Phishing vs spoofing: what's the difference?

Spoofing is a technique — faking the identity attached to a message so it looks like it came from someone else. Phishing is a goal — tricking a person into handing over credentials, money, or access. They overlap constantly because attackers spoof a trusted sender to make phishing believable, but they are not the same thing: you can spoof without phishing, and you can phish without spoofing.
Quick Takeaways
- Spoofing forges an identity (a From address, a domain, an IP, a phone number); phishing manipulates a person into acting against their interest.
- Spoofing is one tool attackers use to make phishing convincing — it is a means, not the end.
- Not all spoofing is phishing: IP spoofing in a network attack fakes an identity without deceiving a human.
- Not all phishing uses spoofing: lookalike domains and compromised real accounts phish without forging anything.
- Email authentication — SPF, DKIM, and DMARC — stops attackers from spoofing a domain you own, which removes the most convincing phishing lure.
- No DNS record blocks phishing that arrives from a lookalike domain or a hacked mailbox; that gap needs filtering, MFA, and training.
What is spoofing?
Spoofing is the act of falsifying identifying information so a message or connection appears to originate from a source it did not. The point is to borrow trust: people and systems make decisions based on who they think they are dealing with, and spoofing attacks that assumption at the identity layer.
It comes in several forms. Email spoofing forges the From header or the envelope sender so a message looks like it came from a legitimate domain. Display-name spoofing keeps a real (attacker-controlled) address but sets the friendly name to something trusted, like "IT Support." Domain spoofing uses your exact domain in the header, while other techniques operate lower in the stack — IP spoofing falsifies the source address of network packets, and DNS spoofing poisons resolver caches to redirect traffic. What they share is a forged identity, not necessarily a human victim.
What is phishing?
Phishing is a social-engineering attack that tricks a person into revealing sensitive information, sending money, or granting access — usually by impersonating a trusted party and creating urgency. Where spoofing targets a trust signal, phishing targets a decision: click this link, enter your password, approve this invoice, install this update.
Phishing is delivered across channels. Email is the classic vector, but the same playbook runs over SMS (smishing), voice calls (vishing), and messaging apps. Variants scale the deception up or down: spear phishing targets a specific person with researched detail, while broad campaigns blast generic lures to thousands. The common thread is manipulation of a human, whatever the medium.
Spoofing vs phishing: how are they related?
They are related the way a lockpick relates to a burglary: spoofing is one of the tools, phishing is the crime. A phishing email is far more effective when the sender looks legitimate, so attackers spoof a trusted domain or display name to lower the target's guard. In that sense most high-quality email spoofing exists in service of phishing.
But the relationship is not one-to-one. Spoofing has uses that never touch a human — IP spoofing is common in denial-of-service floods, where the goal is to overwhelm infrastructure, not deceive a reader. And phishing does not require spoofing at all, which is the part defenders most often miss.
Can you have phishing without spoofing?
Yes, and it is increasingly common. An attacker who registers a lookalike domain — micros0ft-support.com or paypaI.com with a capital "I" — is not spoofing anything. The domain is genuinely theirs, it authenticates cleanly with its own SPF and DKIM, and a DMARC check on your domain never even applies to it. The deception lives entirely in the human misreading the name.
Compromised accounts are the other big example. When an attacker phishes a real employee and then sends from that person's genuine mailbox, every authentication check passes because the mail really is from that account. No identity is forged; a legitimate one has been hijacked. Both cases are pure phishing with zero spoofing, which is why authentication alone can never be the whole answer.
How do you defend against spoofing and phishing?
Defend against the two problems with two layers, because no single control covers both.
- Stop domain spoofing with authentication. Publish an SPF record listing who may send for your domain, sign outbound mail with DKIM, and enforce a DMARC policy at
p=reject. Together these stop attackers from putting your exact domain in the From header, which shuts down the most convincing spoofing. - Blunt phishing that gets through with human and technical controls. Require MFA so a stolen password is not enough, filter inbound mail for malicious links and attachments, and train staff to slow down on urgency and verify unusual requests out of band.
- Watch for lookalikes. Because DMARC only protects domains you own, monitor for cousin domains that impersonate your brand and report them for takedown.
- Verify your own posture first. Run your domain through Palisade's Email Security Score to confirm SPF, DKIM, and DMARC are actually enforcing rather than sitting in monitoring mode.
Common mistakes when telling them apart
Two errors trip teams up. The first is assuming DMARC "stops phishing." DMARC stops exact-domain spoofing — a specific and valuable slice — but it is blind to lookalike domains and compromised accounts, which remain phishing. Treating an enforced DMARC policy as a complete anti-phishing control leaves a real gap.
The second is treating every suspicious email as spoofing. If mail from a hijacked vendor mailbox passes authentication, chasing an SPF or DKIM misconfiguration wastes time — the fix is verifying the request through another channel, not adjusting DNS. Naming the problem correctly points you at the control that actually addresses it.
Frequently asked questions
Is spoofing illegal?
Spoofing itself sits in a legal grey area because it has legitimate uses (testing, privacy tooling), but spoofing done to defraud — the phishing case — is illegal in most jurisdictions. The intent behind it usually determines how the law treats it.
Does SPF, DKIM, or DMARC stop phishing?
They stop attackers from spoofing a domain you control, which removes a major phishing lure. They do not stop phishing from lookalike domains, free webmail accounts, or compromised legitimate mailboxes, because no identity is being forged in those cases.
What is the difference between spoofing and impersonation?
Impersonation is the broad goal of pretending to be someone trusted; spoofing is one technical method of achieving it by forging identity data. Display-name tricks and lookalike domains are impersonation without technical spoofing.
If an email passes authentication, is it safe?
Not necessarily. Passing SPF, DKIM, and DMARC proves the message really came from that domain — not that the domain is trustworthy or the account uncompromised. Authentication answers "who sent this," not "should you trust it."
Related reading

Written by
Samuel ChenardCEO & Co-Founder, Palisade
Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.
More from Samuel →


