writing your return address on an envelope they mailed from across the country.
This is possible because the basic email protocol, SMTP, was designed decades ago without built-in authentication. It trusts whatever the sender says. If someone tells a mail server that the message is from you, the server believes it. That is not a bug in your system. It is a flaw in the way email was built.
Spoofing is annoying. It can damage your reputation if recipients think you are sending spam. But it does not mean someone is in your account reading your email. So, take a deep breath. Your emails are still as safe as they ever were. (Which I am sorry to say, is not very.)
How to Tell the Difference Between Spoofing and a Hack
If you are getting bounce-back messages for emails you did not send, the first thing to do is check whether someone actually got into your account. Here is what to look at:
Note: I will provide instructions for Microsoft 365 because that is what I use. If you are using another platform, you will be looking for similar items.
Check your sign-in history. In Microsoft 365, go to mysignins.microsoft.com. Look for logins from unfamiliar locations, devices, or times when you were not online. A login from a city you have never been to on a device you do not own is a red flag. Look at the unsuccessful attempts too: a run of failures followed by a success from the same address is what a guessed password looks like. A login from a Microsoft data center while you were poking around in your admin settings is probably you.
Check your Sent and Deleted Items folders. If someone got in and sent messages, there may be traces. Look through both folders for anything you did not write.
Check your mail rules. This is a big one. Attackers often create inbox rules that forward your incoming email to an outside address, or rules that move or delete messages (typically the replies to mail they sent from your account) so you never see them. Inbox rules live in Outlook: open Settings, then Mail, then Rules, and look at every rule, including disabled ones. If you are an admin, also open the Exchange admin center, go to Mail flow and then Rules, and review the organization-wide transport rules, which can forward or delete mail for every mailbox in the tenant. Delete anything you did not create.
Check email forwarding. In the Exchange admin center, go to Recipients, then Mailboxes, and click on your mailbox. Look for the email forwarding setting and make sure forwarding is turned off, or at least not pointed to an address you do not recognize. Forwarding can also be set from the user side, in Outlook under Settings, then Mail, then Forwarding, so check there too.
Check mailbox delegation. In the same mailbox settings, look for delegation or mailbox permissions. There are three types: Full Access, Send As, and Send on Behalf. All three should show zero unless you have intentionally granted someone access.
If all of that checks out, your account is almost certainly fine. What you are dealing with is spoofing, not a breach.
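The checks above, scripted for one mailbox. This is an added example and not part of the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the account running it is an Exchange and Entra admin, and that the tenant has an Entra ID P1 or P2 license (pulling sign-in logs through Graph needs one; the mysignins.microsoft.com page does not). The mailbox address and the $HomeCountries list are placeholders to replace.

```powershell
# Added example (not from the original post): runs the compromise checks for one mailbox.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the
# account running it is an Exchange/Entra admin, and the tenant has an Entra ID P1 or
# P2 license (Graph sign-in logs need it). $Mailbox and $HomeCountries are placeholders.
$Mailbox       = 'you@yourdomain.com'
$HomeCountries = @('US')        # constructed: countries you normally sign in from

# 1. Sign-in history: successful sign-ins, flagged when outside your usual countries.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Mailbox'" -Top 200 |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    ForEach-Object {
        [pscustomobject]@{
            When    = $_.CreatedDateTime
            IP      = $_.IpAddress
            Where   = '{0}, {1}' -f $_.Location.City, $_.Location.CountryOrRegion
            App     = $_.AppDisplayName
            OS      = $_.DeviceDetail.OperatingSystem
            Foreign = $_.Location.CountryOrRegion -notin $HomeCountries
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize

# 2. Inbox rules: anything that ships mail out, deletes it, or buries it is a red flag.
Connect-ExchangeOnline -ShowBanner:$false
Get-InboxRule -Mailbox $Mailbox | ForEach-Object {
    $targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) | Where-Object { $_ }
    [pscustomobject]@{
        Rule       = $_.Name
        Enabled    = $_.Enabled
        SendsTo    = $targets -join ';'
        Deletes    = $_.DeleteMessage
        MovesTo    = $_.MoveToFolder
        Suspicious = [bool]($targets -or $_.DeleteMessage -or
                            ($_.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation'))
    }
} | Format-Table -AutoSize

# 3. Mailbox-level forwarding (set by an admin or from Outlook settings) and Send on Behalf.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo

# 4. Delegation: explicit Full Access and Send As grants (SELF and inherited entries are normal).
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize                 # Full Access
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { "$($_.Trustee)" -ne 'NT AUTHORITY\SELF' } |
    Format-Table Trustee, AccessRights -AutoSize              # Send As

# 5. Organization-wide transport rules (Exchange admin center: Mail flow > Rules).
Get-TransportRule |
    Format-Table Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, DeleteMessage -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Read the output the same way you would read the admin pages: every rule with Suspicious set to True, every forwarding address, every trustee other than yourself, and every transport rule you did not create needs an explanation or deletion.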
What to Do Right Now (Either Way)
Whether you think it is spoofing or a hack, there are a few things you should do immediately.
Change your password. Make it long, make it new, and do not reuse it from anywhere else. You can change it at myaccount.microsoft.com.
Turn on multi-factor authentication. If you have not already done this, do it now. MFA means that even if someone gets your password, they still cannot get into your account without a second form of verification. This is the single most important thing you can do to protect your account. While you are at it, open the Security info page at mysignins.microsoft.com and look at the registered phone numbers and authenticator apps. An attacker who got in often adds one of their own, and it keeps working after you change your password, so remove anything you do not recognize.
Revoke active sessions. You can sign out of all devices from myaccount.microsoft.com. This kicks out anyone who might currently be logged in.
The Real Fix: SPF, DKIM, and DMARC
If your account is secure and you are dealing with spoofing, the fix is not in your mailbox. It is in your domain’s DNS records. There are three records that work together to tell the rest of the internet which servers are authorized to send email on behalf of your domain. Without them, anyone can claim to be you and most mail servers will just accept it.
SPF (Sender Policy Framework)
SPF is a TXT record in your DNS that lists the servers authorized to send email for your domain. When a receiving mail server gets a message claiming to be from you, it checks the server that delivered it against your SPF record. If that server is not on the list, the message fails the check. One subtlety worth knowing: SPF looks at the bounce address in the SMTP envelope (the Return-Path), not the From line a reader sees. The two are usually the same for your normal mail, but a spoofer can put their own domain in the envelope and yours in the From line and pass SPF. That gap is what DMARC, below, closes.
For Microsoft 365, the SPF record should be:
v=spf1 include:spf.protection.outlook.com -all
Make sure you only use the above if you are using Microsoft 365 and nothing else sends mail as your domain, and copy it exactly. A domain may have only one SPF record; if one already exists, edit it rather than adding a second, because two SPF records make the check fail for everyone. The “-all” at the end is important. It tells receiving servers to reject anything that does not match. Some configurations use “~all” (with a tilde), a softfail, which only marks non-matching mail as suspicious rather than rejecting it. Use the hard fail (“-all”) if you can.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. The receiving server checks that signature against a public key published in your DNS. If the signature matches, the server knows the email actually came from your server and was not altered in transit. Think of SPF as saying “only these servers can send for me” and DKIM as saying “and here is proof this specific email is legitimate.”
To set up DKIM in Microsoft 365, go to the Microsoft Defender portal at security.microsoft.com (you can also get there from Admin centers in the Microsoft 365 admin center). Navigate to Email & collaboration, then Policies & rules, then Threat policies, then DKIM. Click on your domain. Microsoft will show you two CNAME records you need to add to your DNS. They will look something like this:
selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Add both CNAME records to your DNS. The names on the left are relative to your domain, so the full host is selector1._domainkey.yourdomain.com; most DNS editors want just selector1._domainkey in the host field. Then go back to the DKIM page and enable signing for your domain. Microsoft will refuse to turn signing on until it can see both CNAMEs. Sometimes it takes a few minutes for the DNS changes to propagate, but it often works right away.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails those checks, meaning neither SPF nor DKIM passed with a domain that matches the From address the reader sees. It is another TXT record, published at the host name _dmarc under your domain (_dmarc.yourdomain.com). A good starting point is:
v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com
The “p=quarantine” tells receiving servers to send failed messages to spam rather than the inbox. If you are not yet sure you have listed every service that sends as your domain, start with “p=none” instead, which only reports, read the reports for a week or two, and then move to quarantine. You can set it to “p=reject” once you are confident everything is configured correctly, which tells servers to refuse the message entirely. The “rua” address receives aggregate reports: each major provider sends a daily XML summary of every message it saw claiming to be from your domain, passing and failing, and where it came from, which lets you see who is trying to spoof you. They are not pleasant to read by hand, so point rua at a dedicated mailbox or a DMARC reporting service rather than your inbox. Keep the address on your own domain; sending reports to an address on a different domain only works if that domain publishes an extra DNS record authorizing it.
Where to Add These Records
Where you add these records depends on where your DNS is managed. If you are on Microsoft 365 and your domain’s nameservers point to Microsoft, you will add them through the Microsoft 365 admin center. Go to Settings, then Domains, click on your domain, and you will see your DNS records. Click “Add record” to add new TXT and CNAME records.
If your DNS is managed by your web host (like Bluehost, GoDaddy, or Namecheap), you will add the records there instead, in the DNS zone editor or advanced DNS settings for your domain.
Not sure where your DNS lives? Look up your domain at lookup.icann.org. It will show you the registrar and nameservers, which should point you in the right direction.
If You Use a Third-Party Email Tool
Here is something that catches people. If you use a service like MailerLite, Mailchimp, Constant Contact, or any other tool that sends email on your behalf, perhaps from your website, you need to add that service to your SPF record. Otherwise, the protections you just set up will flag your own legitimate email as suspicious, and once DMARC is at quarantine or reject, your newsletter will land in spam or be refused.
For example, if you use Microsoft 365 for your regular email and MailerLite for your newsletter, your SPF record should include both:
v=spf1 include:spf.protection.outlook.com include:mlsend.com -all
Each email service will have its own include value. Check the service’s documentation for the correct one, since these change. Common examples include mlsend.com for MailerLite, servers.mcsv.net for Mailchimp, and spf.protection.outlook.com for Microsoft 365. One limit to know about: SPF allows at most ten DNS lookups per check, and every include counts, as do the includes nested inside it. Go past ten and receivers return an error instead of a pass, so your own mail fails the check. Three or four services is usually fine; if you find yourself with many, prune the ones you no longer use.
Most of these services will also have their own DKIM setup process, usually under domain authentication or email authentication in your account settings, where they give you CNAME or TXT records to publish. Do not skip it. Many bulk-mail services send with their own bounce address rather than yours, so SPF passes for their domain, not yours, and for DMARC purposes only a DKIM signature carrying your domain makes the mail count as yours. Without it, your newsletters may end up in spam or not be delivered at all.
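A small toolkit for the SPF, DKIM, and DMARC sections above, including the third-party sender case. This is an added example and not part of the original post. It parses and sanity-checks SPF and DMARC records (the “-all” versus “~all” question, the ten-lookup limit, a missing p= or rua= tag), shows in code why a spoofer who passes SPF with their own envelope domain still fails DMARC while a newsletter service that DKIM-signs with your domain passes, and can pull a domain’s live records with Resolve-DnsName when you have network access. The sample records are constructed from the ones in this post; yourdomain.com, attacker.example, and bounce.newsletter.example are made-up names, and the alignment helper approximates the organizational-domain rule (which really uses the public suffix list) by treating a subdomain as aligned.

```powershell
# Added example (not from the original post): parses and sanity-checks SPF and DMARC
# records, shows why SPF alone does not protect the From: line a reader sees, and can
# pull a domain's live records with Resolve-DnsName (needs network). The sample records
# are constructed from the ones in this post; attacker.example etc. are made-up domains.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    $warnings = @(); $includes = @(); $lookups = 0; $all = $null
    if ($terms[0] -ne 'v=spf1') { $warnings += 'record does not start with v=spf1' }
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'; $body = $term                    # no qualifier means + (pass)
        if ($term -match '^([+\-~?])(.+)$') { $qualifier = $Matches[1]; $body = $Matches[2] }
        switch -Regex ($body) {
            '^include:(.+)$'          { $includes += $Matches[1]; $lookups++ }
            '^redirect=(.+)$'         { $includes += $Matches[1]; $lookups++ }
            '^(a|mx|ptr|exists)(:|$)' { $lookups++ }       # these cost a DNS lookup too
            '^all$'                   { $all = $qualifier }
        }
    }
    # Counts only this record's own terms; the real limit of 10 also counts lookups made
    # inside each include, so a record that passes here can still exceed it.
    if ($null -eq $all)   { $warnings += 'no "all" term: unlisted senders get a neutral result' }
    elseif ($all -eq '~') { $warnings += '"~all" (softfail) only marks spoofed mail as suspicious; prefer "-all"' }
    elseif ($all -ne '-') { $warnings += ('"{0}all" lets every sender pass; use "-all"' -f $all) }
    if ($lookups -gt 10)  { $warnings += "$lookups DNS lookups exceeds the SPF limit of 10 (permerror)" }
    [pscustomobject]@{ Record = $Record; All = $all; Includes = $includes; Lookups = $lookups; Warnings = $warnings }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1]] = $Matches[2].Trim() }
    }
    $warnings = @(); $p = $tags['p']
    if ($tags['v'] -ne 'DMARC1') { $warnings += 'missing or wrong v=DMARC1 tag' }
    if (-not $p)                 { $warnings += 'no p= tag: receivers ignore the record' }
    elseif ($p -eq 'none')       { $warnings += 'p=none only monitors; move to quarantine or reject once reports look clean' }
    elseif ($p -notin @('quarantine', 'reject')) { $warnings += "unknown policy '$p'" }
    if (-not $tags['rua'])       { $warnings += 'no rua= tag: you will never see who is spoofing you' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $warnings += "pct=$($tags['pct']): policy applies to only part of the mail" }
    [pscustomobject]@{ Policy = $p; Reports = $tags['rua']; Tags = $tags; Warnings = $warnings }
}

function Test-DmarcAlignment {
    # DMARC passes only if SPF or DKIM passed AND that check's domain aligns with the From:
    # domain the reader sees. Relaxed alignment (the default) also accepts a subdomain;
    # the exact organizational-domain rule uses the public suffix list, approximated here.
    param(
        [Parameter(Mandatory)][string]$FromDomain,   # domain of the visible From: header
        [string]$EnvelopeDomain,                     # Return-Path domain that SPF was checked on
        [bool]$SpfPass,
        [string]$DkimDomain,                         # d= of a DKIM signature that verified
        [bool]$DkimPass
    )
    $aligned = { param($a, $b); $a -and ($a -ieq $b -or $a.EndsWith(".$b", 'OrdinalIgnoreCase') -or $b.EndsWith(".$a", 'OrdinalIgnoreCase')) }
    $spfOk  = $SpfPass  -and (& $aligned $EnvelopeDomain $FromDomain)
    $dkimOk = $DkimPass -and (& $aligned $DkimDomain $FromDomain)
    [pscustomobject]@{ DmarcPass = [bool]($spfOk -or $dkimOk); SpfAligned = [bool]$spfOk; DkimAligned = [bool]$dkimOk }
}

function Get-DomainAuthRecords {
    # Live lookup of the three records (needs network); DKIM uses the two M365 selectors.
    param([Parameter(Mandatory)][string]$Domain)
    $txt = {
        param($Name)
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings }
    }
    $dkim = foreach ($s in 'selector1', 'selector2') {
        $c = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
        [pscustomobject]@{ Selector = $s; Target = $c.NameHost }
    }
    [pscustomobject]@{
        Domain = $Domain
        Spf    = @(& $txt $Domain) -like 'v=spf1*'          # more than one SPF record is itself an error
        Dmarc  = @(& $txt "_dmarc.$Domain") -like 'v=DMARC1*'
        Dkim   = $dkim
    }
}

# Constructed samples: the two SPF records recommended in this post plus a softfail one.
$spfSamples = [ordered]@{
    'M365 only'        = 'v=spf1 include:spf.protection.outlook.com -all'
    'M365 + newsletter'= 'v=spf1 include:spf.protection.outlook.com include:mlsend.com -all'
    'softfail'         = 'v=spf1 include:spf.protection.outlook.com ~all'
}
foreach ($name in $spfSamples.Keys) {
    $r = Test-SpfRecord $spfSamples[$name]
    '{0,-18} lookups={1} all={2} {3}' -f $name, $r.Lookups, $r.All, ($r.Warnings -join '; ')
}
Test-DmarcRecord 'v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com' | Format-List Policy, Reports, Warnings
Test-DmarcRecord 'v=DMARC1; p=none' | Format-List Policy, Reports, Warnings

# Spoofer with their own envelope domain: SPF passes for attacker.example, DMARC still fails.
Test-DmarcAlignment -FromDomain 'yourdomain.com' -EnvelopeDomain 'attacker.example' -SpfPass $true
# Newsletter service with its own bounce domain but DKIM-signed with d=yourdomain.com: DMARC passes.
Test-DmarcAlignment -FromDomain 'yourdomain.com' -EnvelopeDomain 'bounce.newsletter.example' -SpfPass $true -DkimDomain 'yourdomain.com' -DkimPass $true
# Live check against your own domain (needs network):
# Get-DomainAuthRecords -Domain 'yourdomain.com' | Format-List
```

The two Test-DmarcAlignment calls are the point of the section: the first is the spoofing case the post opened with, which SPF alone waves through, and the second is the third-party newsletter case, which only passes because the service signs with your domain. Run Get-DomainAuthRecords against your own domain after publishing the records and feed the strings it returns into the two Test- functions to confirm what the rest of the internet will see.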
What These Records Will Not Do
I want to be honest about this. SPF, DKIM, and DMARC do not stop someone from sending spoofed email. Anyone can still put your address in the “from” field. What these records do is let the receiving mail server tell that the message is not legitimate. SPF on its own only checks the hidden bounce address, not the From line the reader sees, which is why DMARC, with its requirement that a passing check match the visible From domain, is the record that actually closes the door. A well-configured receiving server will then quarantine or reject the message. These records also do nothing about the two tricks that never touch your domain: a message showing your name next to a stranger’s address in the From line, or a look-alike domain one letter off from yours. Only attention and training catch those.
The key word there is “well-configured.” Not every mail server checks these records. Not every server enforces them. But the major providers, including Gmail, Outlook/Microsoft, Yahoo, and most corporate systems, do, and since 2024 Google and Yahoo have required anyone sending them bulk mail to have SPF, DKIM, and a DMARC record in place. So, while you cannot eliminate spoofing entirely, you can dramatically reduce the damage it causes.
Why Lawyers Should Care
If you are a lawyer running your own domain for email, this is not optional. Your email address is your professional identity. If someone is spoofing it and sending spam or phishing messages to your clients, opposing counsel, or the court, that is a reputational problem. If those messages contain malicious links and someone clicks one, you could find yourself explaining why your domain was used in a phishing attack.
Beyond reputation, there is an ethical dimension. Lawyers have a duty of competence that includes understanding the technology they use. Rule 1.1 and the comments to it make clear that lawyers must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. Configuring basic email authentication for your domain falls squarely within that obligation.
This is not difficult. It is not expensive. And now you know how to do it. But if you are concerned about changing these records yourself, ask your web host or IT person for assistance.