When a Donegal restaurant's customers started receiving emails claiming to be from the business and asking for payment details to confirm a reservation, the restaurant owner discovered the problem in the worst possible way: a long-standing customer called to ask why they were being asked for their credit card number over email. The restaurant had sent no such email. An attacker had spoofed the restaurant's email address — using the domain name without any legitimate access to the domain itself — and sent fraudulent messages to a list of contacts scraped from the restaurant's public website and social media. Three customers made payments before the fraud was identified. The restaurant's reputation in the local community took months to recover.
Email spoofing exploits a fundamental weakness in the original email protocol: by default, any server can send an email claiming to come from any address. Without technical countermeasures in place, there is nothing stopping an attacker from sending messages that appear to originate from your domain. Your customers see your business name and email address. The email comes from a criminal's server. Cloudflare helps fix this, alongside the three technical standards — SPF, DKIM, and DMARC — that together make email spoofing significantly harder to execute.
WHAT: The Two Threats to Your Domain and Email Reputation
Domain hijacking is when an attacker gains control of your domain name itself. This typically happens through your domain registrar account — if an attacker obtains your registrar credentials, either through phishing or credential stuffing, they can change your domain's nameservers, redirect your website to a malicious server, and cause your email to stop working. For a Donegal business that depends on its website for bookings and its email for client communication, domain hijacking is an operational emergency. Recovery can take days and causes significant reputational damage.
DNSSEC — DNS Security Extensions — protects against one form of domain attack called DNS cache poisoning, where attackers manipulate DNS records to redirect your visitors to malicious servers without actually controlling your domain registrar account. Cloudflare enables DNSSEC with a single click in its dashboard, adding cryptographic signatures to your DNS records that verify their authenticity. Any manipulated record that lacks the correct cryptographic signature is rejected by DNSSEC-aware resolvers.
Email spoofing — sending emails that appear to come from your domain — is the more common threat for small Irish businesses. Unlike domain hijacking, email spoofing does not require access to your systems. The attacker simply configures their own email server to use your domain name in the "From" field. Without SPF, DKIM, and DMARC records on your domain, email providers have no reliable way to distinguish your legitimate emails from a spoofer's messages.
WHAT NOW: SPF, DKIM, and DMARC Explained
SPF — Sender Policy Framework — is a DNS record that lists the mail servers authorised to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving mail server checks your SPF record to see whether the sending server is on your approved list. If it is not, the email fails the SPF check. SPF alone does not stop spoofed emails from reaching inboxes — it depends on how receiving servers handle failures — but it is the foundation on which DMARC builds.
DKIM — DomainKeys Identified Mail — adds a cryptographic signature to emails sent from your domain. Your email provider generates a private key that signs outgoing messages. A corresponding public key published in your DNS records allows receiving servers to verify that the email genuinely came from your authorised provider and has not been tampered with in transit. NCSC Ireland recommends DKIM as a baseline email authentication standard for all organisations.[^1]
DMARC — Domain-based Message Authentication, Reporting and Conformance — combines SPF and DKIM and adds a policy that tells receiving mail servers what to do with messages that fail authentication. A DMARC policy set to "reject" tells mail servers to discard emails that fail both SPF and DKIM checks — the emails simply do not reach the recipient. A policy set to "quarantine" puts suspect messages in spam. Crucially, DMARC also sends you reports showing what email is being sent in your name, so you can identify spoofing attempts before your customers are affected. The Data Protection Commission has noted that email authentication failures that allow customer data to be phished via spoofed domains constitute a data protection concern under GDPR.[^3]
Cloudflare manages all of these records through its DNS dashboard. Setting up SPF, DKIM, and DMARC requires adding specific DNS text records — Cloudflare's interface makes this straightforward, with guidance for the major email providers including Microsoft 365, Google Workspace, and others. DNSSEC activation in Cloudflare is a single toggle.
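The SPF, DKIM and DMARC checks described above combine into a single verdict at the receiving server. The sketch below is an added example, not code from this article or from any mail provider: the domains and messages are constructed placeholders, and the organisational domain is approximated as the last two DNS labels (real receivers use the Public Suffix List).

```python
# Added example: how a receiver combines SPF, DKIM and the DMARC policy.
# Assumption: organisational domain = last two DNS labels (real receivers
# use the Public Suffix List). All domains and messages are constructed.
from dataclasses import dataclass

@dataclass
class Message:
    from_domain: str       # domain shown in the From: header
    mail_from_domain: str  # envelope sender domain, the one SPF checks
    spf_pass: bool
    dkim_domain: str       # d= domain of the DKIM signature, "" if unsigned
    dkim_pass: bool

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(msg, dmarc_txt):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(dmarc_txt or "")
    if tags.get("v") != "DMARC1":
        return "deliver"  # simplification: no policy published, nothing says block
    spf_ok = msg.spf_pass and aligned(msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # one aligned pass is enough
    policy = tags.get("p", "none").lower()
    return policy if policy in ("quarantine", "reject") else "deliver"

# Constructed messages: both show restaurant.example in the From: header.
GENUINE = Message("restaurant.example", "bounce.mailprovider.example", True, "restaurant.example", True)
SPOOFED = Message("restaurant.example", "unrelated-sender.example", True, "", False)

for record in (None, "v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
    print(record, "->", dmarc_verdict(GENUINE, record), "/", dmarc_verdict(SPOOFED, record))
```

The genuine message is delivered on its aligned DKIM signature even though its SPF pass belongs to the provider's bounce domain, which is why both SPF and DKIM should be in place before a "reject" policy is enforced.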
WHY IT MATTERS: Irish Businesses Are Being Spoofed Regularly
An Garda Síochána's National Cyber Crime Bureau regularly investigates frauds in which criminals impersonate legitimate Irish businesses to extract money from their customers.[^2] The mechanism is almost always the same: a spoofed email from the target business's domain, a convincing request for payment or credentials, and customers who trust the sender because the email address looks genuine. The businesses whose domains are being spoofed are often the last to know, because the fraudulent emails are not sent through their systems and leave no trace in their outgoing mail logs.
Configuring SPF, DKIM, and DMARC does not require technical expertise beyond what a competent IT provider can handle in an afternoon. For businesses using Microsoft 365 or Google Workspace, the providers publish specific instructions for each record. Cloudflare's DNS dashboard simplifies the implementation. The time investment is small. The protection is significant: a well-configured DMARC policy set to "reject" makes it materially harder for criminals to spoof your domain in a way that reaches your customers' inboxes.
If you do not have DMARC configured on your domain, criminals can send email that appears to come from your business to anyone in the world. Your customers cannot tell the difference.
WHAT NEXT: Three Actions This Week
Check your domain's current email authentication status. Use MXToolbox or a similar free tool to check whether your domain has SPF, DKIM, and DMARC records configured. Enter your domain name and run the checks. If any are missing, you have identified a gap that needs to be closed.
If you are on Cloudflare, enable DNSSEC in your DNS dashboard. It is a single toggle and takes effect within minutes. If you are not yet on Cloudflare, this is a good moment to move your domain's DNS management to Cloudflare — it is free, it provides DNSSEC, and it gives you a single dashboard for managing all your domain security records.
Ask your email provider or IT support contact to implement SPF and DKIM for your domain. Once those are in place, add a DMARC record starting with a "none" policy so you can review reports of who is sending email in your name before moving to enforcement mode. The transition from monitoring to enforcement should take four to eight weeks once you have verified that all legitimate email sources are covered by your SPF and DKIM records.
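The record check from the first action can also be run offline against the TXT strings copied from a DNS dashboard. This is an added example, not the article's or Cloudflare's own tooling; example.ie and mailprovider.example are placeholders and every record is constructed. DKIM is not covered because its key sits at a provider-specific selector under `_domainkey`.

```python
# Added example: offline audit of SPF and DMARC TXT records.
# example.ie and mailprovider.example are placeholders; all records are constructed.
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr")  # each costs one DNS lookup

def audit_spf(root_txt):
    """Check the TXT records published at the domain itself."""
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: more than one record, which receivers treat as an error"]
    terms = spf[0].lower().split()[1:]
    findings = []
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("/")[0] in LOOKUP_TERMS
                  or t.startswith("redirect=") for t in terms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups, over the limit of 10")
    if "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' authorises every server to send as you")
    elif not any(t in ("-all", "~all", "?all") or t.startswith("redirect=") for t in terms):
        findings.append("SPF: no closing 'all' term for unlisted senders")
    return findings

def audit_dmarc(dmarc_txt):
    """Check the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return ["DMARC: no record published"]
    pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

def audit(root_txt, dmarc_txt):
    return audit_spf(root_txt) + audit_dmarc(dmarc_txt)

WEAK = audit(["v=spf1 include:_spf.mailprovider.example +all"], ["v=DMARC1; p=none"])
GOOD = audit(["v=spf1 include:_spf.mailprovider.example -all"],
             ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.ie"])
for finding in WEAK:
    print(finding)
```

A "p=none" finding is expected during the monitoring weeks; the missing `rua=` finding is the one to fix first, since without it no reports arrive to review.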
[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.