Email spoofing is the falsification of an email's sender address. Because the original Simple Mail Transfer Protocol (SMTP) has no built-in authentication, any mail server can claim to send email from any address. Attackers exploit this to impersonate banks, executives, or trusted colleagues to trick recipients into taking action.
How Email Spoofing Works
SMTP carries two different "from" addresses, and the base protocol verifies neither:
- Envelope From (MAIL FROM): used by mail servers for bounce handling and recorded by the receiving server as the Return-Path: header. Not normally shown to the recipient.
- Header From (From:): the address displayed in your email client. Because this is what the recipient sees, it is the one attackers forge.
A spoofed email sets From: to an address at a domain the recipient trusts (the CEO's company address, say) while actually being sent from an attacker-controlled server, usually with an Envelope From at a domain the attacker owns, so that bounces and SPF checks concern the attacker's domain rather than the forged one. Basic mail clients display only the Header From, so the deception is invisible without inspecting the raw headers.
Email Authentication Protocols That Stop Spoofing
| Protocol | How It Works | What It Prevents |
|---|---|---|
| SPF | DNS TXT record listing the servers allowed to send mail for a domain; the receiver checks the connecting IP against the Envelope From (MAIL FROM) domain | Envelope From spoofing from unauthorized servers. On its own it never looks at the Header From, so an attacker who uses their own domain in MAIL FROM still passes |
| DKIM | The sending server signs selected headers and the body with a private key; the public key is published in DNS under the signing domain (d=) and a selector | Tampering with signed content in transit; forging a signature for a domain whose private key the attacker does not hold |
| DMARC | DNS policy that requires SPF or DKIM to pass and to align with the Header From domain, tells receivers to reject or quarantine failures, and names where to send reports | Header From spoofing; also gives the domain owner reports of who is sending mail as the domain |
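The alignment rule in the DMARC row is what turns SPF and DKIM into protection for the Header From, and it is easiest to see in code. The following is an added example, not code from the original page or from any DMARC implementation: it parses a DMARC record and decides the disposition of one message from its raw SPF and DKIM results. The domain names, the record contents and the AuthResults fields are assumptions. Real receivers derive the organizational domain from the Public Suffix List, look the record up at the From: domain before falling back to the organizational domain, and honour pct= sampling; this simplification skips all three, as the comments note.

```python
"""DMARC disposition for one message, given its SPF and DKIM results (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List so that "mail.example.co.uk" -> "example.co.uk".
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def is_aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class AuthResults:
    header_from: str   # domain of the From: header the user sees
    spf_result: str    # raw SPF result for the MAIL FROM domain
    spf_domain: str    # MAIL FROM (envelope) domain that SPF evaluated
    dkim_result: str   # raw DKIM result; "none" when unsigned
    dkim_domain: str   # d= of the verified signature, "" when none


def dmarc_disposition(record: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, action) where action is none, quarantine or reject."""
    tags = parse_dmarc(record)
    # A raw pass only counts when the authenticated domain aligns with From:.
    spf_ok = r.spf_result == "pass" and is_aligned(r.spf_domain, r.header_from, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and is_aligned(r.dkim_domain, r.header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Assumption: the record was published at the org domain, so sp= (if any)
    # governs From: subdomains. pct= sampling is deliberately ignored.
    policy = tags["p"]
    if r.header_from.lower() != org_domain(r.header_from):
        policy = tags.get("sp", policy)
    return "fail", policy


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r"   # assumed record
    # Constructed case: the attacker's own domain passes SPF, but it does not
    # align with the forged From: domain, so DMARC fails and p=reject applies.
    spoof = AuthResults("corp.example", "pass", "mailer-attacker.example", "none", "")
    print(dmarc_disposition(RECORD, spoof))   # ('fail', 'reject')
```

The case worth internalizing is the spoof one: SPF reports pass, because the attacker's MAIL FROM domain really does authorize the attacker's server, and the message still fails DMARC because that domain is not the one in From:. Strict alignment (aspf=s) also rejects a legitimate bounce subdomain such as bounce.corp.example, which is why most domains stay on relaxed alignment unless they have a reason not to.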
Real-World Attack Scenarios
- CEO fraud (BEC) — Attacker spoofs the CEO's email address asking finance to wire funds urgently
- Bank impersonation — Spoofed email from your bank's customer-service address asking you to confirm your password
- Vendor fraud — Spoofed supplier email with updated banking details for invoice payment
- IT helpdesk impersonation — Spoofed internal IT email asking for VPN credentials
How to Check If an Email Is Spoofed
- Open the email's raw headers ("Show original" in Gmail, "View source" in Outlook)
- Check the Received: chain. It shows the actual path the email traveled; each server prepends its own line, so the top entries were added by your own mail servers and are the only ones you can trust, since the sender can fabricate anything below them
- Look for Authentication-Results:, added by your receiving server. It shows the SPF, DKIM, and DMARC pass/fail verdicts; dmarc=fail on the From: domain is the clearest single signal of spoofing
- Compare the Return-Path: with the displayed From:. A mismatch is suspicious, though mailing lists and bulk-mail providers legitimately use their own Return-Path, so treat it as a prompt to look harder rather than proof
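The checks above, as an added example that is not code from the original page: a Python script that parses raw headers with the standard library, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results:, compares the Return-Path: domain with the From: domain, and lists the Received: chain nearest hop first. Both messages are constructed samples; corp.example and mailer-attacker.example are hypothetical domains.

```python
"""Triage the raw headers of a suspicious message (added example)."""
from __future__ import annotations

import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From: claims the CEO, but the envelope and the last hop
# belong to a domain the attacker controls, and the receiving MX recorded dmarc=fail.
SPOOFED = b"""Return-Path: <bounce@mailer-attacker.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by inbox.corp.example with ESMTPS id 1a2b3c; Mon, 1 Jan 2024 09:00:01 +0000
Received: from mailer-attacker.example (unknown [203.0.113.5])
 by mx.corp.example with ESMTP id 4d5e6f; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mailer-attacker.example;
 dkim=none;
 dmarc=fail header.from=corp.example
From: "CEO" <ceo@corp.example>
To: finance@corp.example
Subject: Urgent wire transfer

Please wire the funds today.
"""

# Constructed sample: a legitimate internal message, for contrast.
LEGIT = b"""Return-Path: <ceo@corp.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by inbox.corp.example with ESMTPS id 7g8h9i; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example;
 dmarc=pass header.from=corp.example
From: "CEO" <ceo@corp.example>
To: finance@corp.example
Subject: Q1 numbers

Attached.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def domain_of(header_value: str | None) -> str:
    """Domain part of an address header, lower-cased; '' when absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict[str, str]:
    """First spf=/dkim=/dmarc= verdict found in the Authentication-Results headers."""
    found: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            found.setdefault(method.lower(), verdict.lower())
    return found


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    # Each hop prepends its Received: line, so index 0 is the hop nearest to
    # you. Only lines added by your own servers are trustworthy; the sender
    # can fabricate everything below them.
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]

    findings = []
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From: domain")
    if auth.get("dkim") in (None, "none") and auth.get("spf") != "pass":
        findings.append("neither SPF nor DKIM authenticated the message")
    if return_path_domain and return_path_domain != from_domain:
        # Common for mailing lists and bulk senders, so a hint rather than proof.
        findings.append(f"Return-Path domain {return_path_domain} differs from From: domain {from_domain}")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "received": received,
        "findings": findings,
        "suspicious": auth.get("dmarc") == "fail" or len(findings) >= 2,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = triage(raw)
        print(label, result["suspicious"], result["findings"])
```

Note that the spoofed sample shows spf=pass: the attacker's server is a legitimate sender for mailer-attacker.example, which is all SPF checks. The damning verdict is dmarc=fail, recorded by your own MX against the From: domain, which is why the script weights that header above the Return-Path mismatch.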
People Also Ask
- Can my domain be spoofed without my knowledge?
- Yes. Unless your domain publishes a DMARC record with an enforcing policy, anyone can put your domain in the From: header and most receivers will deliver the message. You would not know unless you publish DMARC with aggregate reporting enabled (the rua= tag, pointing at a mailbox you control), which asks participating receivers to email you XML reports summarizing, per sending IP address, how much mail claiming your domain passed or failed authentication. A record of the form v=DMARC1; p=reject; instructs receiving servers to refuse messages that fail both aligned SPF and aligned DKIM. Because that applies to your own mail as well, move to p=reject only once your reports show every legitimate sending source passing; p=none (monitor only) and p=quarantine are the usual intermediate steps.
- Is email spoofing illegal?
- Yes, in most jurisdictions. In the US, the CAN-SPAM Act prohibits false or misleading header information in commercial email. When combined with fraud (business email compromise), spoofing carries significant criminal penalties. The FBI's IC3 reports billions of dollars in BEC losses annually, and BEC is consistently among the most financially damaging cybercrime categories it tracks.
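What the aggregate reports mentioned in the first question look like, and how to get a usable summary out of one, as an added example that is not code from the original page: the XML below is a constructed sample in the aggregate-report format of RFC 7489, with hypothetical domains receiver.example and corp.example, and the code totals mail per source IP and lists the sources that failed DMARC.

```python
"""Summarize a DMARC aggregate (rua) report (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report. auth_results holds the raw SPF/DKIM verdicts;
# policy_evaluated holds the aligned verdicts DMARC actually acts on.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20240101-1</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>corp.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>corp.example</domain><result>pass</result></dkim>
      <spf><domain>corp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>37</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results>
      <spf><domain>mailer-attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Per-source DMARC outcome plus totals for one aggregate report."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        sources[ip] = {
            "count": int(rec.findtext("row/count") or 0),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # DMARC passes when either aligned identifier passes.
            "dmarc_pass": dkim == "pass" or spf == "pass",
            # Raw results show which domain the sender actually authenticated.
            "raw_spf_domain": rec.findtext("auth_results/spf/domain"),
            "raw_dkim_domain": rec.findtext("auth_results/dkim/domain"),
        }
    total = sum(s["count"] for s in sources.values())
    failed = sum(s["count"] for s in sources.values() if not s["dmarc_pass"])
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failed": failed,
        "unauthorized_sources": sorted(ip for ip, s in sources.items() if not s["dmarc_pass"]),
        "sources": sources,
    }


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(summary["domain"], summary["policy"], summary["total"], summary["failed"])
    for ip in summary["unauthorized_sources"]:
        print("failed DMARC:", ip, summary["sources"][ip])
```

The second record is the one to act on: the source at 203.0.113.5 passed SPF for mailer-attacker.example, but that domain does not align with the corp.example From: header, so the aligned spf element is fail and the receiver rejected the mail. Before enforcement, the same listing is how you find legitimate senders (a ticketing system, a marketing provider) that you forgot to cover with SPF or DKIM.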
Related: SPF records | DKIM explained | DMARC policy