What are the different types of spoofing (header, display name, domain)?

Header spoofing manipulates the From header to show a fake sender address. The full email address appears as something like ceo@company.com when it's actually from attacker@malicious.com. DMARC enforcement can prevent this.

Display name spoofing changes the friendly name while keeping a different address. Recipients see "CEO John Smith" but the actual address is attacker@gmail.com. This bypasses domain authentication since the real sending domain is authenticated.

Domain spoofing uses the victim's actual domain in the From address. This is what DMARC directly prevents. Without DMARC enforcement, attackers can send as anyone@yourdomain.com from their own infrastructure.