About Email Spoofing
Email spoofing is the practice of sending email with a forged From address. A spoofed message appears to come from a legitimate contact and is commonly used in phishing that aims to extract credentials or personal data from recipients.
To combat spoofing, several standards have been developed, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
Every email actually has two From addresses: the Header From (the friendly From shown in your mail client, consisting of a display name and an address) and the Envelope From (the address given in the SMTP MAIL FROM command, which the receiving server records in the Return-Path header).
The three mechanisms look at different identities. SPF checks whether the sending server is authorized for the Envelope From (return-path) domain. DKIM signs selected headers, including the Header From, with a key published in the signing domain's DNS. DMARC ties them together: it passes only when the Header From domain aligns with the domain that SPF or DKIM authenticated, and it tells receivers what to do when it does not. Forging the Header From address domain is therefore something DMARC addresses; forging only the display name is not (see Header From below).
Header From
The Header From or friendly From address is the one displayed in the From field of your email client. Mail servers do not use it to route or deliver the message; it is there to tell the reader who the message claims to come from.
The easiest way to mislead a reader is display name abuse: putting a trusted person's or brand's name in the display name while the address behind it belongs to a domain the attacker controls, for example "Alice Example" <alice@some-other-domain.example>. Because the address domain genuinely belongs to the sender, SPF, DKIM, and DMARC all pass; the deception lives entirely in what the client shows, so none of the three mechanisms catch it. Only the reader (or a mail filter that compares display names against known contacts) can.
Envelope From
The Envelope From address (the SMTP MAIL FROM) tells receiving servers where to send bounces and other delivery notifications; replies, by contrast, go to the Header From or Reply-To address. The receiving server writes the Envelope From into the Return-Path header, so you can find it in your email client by selecting "Show Original," "View Message Source," "Show Headers," or a similar option depending on your client. It is not usually displayed to a message's recipient by default.
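To make the two identities concrete, here is an added Python example (written for this page, not taken from it) that parses a constructed raw message, pulls out the display name, the Header From address and the Return-Path, and flags display name abuse against a small assumed contact list. The message, the contact list and the helper names are assumptions for illustration; the alignment check approximates DMARC relaxed alignment by comparing the last two DNS labels rather than consulting the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed raw message for this example (not a real capture and not from the
# original page). The display name impersonates a known contact, while the
# actual address and the envelope sender belong to unrelated domains. The
# Return-Path header is what the receiving server wrote down from the SMTP
# MAIL FROM command, i.e. the Envelope From.
RAW_MESSAGE = b"""\
Return-Path: <bounce-1234@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
    by mx.example.com with ESMTP id abc123 for <bob@example.com>
From: "Alice Example" <alice.example@lookalike-example.org>
Reply-To: alice.example@lookalike-example.org
To: bob@example.com
Subject: Urgent: wire transfer
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <1@mailer.example.net>

Bob, please process the attached invoice today.
"""

# Assumed address book of trusted correspondents (an assumption for the example).
KNOWN_CONTACTS = {"Alice Example": "alice@example.com"}


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def parse_identities(raw):
    """Extract the Header From (display name + address) and the Envelope From."""
    msg = email.message_from_bytes(raw)
    display_name, header_from = parseaddr(msg.get("From", ""))
    # Return-Path is added by the receiving MTA from the SMTP envelope; it is
    # absent on a message you are still composing or that never left your own server.
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    return {
        "display_name": display_name,
        "header_from": header_from,
        "header_from_domain": domain_of(header_from),
        "envelope_from": envelope_from,
        "envelope_from_domain": domain_of(envelope_from),
    }


def organizational_domain(domain):
    """Simplification: treat the last two labels as the organizational domain.
    Real DMARC consults the Public Suffix List, so 'example.co.uk' would be
    handled wrongly here; good enough for an illustration."""
    return ".".join(domain.split(".")[-2:])


def spf_relaxed_aligned(identities):
    """DMARC relaxed alignment for the SPF identifier: the Envelope From domain
    must share the organizational domain of the Header From."""
    return (identities["envelope_from_domain"] != "" and
            organizational_domain(identities["envelope_from_domain"])
            == organizational_domain(identities["header_from_domain"]))


def is_display_name_abuse(identities, known_contacts=KNOWN_CONTACTS):
    """True when the display name matches a trusted contact but the address
    behind it is not that contact's address. SPF/DKIM/DMARC never look at the
    display name, so this check has to be done separately."""
    name = identities["display_name"].strip().lower()
    address = identities["header_from"].lower()
    for contact_name, contact_address in known_contacts.items():
        if name == contact_name.lower() and address != contact_address.lower():
            return True
    return False


if __name__ == "__main__":
    ids = parse_identities(RAW_MESSAGE)
    for key, value in ids.items():
        print(f"{key:>20}: {value}")
    print("SPF-aligned with Header From:", spf_relaxed_aligned(ids))
    print("display name abuse:", is_display_name_abuse(ids))
```

Run against the sample, the Envelope From domain (mailer.example.net) does not align with the Header From domain (lookalike-example.org), and the display name "Alice Example" does not belong to the address it fronts, which is exactly the combination the three mechanisms leave for the reader to notice.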
Many email providers already implement all three mechanisms for their own domains. If you send from a custom domain, you need to publish the records for that domain yourself, and we recommend implementing all three.
Important: Implementing SPF, DKIM, and DMARC requires updating your domain's DNS records. A mistake (for example, a strict SPF record that omits one of your legitimate senders) can cause your own mail to be rejected, so this is best done by someone experienced with DNS administration.
Checking Your Set-up
Check the Status of your SPF here: https://mxtoolbox.com/spf.aspx
Check the Status of your DKIM here: https://mxtoolbox.com/dkim.aspx
Check the Status of your DMARC here: https://mxtoolbox.com/DMARC.aspx
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an open standard aimed at preventing sender address forgery. SPF attempts to prevent email sending abuse by ensuring that the IP address from which a message was sent is authorized to send mail on behalf of the domain in the email’s Envelope From or return-path.
SPF is implemented by publishing a TXT record in the domain's DNS. The record lists the IP addresses, and (via mechanisms such as include) the third-party services, that are allowed to send mail for the domain; any other source is caught by the trailing "all" mechanism, whose qualifier says how the receiver should treat it.
SPF Record Format
SPF records are published as a single string of text. Here's an example record:

Record Name | Type | Value                               | TTL
@           | TXT  | v=spf1 include:_spf.google.com ~all | Auto/1 hour

Reading it left to right: v=spf1 identifies the record as SPF version 1; include:_spf.google.com pulls in the SPF record that Google publishes for its outbound mail servers, so those servers may send as your domain; ~all (softfail) marks every other source as suspect without demanding outright rejection. Once you are certain every legitimate sender is listed, switch to -all (fail). A domain must publish only one SPF record; two records produce a permanent error and SPF then protects nothing.
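To show how a receiving server actually uses a record like the one above, here is an added Python example (written for this page, not the page's own or any provider's code) that evaluates a sending IP against SPF records served from a constructed in-memory DNS table. It implements the ip4, ip6, include and all mechanisms with their +, -, ~ and ? qualifiers and the RFC 7208 lookup limit; the a, mx, ptr, exists and redirect= terms are deliberately left out, and all domain names and addresses are assumptions drawn from reserved documentation ranges.

```python
import ipaddress

# Constructed in-memory DNS TXT table standing in for real lookups (an
# assumption for this example; not part of the original page). Names and
# addresses come from reserved documentation ranges.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.net ~all",
    "_spf.mailer.example.net": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:192.0.2.5 -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "dangling.example": "v=spf1 include:no-such-record.example -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def lookup_spf(domain, dns):
    """Return the domain's SPF record string, or None if it publishes none."""
    record = dns.get(domain.lower(), "")
    terms = record.split()
    if terms and terms[0].lower() == "v=spf1":
        return record
    return None


def check_host(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Simplified RFC 7208 check_host(): may `ip` send mail as `domain`?

    Returns pass, fail, softfail, neutral, none or permerror. Implements the
    ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers;
    a, mx, ptr, exists and redirect= are deliberately left out.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across nested includes
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier, mechanism = "+", term
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, mechanism = term[0], term[1:]
        name, _, argument = mechanism.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            matched = sender.version == network.version and sender in network
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many lookups (also stops include loops)
            inner = check_host(ip, argument, dns, _lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # including a missing or broken record is fatal
            matched = inner == "pass"  # fail/softfail/neutral inside an include: no match
        else:
            return "permerror"  # unknown (or here, unsupported) mechanism

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no trailing all


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"),
                       ("203.0.113.10", "example.com"),
                       ("198.51.100.1", "example.com"),
                       ("198.51.100.1", "strict.example"),
                       ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} as {domain:<16} -> {check_host(ip, domain)}")
```

The contrast between example.com and strict.example is the ~all versus -all choice from the table: the same unauthorized IP yields softfail under one record and fail under the other. The loop.example and dangling.example entries show why a sloppy include is dangerous: both collapse to permerror, and a DMARC policy that relies on SPF then gets no SPF pass at all.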
Here are links on how to set up your own SPF record:
Gmail: https://support.google.com/a/answer/33786
Outlook/Office 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide
Zoho: https://www.zoho.com/mail/help/adminconsole/spf-configuration.html
ProtonMail: https://protonmail.com/support/knowledge-base/anti-spoofing/
If your email provider is not listed, consult that provider's help documentation for information about setting up SPF.
Check the Status of your SPF here: https://mxtoolbox.com/spf.aspx