How do spammers fake sender identities?

Spammers exploit domains lacking DMARC enforcement. Without policies rejecting failed authentication, they can claim any identity. They configure their servers to use victim domains in From headers.

Display name manipulation works regardless of authentication. Spammers use names like "Amazon Support" or "Your Bank" with their own email addresses. Recipients often don't notice the actual address differs from the display name.

Lookalike domains evade authentication entirely. Spammers register domains similar to targets (amaz0n.com, paypa1.com) and send authenticated email from those domains. The messages are technically legitimate from the spoofed domain but visually deceptive.