Email Spoofing Explained: How to Protect Your Domain from Deceptive Attacks

Email remains one of the most widely used communication tools for both businesses and individuals. Unfortunately, this also makes it a common target for cybercriminals. One of the most pervasive threats is email spoofing, where attackers forge sender information to impersonate trusted sources.

Despite its prevalence, many organisations still lack adequate defences. This article explains how spoofing works, highlights real-world attack examples, and outlines effective detection and prevention strategies.

What It Is #

Email spoofing is a form of impersonation attack in which an attacker falsifies the sender address to make a message appear as if it originates from a legitimate source. This tactic is frequently employed in:

  • Phishing and spear-phishing attacks
  • Malware distribution
  • Business Email Compromise (BEC)

By exploiting trust in recognised identities, spoofed emails increase the likelihood of successful social engineering.

How It Works #

Exploiting Vulnerabilities #

The Simple Mail Transfer Protocol (SMTP), the standard for sending email, does not include native sender authentication. Without additional safeguards, attackers can:

  • Forge the “From” header field
  • Send messages through open relays or compromised servers
  • Deliver deceptive messages that appear legitimate to recipients

Unless the recipient’s mail server uses email authentication methods (like SPF, DKIM, and DMARC), it cannot verify whether the sender’s address is genuine.

Techniques #

1. Lookalike Domains

Attackers subtly modify email addresses to resemble legitimate ones, often by changing a single character:

| Legitimate Address | Spoofed Address | Trick Used |
|---|---|---|
| [email protected] | [email protected] | Capital "I" instead of lowercase "l" |
| [email protected] | [email protected] | Zero instead of "o" |
| [email protected] | [email protected] | Double "l" |

These subtle alterations can fool recipients into trusting the source and clicking malicious links or sharing sensitive information.
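The three tricks in the table can be caught mechanically by reducing every domain to a "skeleton" in which confusable characters and doubled letters collapse to one canonical form, then comparing that skeleton against an allow-list. The following is an added example, not code from the article; the trusted domain list and the sample addresses are constructed, and it generalises the table slightly by also covering "rn" for "m" and single dropped letters.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list (assumption: the domains your organisation expects mail from).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "yourdomain.com"}

# Single characters that are easily confused in common fonts, each mapped to one canonical form.
# The capital-I-for-l trick is covered because domains are lower-cased first (I -> i -> l).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "4": "a", "5": "s", "3": "e"})


def skeleton(domain):
    """Reduce a domain to a skeleton so that visually similar spellings compare equal."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")   # two-character confusables (rn ~ m, vv ~ w)
    d = d.translate(CONFUSABLES)
    return re.sub(r"([a-z])\1+", r"\1", d)        # collapse doubled letters: paypall -> paypal


def sender_domain(from_header):
    """Domain of the real address in a From header, ignoring the display name."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify(from_header):
    """Return 'trusted', 'lookalike of <domain>', 'near-match of <domain>' or 'unrelated'."""
    dom = sender_domain(from_header)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(dom) == skeleton(trusted):
            return f"lookalike of {trusted}"
        # single-character edits the skeleton does not cover, e.g. a dropped letter (paypl.com)
        if SequenceMatcher(None, dom, trusted).ratio() >= 0.9:
            return f"near-match of {trusted}"
    return "unrelated"


if __name__ == "__main__":
    for sample in ('"PayPal" <service@paypa1.com>', "support@micr0soft.com", "noreply@github.com"):
        print(f"{sample:35} -> {classify(sample)}")
```

A mail gateway or SIEM rule would run `classify` over the From header of inbound mail and flag anything other than "trusted" or "unrelated" for review.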

2. Spoofing Real Addresses

Attackers can also spoof valid email addresses (e.g. [email protected]) without needing access to the account:

  • SMTP lacks built-in sender verification
  • Attackers can use their own mail server or scripts to craft deceptive headers

This is known as header spoofing. To users, the email appears authentic, but it actually originates from an unauthorised source.

Understanding Email Headers #

Email headers contain metadata that tracks the journey of an email from sender to recipient. While end users typically see only the subject line, sender, and timestamp, full headers reveal critical technical details used in identifying spoofed or malicious messages.

Key Header Fields #

  • From: Sender address displayed in the email client. Can be forged.
  • To: Intended recipient.
  • Subject: Email subject line.
  • Date: Timestamp of when the message was sent.
  • Return-Path: Address for bounce messages. May differ from “From”.
  • Received: Logs each mail server that handled the message, most recent hop first.
  • Message-ID: Unique identifier assigned by the originating server.
  • DKIM-Signature (if present): Cryptographic proof of message authenticity.
  • Authentication-Results (if present): Shows SPF, DKIM, and DMARC status as evaluated by the receiving server.

Relevance to Spoofing #

Analysing email headers is essential for identifying spoofed messages. Red flags include:

  • The From domain does not match the sending server recorded in the Received chain.
  • SPF/DKIM/DMARC failures or absence in Authentication-Results.
  • Unusual sending servers or IPs that do not match the domain’s expected infrastructure.

How to View Full Headers #

| Email Client | How to Access Headers |
|---|---|
| Apple Mail | View → Message → All Headers |
| Gmail | Click ⋮ → Show original |
| Outlook (Desktop) | File → Properties → Internet headers |
| Outlook (Web) | Click ⋯ → View message details |
| ProtonMail | Click ⋯ (in message view) → View headers |

Examples

Valid Email Headers

```text
Return-Path: <[email protected]>
Received: from mail.paypal.com (mail.paypal.com [64.4.248.10])
    by mail.yourdomain.com with ESMTP; Mon, 6 May 2025 12:00:00 +0000
From: "PayPal" <[email protected]>
To: [email protected]
Subject: Your Recent Payment
Date: Mon, 6 May 2025 12:00:00 +0000
Reply-To: [email protected]
Message-ID: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com; s=mail;
    bh=8qQ7xX+XYs9vQfUyU6ofw06HkI+ktZ2Qwn9sBjfblTc=;
    b=YjJt2kfj8ho9NMYpZHHlxdJzCFi1GgN5k0U9HYBjhWsqyRHh8q6IqJbKDlMNpR9ZRIp4kLO5LwscV9M+0qg==;
Authentication-Results: mail.yourdomain.com;
    spf=pass (sender is authorised);
    dkim=pass header.d=paypal.com;
    dmarc=pass (message aligned with domain policies) header.from=paypal.com
```

Explanation:

  • Return-Path: Legitimate [email protected]; undeliverable emails go here.
  • Received: Sent through a trusted server (paypal.com).
  • From: Genuine PayPal address, [email protected].
  • Reply-To: Matches the "From" address, confirming PayPal’s domain.
  • DKIM-Signature: Valid DKIM, ensuring email integrity.
  • SPF: Passed SPF, sent from an authorised PayPal server.
  • DMARC: Passed DMARC, aligns with PayPal’s policy.

Invalid Email Headers

```text
Return-Path: <[email protected]>
Received: from unknownserver.com (unknownserver.com [198.51.100.1])
    by mail.yourdomain.com with ESMTP; Mon, 6 May 2025 12:00:00 +0000
From: "PayPal" <[email protected]>
To: [email protected]
Subject: Urgent: Account Suspended
Date: Mon, 6 May 2025 12:00:00 +0000
Reply-To: [email protected]
Message-ID: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evil.com; s=mail;
    bh=xyz123abc+XYZ8900xyz12345==;
    b=INVALIDSIGNATURE==;
Authentication-Results: mail.yourdomain.com;
    spf=fail (sender not authorised);
    dkim=fail header.d=evil.com;
    dmarc=fail (message does not align with domain policies) header.from=paypal.com
```

Explanation:

  • Return-Path: [email protected], not PayPal, indicating illegitimacy.
  • Received: From a suspicious server, unknownserver.com, not linked to PayPal.
  • From: Claims to be [email protected], but the other headers show it is not from PayPal.
  • Reply-To: Set to [email protected], directing replies to the attacker.
  • DKIM-Signature: Invalid, signed by evil.com instead of PayPal.
  • SPF: Fails, sent from an unauthorised server.
  • DMARC: Fails, not aligned with PayPal’s domain policies.
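The red flags walked through in the two explanations above can be checked automatically from a raw header block. The script below is an added example, not code from the article: it parses the headers with Python's standard `email` module and reports the mismatches from the "Relevance to Spoofing" list. The embedded message is a constructed sample modelled on the invalid example (the local parts such as `attacker@` and `service@` are made up).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the "Invalid Email Headers" example above; not a real message.
SPOOFED = """\
Return-Path: <attacker@evil.com>
Received: from unknownserver.com (unknownserver.com [198.51.100.1])
    by mail.yourdomain.com with ESMTP
From: "PayPal" <service@paypal.com>
To: user@yourdomain.com
Reply-To: attacker@evil.com
Subject: Urgent: Account Suspended
DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=mail; bh=...; b=...;
Authentication-Results: mail.yourdomain.com; spf=fail smtp.mailfrom=evil.com;
    dkim=pass header.d=evil.com; dmarc=fail header.from=paypal.com

"""


def domain_of(header_value):
    """Domain of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it (relaxed DMARC-style alignment)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_red_flags(raw_headers):
    """Return the red flags from 'Relevance to Spoofing' that apply to a raw header block."""
    msg = message_from_string(raw_headers)
    frm = domain_of(msg.get("From"))
    flags = []
    if not same_org(domain_of(msg.get("Return-Path")), frm):
        flags.append("Return-Path domain differs from From")
    if msg.get("Reply-To") and not same_org(domain_of(msg.get("Reply-To")), frm):
        flags.append("Reply-To domain differs from From")
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if d and not same_org(d.group(1).lower(), frm):
        flags.append("DKIM d= not aligned with From")
    hops = msg.get_all("Received") or []  # newest first, so the last entry is the originating hop
    host = re.search(r"from\s+([\w.-]+)", hops[-1]) if hops else None
    if host and not same_org(host.group(1).lower(), frm):
        flags.append("originating server not in the From domain")
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)
    flags += [f"{k.lower()}={v.lower()}" for k, v in results if v.lower() != "pass"]
    return flags


if __name__ == "__main__":
    for flag in spoofing_red_flags(SPOOFED):
        print("!", flag)
```

Note that DKIM passing is not enough on its own: here the signature verifies for evil.com, but the `d=` domain does not align with the From domain, which is exactly what DMARC checks.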

Real-World Scenarios #

Understanding common spoofing scenarios can help organisations anticipate and respond to attacks effectively.

1. Executive Impersonation #

Scenario: Finance staff receive a spoofed message from the CEO.

Message:

```text
Subject: Urgent Payment Request
From: [email protected]

Please initiate a wire transfer of 50,000 EUR to the following vendor account.
This must be completed today. I’m currently in meetings, please confirm by email.
```

Goal: Trick employees into executing unauthorised transactions.

2. Vendor Invoice Fraud #

Scenario: A spoofed invoice is sent from a fake vendor email.

Message:

```text
Subject: Invoice Due – ACTION REQUIRED
From: [email protected]

Please find the attached invoice for this month. Let us know once payment is processed.
```

Goal: Insert fraudulent invoices into legitimate payment workflows.

3. IT Department Phishing #

Scenario: A message claiming to be from IT requests a password reset.

Message:

```text
Subject: Required Password Reset
From: [email protected]

Due to recent upgrades, all staff must reset passwords. Click the link below to proceed.
```

Goal: Harvest credentials via a fake login portal.

4. HR or Payroll Deception #

Scenario: Message claims to be from HR during tax season.

Message:

```text
Subject: Update Your Bank Details
From: [email protected]

We’re updating our payroll system. Please confirm your account details via the secure link.
```

Goal: Collect sensitive financial or personal data.

5. Customer Service Impersonation #

Scenario: Spoofed messages from major brands like PayPal or Amazon.

Message:

```text
Subject: Suspicious Activity Detected
From: [email protected]

We've detected suspicious activity. Log in now to verify your account details.
```

Goal: Direct users to phishing sites.

6. Legal or Law Enforcement Impersonation #

Scenario: Attackers impersonate law enforcement or legal entities.

Message:

```text
Subject: Legal Action Notice
From: [email protected]

You are named in an active investigation. Review the attached documents and respond today.
```

Goal: Install malware or pressure victims into clicking malicious links.

Detection Techniques #

Identifying spoofed emails can be challenging. Common red flags include:

  • Slight misspellings in email domains or display names.
  • Inconsistencies between the display name and the actual email address.
  • Unexpected tone or urgency, especially when requesting money or sensitive data.
  • Suspicious attachments or unfamiliar links.
  • Authentication failures in email headers (SPF, DKIM, or DMARC results).

Technical users can inspect email headers to trace the true sending server and evaluate domain authentication results.

Prevention and Mitigation #

Technical Defences #

Pro tip: A great website to check for domain vulnerabilities is internet.nl. It evaluates your domain’s email security and encryption settings.

1. Implement SPF, DKIM, and DMARC

These protocols form the foundation of domain-based email authentication.

  • SPF: Verifies that the sending mail server is authorised to send on behalf of your domain.
  • DKIM: Adds a digital signature to prove the email hasn't been tampered with and was authorised by your domain.
  • DMARC: Provides instructions to receiving servers on how to handle unauthenticated mail (e.g. quarantine or reject) and sends reports about misuse of your domain.

Benefits:

  • Lets receiving servers reject or quarantine forged emails that use your exact domain.
  • Increases the chance your legitimate emails reach the inbox (not spam).
  • Helps build trust with recipients and mail providers.
  • Gives visibility into who is sending on behalf of your domain.

2. Use DNSSEC

Adds digital signatures to your DNS records, preventing attackers from forging or modifying them.

Benefits:

  • Ensures your SPF, DKIM, and DMARC records can’t be tampered with.
  • Protects against DNS spoofing and redirection attacks.

3. Enable SMTP over TLS

Encrypts emails while they’re moving between mail servers.

Benefits:

  • Prevents attackers from reading or altering emails in transit.
  • Ensures confidentiality and integrity of your email traffic.

4. Adopt BIMI (Brand Indicators for Message Identification)

Displays your official logo next to authenticated emails in supported inboxes.

Benefits:

  • Makes your emails instantly recognisable and visually trusted.
  • Reduces the risk of users falling for fake lookalike emails.
  • Requires strong authentication (DMARC with enforcement), improving your overall email security.

5. Deploy an Email Security Gateway

A filtering system that scans emails before they reach users.

Benefits:

  • Blocks phishing, malware, and suspicious content.
  • Detects threats even if the email passes authentication checks.
  • Adds an extra layer of protection using threat intelligence.

6. Set Strict DMARC Policies

Start with p=none (monitoring), then move to p=quarantine or p=reject once all sending sources are compliant.

Benefits:

  • Lets you monitor email flows before taking enforcement action.
  • Actively blocks unauthorised email once policy is enforced.
  • Ensures only approved senders can use your domain.
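The checks in "1. Implement SPF, DKIM, and DMARC" and "6. Set Strict DMARC Policies" above come down to a few tags in two DNS TXT records. The following added example (not code from the article) assesses an SPF record by its terminal `all` mechanism and a DMARC record by its `p=`, `sp=`, `pct=` and `rua=` tags; the records for `weak.example` and `strong.example` are constructed, and a real deployment would fetch them from DNS instead of the `RECORDS` dictionary.

```python
import re

# Constructed records for two hypothetical domains; not real DNS data.
RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}


def spf_findings(record):
    """Weaknesses in an SPF TXT record, judged by its terminal 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for the domain"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["+all authorises every server on the internet; SPF provides no protection"]
    if last == "~all":
        return ["~all (softfail) only marks unlisted senders; use -all once all sources are listed"]
    if last != "-all":
        return ["no terminal 'all' mechanism: unlisted senders get a neutral result"]
    return []


def dmarc_findings(record):
    """Weaknesses in a DMARC TXT record, following the p=none -> quarantine -> reject path."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers get no policy and you get no reports"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", record)}
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject once senders comply")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing p= tag: {policy!r}")
    elif int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 applies the policy to a sample of mail only")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected although the organisational domain is enforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who sends as your domain will not arrive")
    return findings


def assess(domain):
    """Combine SPF and DMARC findings for one domain in RECORDS."""
    recs = RECORDS.get(domain, {})
    return {"spf": spf_findings(recs.get("spf")), "dmarc": dmarc_findings(recs.get("dmarc"))}
```

Run `assess("weak.example")` and `assess("strong.example")` to see the difference between a monitoring-only setup and an enforced one; an empty list for both records is the target state.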

Organisational Measures #

Technical controls are essential, but human behaviour remains a major risk. The following organisational practices reduce the chance of user error and improve detection of malicious activity.

1. Multi-Factor Authentication (MFA)

Require users to verify identity using more than just a password (e.g. authenticator app).

Benefits:

  • Prevents unauthorised access even if passwords are stolen.
  • Protects email accounts and internal systems from compromise.

2. Employee Training

Conduct regular training on phishing, spoofing, and social engineering threats.

Benefits:

  • Reduces the chance of users clicking malicious links or sharing sensitive information.
  • Increases overall awareness and resilience to email-based attacks.

3. Simulated Phishing Exercises

Run internal fake phishing campaigns to test and reinforce staff awareness.

Benefits:

  • Identifies staff who need more training.
  • Strengthens real-world recognition of phishing tactics.

4. Clear Communication Protocols

Establish strict procedures for verifying sensitive or financial requests (e.g. via phone or in-person confirmation).

Benefits:

  • Prevents attackers from tricking staff into making payments or revealing credentials.
  • Ensures critical actions are verified through trusted, separate channels.

5. Email Tagging for External Messages

Automatically label emails from outside the organisation (e.g. add “[External]” to subject lines).

Benefits:

  • Warns staff that the message could be suspicious.
  • Encourages caution when interacting with links or attachments.

6. Audit and Monitor Email Activity

Log and review email usage to identify suspicious patterns or compromised accounts.

Benefits:

  • Detects early signs of account takeover or targeted attacks.
  • Helps investigate incidents and enforce policy.

7. Avoid Predictable Role-Based Addresses

Replace generic addresses like [email protected] with monitored aliases or rotating addresses.

Benefits:

  • Makes it harder for attackers to target high-risk roles.
  • Reduces exposure to spam, phishing, and automated attacks.