What is Email Spoofing?

Email spoofing is the forgery of an email header so that the message appears to have originated from a forged sender address other than the actual source. Email spoofing is commonly used in phishing and spam campaigns since people are more likely to open an email when they have no doubt looking at the source. The goal of email spoofing is to get recipients to open the email and possibly even respond to it.

Malicious spoofed emails can cause serious problems and pose security risks. For example, it may pretend to be from a famous shopping website in which it’s asking the recipient to provide password or credit card number. Besides, spoofed email may ask the recipient to click on a link that installs malware on recipient’s computing device.

How Can I Avoid It?

Sender Policy Framework (SPF)

SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain’s administrators.

ISPs (like Gmail, Yahoo, etc) verify that a mail server is authorized to send email for a domain by using SPF. It is a whitelist for the services who are allowed to send email on your behalf. If the you receive messages from a server that’s not on your list, then it can be consider as fake and will be treated accordingly. SPF has become extremely important to verify who can send email on behalf of your domain and directly impacts email delivery.

SPF does not validate against the from domain but it looks at the return path value in order to validate the original server. It’s the email address that receiving servers use to notify the sending mail server of delivery problems, like bounces. So, an email can pass SPF regardless of whether the from address is fake. The problem with this limitation is that the from address is what recipients see in their email clients. To determine whether an email should be delivered or not, SPF is just one of many factors that ISPs use. Since SPF has some shortcomings, DMARC is a relatively new standard when it comes to verifying the from address.


Domain Keys Identified Mail (DKIM)

DKIM is a method to validate the authenticity of email messages. When each email is sent, it is signed using a private key and then validated on the receiving mail server (or ISP) using a public key that is in DNS.It is an email security standard designed to make sure messages weren’t altered in transit between the sending and recipient servers.

Public-key cryptography is used by DKIM to sign email with a private key as it leaves a sending server. Then, public key published to a domain’s DNS will be used by recipient servers to verify the source of the message, and that the body of the message hasn’t changed during transit. The message passes DKIM and is considered authentic once the hash made with the private key is verified with the public key by the recipient server.


Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC acts to prevent spammers from sending your email using your domain without your permission. The from address messages can be forged by spammers so the spam appears to come from a user in your domain.

DMARC ensures these fraudulent emails get blocked before you even see them in your inbox. In addition, to ensure only legitimate email is received, DMARC gives you great visibility and reports into who is sending email on behalf of your domain.

What do DKIM and SPF have to do with DMARC

With SPF and DKIM, it is up to the ISP to decide what to do with the results. You can get full control to set a policy to reject or quarantine emails from sources you do not know or trust with DMARC but all based on the results of DKIM and SPF. If SPF and DKIM fail or are not present, DMARC lets you tell ISPs how you want them to behave.

Diagram below showing how SPF and DKIM work together with DMARC policy.


Below is and example of a spoofed email content.
How to Identify a spoofed email?

The fastest and the best way to identify a spoofed email is by looking at the respective email header. A normal email should have the same sender’s email for Return-path and From. Below is a sample of a spoofed email header.

Return-Path: <spammer@mail.com.cn>
Received: from m88102.mail.qiye.163.com (m88102.mail.qiye.163.com []) by net-w28.es2u.com with SMTP;
Fri, 8 Mar 2019 03:36:04 +0800
Received: from [KD-ChEMK-gw.rosprint.net] (unknown [])
by m88102.mail.qiye.163.com (Hmail) with ESMTPA id 560C742835
for <user@user.com>; Fri, 8 Mar 2019 03:35:54 +0800 (CST)
X-Abuse-Reports-To: <abuse@mailer.mail.com.cn>
Message-ID: <6qwiv13c-82k9qbik-1328371202-25478346@mail.sdu.edu.cn>
Date: Thu, 7 Mar 2019 20:35:54 +0100
Subject: SPAM-LOW: anthony
From: <user@user.com>
List-Help: <http://dgmqppgnh.com/jb/kseil/jidlczv>
List-Subscribe: <mailto:MEMBERS-subscribe-request@mail.sdu.edu.cn>
X-Complaints-To: <abuse@mail.mail.com.cn>
Errors-To: noreply@mail.com.cn
Content-Type: multipart/related;
MIME-Version: 1.0
Abuse-Reports-To: abuse@mail.com.cn