
How to Check If an Email Domain Is Legitimate (7 Ways to Spot a Fake)


To check if an email domain is legitimate, compare the sender’s full email address against the company’s official website, look for subtle misspellings or extra characters, and run a free WHOIS lookup on the domain. These three steps catch the vast majority of fake email domains before they cause damage.

That said, scammers are getting smarter. A fake domain that once looked obviously wrong now looks nearly identical to the real thing. The difference between support@pattersondental.com and support@pattersondentalinc.com is easy to miss when you’re busy and your inbox has 200 messages.

We see this constantly with the small businesses and dental offices we support across Chattanooga. One wrong click on a convincing fake email can hand a criminal your login credentials, your banking information, or access to your entire network.

This guide breaks down exactly how to check if an email domain is legitimate, what tricks scammers use, and what to do if you’re already worried you clicked something you shouldn’t have.


Key Takeaways
– Always read the full email address, not just the display name — scammers use real company names in the display field while hiding a fake domain behind it.
– A free WHOIS lookup at who.is reveals when a domain was registered; domains created within the last 30-90 days are a major red flag.
– Common spoofing tricks include adding words like “inc,” “support,” or “help” to real brand names, or swapping letters (rn for m, 0 for o).
– If you clicked a suspicious link, change your passwords immediately and contact your IT provider — the first 30 minutes matter.
– SPF, DKIM, and DMARC email authentication records stop most spoofed emails from reaching your inbox when properly configured.


Why Fake Email Domains Are So Dangerous for Small Businesses

Phishing emails cost businesses an average of $4.91 million per breach, according to IBM’s 2023 Cost of a Data Breach Report. But statistics don’t tell the real story as well as a single example.

Last spring, a dental office manager in Cleveland, TN received an email that appeared to come from their practice management software vendor. The email said their license was expiring and included a link to “renew” their subscription. The logo looked right. The email tone matched. She clicked the link, entered her username and password, and thought nothing of it.

Two days later, she got a call from the real vendor asking why her account had been accessed from Eastern Europe.

The fake domain was pattersondental-support.com. The real domain is pattersondental.com. One extra word — that’s all it took.

Small businesses get targeted specifically because they don’t have a dedicated IT security team watching for this. If you’re running a business in Chattanooga with 5 to 50 employees, you are exactly the target these attacks are designed for.

Want to make sure your business email is protected? Our cybersecurity services in Chattanooga include email filtering and threat monitoring that catches these attacks before they reach your inbox.


How to Check If an Email Domain Is Legitimate: 7 Steps

1. Read the Full Email Address, Not Just the Display Name

This is the most important step and the most overlooked.

Email clients like Outlook and Gmail display a “friendly name” in the From field. A scammer can set that friendly name to anything — including “Patterson Dental Support” or “Microsoft Security Team.” What matters is the actual email address hidden behind that name.

To see the real address:
– Outlook: Click the sender’s name to expand the full address
– Gmail: Click the small dropdown arrow next to the sender’s name
– iPhone Mail: Tap the sender’s name to reveal the full address

If the display name says “Bank of America” but the email address is noreply@boa-secure-alert.net, that’s not Bank of America.

2. Compare the Domain to the Official Company Website

Once you have the full email address, look at everything after the @ symbol. That’s the domain.

Open a new browser tab and type the company’s name into Google. Find their official website. The domain in the email should match the domain of the website exactly.

  • support@microsoft.com — legitimate (matches microsoft.com)
  • support@microsoft-helpdesk.com — fake (microsoft-helpdesk.com is not Microsoft’s domain)
  • billing@quickbooks-online-support.net — fake (Intuit’s real domain is intuit.com or quickbooks.intuit.com)

Simple, but effective. Most phishing attempts fail this one check.

3. Look for Common Email Domain Spoofing Tricks

Scammers are creative. Here are the most common ways they make fake domains look real:

Adding words to the brand name:
– Real: dell.com
– Fake: dell-support.com, dellhelp.com, dell-customer-service.net

Swapping similar-looking characters:
– Real: microsoft.com
– Fake: rnicrosoft.com (r+n looks like m), micros0ft.com (zero instead of o)

Using a different top-level domain:
– Real: datto.com
– Fake: datto.net, datto.org, datto.us

Adding your company’s name to their fake domain:
– Real vendor email: support@ninjaone.com
– Fake: ninjaone-support-yourcompanyname.com

Using subdomains:
– Fake: microsoft.com.phishing-site.com (the actual domain is phishing-site.com, not microsoft.com)

Train your team to spot these patterns. It takes two minutes and can prevent a very expensive mistake.
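The patterns above can be checked mechanically. The following is an added example (not code from ETTC or from the original post) that pulls the real domain out of a From header and labels it against a small allow-list of vendor domains; the allow-list, the homoglyph table and the two-label rule for the registered domain are assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed allow-list of vendor domains this office actually deals with (an
# assumption for this example; in practice it comes from your own vendor records).
KNOWN_DOMAINS = {"microsoft.com", "dell.com", "datto.com", "ninjaone.com"}

# Character swaps used to imitate a real name (the "rn for m" and "0 for o" tricks).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so rnicros0ft compares equal to microsoft."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: microsoft.com.phishing-site.com -> phishing-site.com.
    Assumes a single-label TLD; co.uk-style suffixes would need the public suffix list."""
    return ".".join(host.split(".")[-2:])


def classify(header_from: str) -> str:
    """Label the sender domain in a From header value using the tricks described above."""
    _display_name, address = parseaddr(header_from)   # ignore the friendly name entirely
    host = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    domain = registered_domain(host)
    if domain in KNOWN_DOMAINS:
        return "legitimate"
    if "." not in domain:
        return "unknown: verify against the vendor's website"
    name, tld = domain.split(".", 1)
    for known in sorted(KNOWN_DOMAINS):
        kname, ktld = known.split(".", 1)
        if f".{known}." in f".{host}.":          # brand used as a subdomain of someone else's domain
            return f"suspicious: {known} used as a subdomain of {domain}"
        if name == kname and tld != ktld:        # datto.com -> datto.net
            return f"suspicious: TLD swap of {known}"
        if name != kname and normalize(name) == normalize(kname):
            return f"suspicious: look-alike characters for {known}"
        if kname in name:                        # dell.com -> dell-support.com
            return f"suspicious: extra words added to {known}"
    return "unknown: verify against the vendor's website"
```

A domain that comes back "unknown" is not cleared; it simply is not one of the vendors on the list, so the manual comparison in step 2 still applies.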

4. Run a WHOIS Domain Lookup

A WHOIS lookup tells you who registered a domain and when. Legitimate companies have domains that are years old. Scammers register new domains right before they launch a campaign.

Go to who.is or whois.domaintools.com and enter the domain from the suspicious email.

Look for:
– Creation date: If the domain was registered within the last 90 days, be very suspicious
– Registrant information: Legitimate businesses are usually identifiable; scam domains are often registered through privacy protection services
– Registrar country: Mismatches between the company’s known location and the registrar’s country are a warning sign

This step takes 30 seconds and provides hard evidence about whether a domain is what it claims to be.

5. Check the Email Headers

Email headers are the hidden metadata attached to every email. They show the actual path the email traveled to reach you, including the real sending server.

In Gmail, open the email, click the three-dot menu, and select “Show original.” In Outlook, open the email, go to File, then Properties, and look at the Internet Headers box.

You’re looking for the Return-Path and Received fields. If an email claims to come from @microsoft.com but the Return-Path shows a completely different domain, it’s spoofed.

This step is more technical, but it’s definitive. If you’re not comfortable reading headers, forward the suspicious email to your IT provider and ask them to check it.
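For readers who want the header check done by a script rather than by eye, here is an added example (not from the original post or from ETTC) that parses a raw header block with Python's standard library and reports a From/Return-Path mismatch and a last hop that is not the claimed sender's server. The header block is constructed for the example and is not a captured message.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the scenario in the text; the hostnames and the
# 203.0.113.10 address are documentation placeholders, not real infrastructure.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail-alerts-secure.net>
Received: from mx.mail-alerts-secure.net (mx.mail-alerts-secure.net [203.0.113.10])
        by mail.example-dental.com with ESMTPS; Mon, 3 Mar 2025 09:02:11 -0500
From: "Microsoft Security Team" <security@microsoft.com>
To: office@example-dental.com
Subject: Your license is expiring
"""


def domain_of(header_value: str) -> str:
    """Domain part of an address header, ignoring the display name."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> dict:
    """Compare the claimed From domain with the bounce address and the delivering server."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_domain = domain_of(msg.get("Return-Path"))
    # Received headers are prepended by each hop, so the first one is the hop that
    # handed the message to your own server; its "from" hostname is the sending relay.
    received = msg.get_all("Received") or []
    last_hop = received[0].split()[1] if received and received[0].startswith("from ") else ""
    findings = []
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} does not match From domain {from_domain}")
    if last_hop and from_domain and not last_hop.endswith(from_domain):
        # A lead, not proof: vendors that send through a mail provider also trip this.
        findings.append(f"last hop {last_hop} is not a {from_domain} server")
    return {"from_domain": from_domain, "return_path_domain": return_domain,
            "last_hop": last_hop, "findings": findings}
```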


Not sure who your IT provider should be? If you’re in the Chattanooga area, reach out to our team at ETTC — we’re happy to check a suspicious email at no charge.


6. Verify SPF, DKIM, and DMARC Records

These three email authentication standards are the technical backbone of email legitimacy. They’re configured on the sending domain’s DNS records and tell receiving servers whether an email is authorized.

  • SPF (Sender Policy Framework): Specifies which servers are allowed to send email from the domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to verify the email wasn’t tampered with
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do if SPF or DKIM fails

You can check whether a domain has these records using MXToolbox (mxtoolbox.com). Enter the domain and run SPF, DKIM, and DMARC lookups.

Legitimate companies — especially large ones — almost always have all three configured. A domain missing all three authentication records is a strong signal something is wrong.

For your own business, make sure your IT provider has SPF, DKIM, and DMARC set up on your domain. This protects your clients from receiving spoofed emails that appear to come from you.
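To show what "properly configured" means in the records themselves, here is an added example (not from the original post or from ETTC) that interprets SPF and DMARC TXT records and derives the DNS name where a DKIM key is published. The record strings are constructed; a real check fetches them with a TXT lookup for the domain and for _dmarc.<domain>, or with MXToolbox as the text suggests.

```python
def parse_spf(txt: str) -> dict:
    """Pull the terminating 'all' qualifier out of an SPF record.
    '-all' fails unlisted senders, '~all' softfails them, '?all' or '+all' leaves
    them neutral or passing, which is no policy at all."""
    if not txt.startswith("v=spf1"):
        return {"present": False}
    terms = txt.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        qualifier = None                      # no 'all' mechanism: unlisted senders are neutral
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"present": True, "all": qualifier, "mechanisms": [t for t in terms if t != all_term]}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into tags; p= is what receivers do when SPF and DKIM both fail."""
    if not txt.startswith("v=DMARC1"):
        return {"present": False}
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    return {"present": True, "policy": tags.get("p"),
            "subdomain_policy": tags.get("sp", tags.get("p")), "reports": tags.get("rua")}


def dkim_record_name(dkim_signature: str) -> str:
    """DKIM keys are published at <selector>._domainkey.<domain>; the selector (s=) and
    domain (d=) come from the message's own DKIM-Signature header."""
    tags = dict(part.strip().split("=", 1) for part in dkim_signature.split(";") if "=" in part)
    return f"{tags['s']}._domainkey.{tags['d']}"


def assess(spf_txt: str, dmarc_txt: str) -> list[str]:
    """Return the gaps a receiving server would care about; empty means the domain
    fails unlisted senders and tells receivers to act on failures."""
    issues = []
    spf, dmarc = parse_spf(spf_txt or ""), parse_dmarc(dmarc_txt or "")
    if not spf["present"]:
        issues.append("no SPF record")
    elif spf["all"] in ("+", "?", None):
        issues.append("SPF does not fail unlisted senders (needs -all or ~all)")
    if not dmarc["present"]:
        issues.append("no DMARC record")
    elif dmarc["policy"] == "none":
        issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
    return issues
```

A domain with all three records but DMARC set to p=none still lets spoofed mail through, so the policy value matters as much as the record's presence.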

7. Use a Free Email Verification Tool

Several free tools let you verify whether an email address is real:

  • Hunter.io (hunter.io/email-verifier) — checks if an email address exists on a domain
  • NeverBounce — bulk and single email verification
  • EmailRep.io — checks a sender’s reputation and flags suspicious addresses

These tools won’t replace the steps above, but they add another layer of confirmation for questionable senders.


Red Flags That Almost Always Mean a Fake Domain

Even without running all seven steps above, these warning signs should make you stop immediately:

  • Urgency language: “Your account will be suspended in 24 hours” — legitimate companies give you time to respond
  • Unexpected requests: A vendor you’ve never emailed suddenly needs your login credentials
  • Grammar and spacing issues: Inconsistent formatting, odd punctuation, or awkward phrasing
  • Generic greetings: “Dear Valued Customer” instead of your actual name
  • Mismatched branding: The logo looks slightly off, or the email font doesn’t match the company’s website
  • Requests for payment via wire transfer or gift cards: No legitimate vendor asks for gift cards

Consider what happened to a bookkeeper for a small manufacturing company near Ringgold, GA in early 2025. She received an email from what appeared to be her company’s bank, warning of “unusual activity” and asking her to verify the company’s wire transfer limit. The domain was firsttennessee-secure.com. The real domain is firsthorizon.com (First Tennessee rebranded years ago). She almost didn’t notice — the email template was nearly perfect. Her IT provider’s email filtering caught it before she clicked. Without that protection in place, the outcome could have been very different.


What to Do If You’ve Already Clicked a Suspicious Link

If you clicked a link and something felt wrong afterward, don’t wait. The first 30 minutes matter.

  1. Disconnect from the internet immediately if you entered any credentials — unplug the ethernet cable or turn off Wi-Fi
  2. Change your passwords on any accounts you may have accessed from a different device
  3. Enable multi-factor authentication on your email and any sensitive accounts
  4. Call your IT provider — they can check your system for malware or unauthorized access
  5. Report it to the FBI’s Internet Crime Complaint Center at ic3.gov
  6. Notify your bank if any financial information was involved

Speed is everything. A credential stolen at 9 a.m. can be used to access a bank account by 9:15 a.m.

If your business is in the Chattanooga area and you’re worried about a suspicious click, call ETTC directly at (423) 779-8196. We can assess the situation quickly.


How to Protect Your Business From Fake Email Domains Long-Term

Checking emails manually is important, but the real protection comes from layers of automated security. Here’s what a properly protected small business email setup looks like:

Email filtering and anti-phishing: Tools like Microsoft Defender for Business or Sophos Email Security scan incoming messages before they hit your inbox. Suspicious links are blocked automatically.

Multi-factor authentication on all email accounts: Even if a password is stolen, MFA prevents the attacker from actually logging in.

Employee training: One 30-minute annual phishing simulation dramatically reduces click rates across your team. We’ve seen click rates on simulated phishing emails drop from 34% to under 5% after a single training session.

SPF, DKIM, and DMARC on your own domain: This prevents scammers from spoofing your company’s email address when targeting your clients.

Incident response plan: Know what to do before it happens. Who do you call? What gets shut down first? How do you notify clients?

At ETTC, we set up and monitor all of this for our managed IT clients. You shouldn’t have to think about it — that’s what we’re here for. Learn more about our managed IT services in Chattanooga and what’s included in a fully managed plan.


Frequently Asked Questions

How do I know if an email is really from who it says it’s from?
Check the full sender email address (not just the display name), compare the domain to the company’s official website, and look for authentication signals like DMARC. When in doubt, call the company directly using a phone number from their official site — not one from the email.

Can a legitimate company email come from a different domain than their website?
Occasionally. Large companies sometimes use third-party platforms like Salesforce, HubSpot, or Mailchimp to send marketing emails, which may show a different domain. But for billing, account security, or support emails, the domain should always match the company’s primary website. When unsure, call and verify.

What is domain spoofing?
Domain spoofing is when a scammer registers a domain that looks similar to a real company’s domain, then sends emails from it to trick recipients into thinking the message is legitimate. It’s different from email spoofing, where the attacker fakes the From address entirely without owning a matching domain.

Is there a tool that checks email legitimacy automatically?
Yes. MXToolbox, EmailRep.io, and Hunter.io all provide email verification features. For business-level protection, email security platforms like Microsoft Defender, Sophos, or Proofpoint scan every inbound message automatically.

My employee clicked a phishing link. What do I do?
Act immediately: disconnect the device from the internet, change all passwords from a separate device, enable MFA on all accounts, and call your IT provider. File a report at ic3.gov. Time is the critical variable — the faster you respond, the less damage gets done.


Conclusion: Don’t Let One Email Undo Your Business

Knowing how to check if an email domain is legitimate is one of the most practical cybersecurity skills any business owner or employee can have. It costs nothing, takes less than two minutes, and can prevent a breach that costs tens of thousands of dollars and months of recovery.

To recap what to do:
– Read the actual email address, not the display name
– Compare the domain to the official company website
– Spot spoofing tricks like added words, swapped characters, or different TLDs
– Run a WHOIS lookup for newly registered domains
– Check headers for mismatched sending servers
– Verify SPF, DKIM, and DMARC records
– Use email verification tools as an added layer

If you’re running a business in Chattanooga or East Tennessee and want someone to handle email security for you — including filtering, monitoring, and employee training — book a free consultation with ETTC. We’ve been protecting local businesses for 15 years, and we’d be glad to help.

Call us at (423) 779-8196 or email Helpdesk@etntech.com to get started.


Written by the ETTC Team — East Tennessee Technical Consultants, Chattanooga’s managed IT specialists since 2010.