Email Spoofing
Email spoofing refers to email messages with a forged sender address, crafted so that the message appears to come from a source other than the real one, possibly one that does not exist at all. Spammers use such messages to harvest information from users and their networks, and some of them carry malware, so spoofed mail is a genuine security risk.
How to Prevent Email Spoofing
1. Sender Policy Framework (SPF)
SPF identifies which mail servers are authorized to send email on behalf of your domain, which prevents spammers from sending forged messages that appear to originate from it. When an SPF record is published, the receiving server can verify whether an email came from an authorized server: it looks up a TXT record in your domain's DNS that lists the permitted sending hosts and IP addresses and compares the connecting server against it. Depending on the SPF policy (the qualifier on the record's final "all" mechanism), an email from an unlisted host may pass (accepted), softfail with "~all" (typically moved to spam), or fail with "-all" (rejected).
2. DomainKeys Identified Mail (DKIM)
DKIM uses cryptographic keys to sign outgoing email; receiving mail servers verify the signature with the public key published in DNS. This verification ensures that the signed parts of the message were not altered in transit. An email signed with DKIM carries a DKIM-Signature header that records which header fields were signed, a hash of the message body, and the signature itself. The signature is computed over those hashes with the private key, which is known only to the owner of the sending domain. Once the recipient server validates the signature against the domain's public key and confirms the hashes match, the message is considered authentic.
3. Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC provides anti-spoofing protection by building on SPF and DKIM: it checks that the domain in the visible From: header aligns with the domain that SPF or DKIM actually authenticated. It lets the domain owner control how mail claiming to be from their domain is handled by publishing a DMARC policy in DNS. That policy instructs a receiving server to either move the email to spam (quarantine) or reject it when validation fails. ISPs that support DMARC also generate reports on sending activity for your domain, giving you comprehensive insight into who is sending email on your behalf and whether those messages are signed with DKIM or pass SPF.
How to Identify Spoofing
The simplest way to recognize spoofing is by examining the email header. The header is crucial because it reveals the IP address of the computer that sent the email. Each mail server that handles the message prepends its own Received: line, so to find the original sender look at the earliest Received: header, which is the bottom-most one in the list (in the example below, the line ending in "with HTTP"). Bear in mind that Received: lines added before the message reached your own mail server can themselves be forged by the sender; only the lines added by servers you trust are reliable. The Return-Path or Reply-To fields also indicate the originating email address. An example is shown below:
From: Media Temple user (mt.kb.user@gmail.com)
Subject: article: How to Trace an Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
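The header triage described above, as an added example that is not part of the original article: it walks the Received: chain from the origin hop upward, picks out the first address that is not an internal relay, and compares the From: domain with the Return-Path domain the way DMARC alignment does. The two header samples are constructed (the first is modelled on the excerpt above, the second uses reserved placeholder addresses).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header excerpt above (not a captured message);
# Received: lines appear newest-first, exactly as a mail client shows them.
SAMPLE = """From: Media Temple user <mt.kb.user@gmail.com>
Return-Path: <mt.kb.user@gmail.com>
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
"""

# Constructed spoofing case: the visible From: claims example.com, the envelope sender does not.
SPOOFED = """From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce@bulk-sender.invalid>
Received: from mail.bulk-sender.invalid ([203.0.113.9]) by mx.example.com with esmtp; Tue, 25 Jan 2011 15:31:01 -0700
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Internal relay ranges to skip while looking for the first external hop.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_chain(raw):
    """Received: headers oldest-first. Every relay prepends its own line, so the
    bottom-most header in the raw message is the first hop (the origin)."""
    hops = message_from_string(raw).get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]

def originating_ip(raw):
    """First non-internal IPv4 address seen walking the chain from the origin. Hops
    added before the message reached your own MX can be forged by the sender."""
    for hop in received_chain(raw):
        for ip in IPV4.findall(hop):
            try:
                if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
                    return ip
            except ValueError:  # four dotted numbers inside an id string, not an IP
                continue
    return None

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def sender_alignment(raw):
    """Header From: domain vs Return-Path: (envelope sender) domain, the identifier
    alignment DMARC enforces (strict equality here; relaxed mode accepts subdomains)."""
    msg = message_from_string(raw)
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    return from_dom, rp_dom, from_dom == rp_dom
```

A mismatch from sender_alignment is a lead rather than proof, since mailing lists and bulk providers legitimately rewrite the envelope sender.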