Dealing with Email Spoofing
Email Spoofing is when a spammer forges your email address and uses it to send out emails FROM YOU that you didn’t send. It's also called Email Forgery and this article deals with how you can stop that from happening.
Imagine Email as Snailmail... Is this letter really from who it says it's from?
How do they do that?
Simple. They put YOUR email address down as the From: address instead of their own! It works exactly the same way for traditional mail.
Why do they do that?
By using your respectable email address, they know that recipients are more likely to open the email. And, since it's from YOU and not them, they're less likely to be caught.
How do I know if my email address has been spoofed/forged?
You probably won't until some of these emails bounce back to you; this will happen when someone on the spammer's address list has closed down their email address. Since the email can't be delivered, it's bounced back to the Sender as a "mail delivery failure". And that's YOU - because the forger used a small piece of code to insert your email address into the hidden sender (envelope From:) record which identifies the Sender in every email.
Another way you might find out that your email address has been forged is when someone you know is on the spammer’s address list and they ring you asking why you are sending them junk.
Has my email account been hacked?
It's unlikely, because email forgery doesn't require access to your email account. It's just a simple piece of code that puts a From: email address into any email sent by anyone from anywhere. (With a physical letter, you could spoof the From: address by just writing it out on the back of the envelope.) Even a baby hacker would know how to do this.
A spoofed/forged account is very rarely a hacked account.
If your email has been hacked - well, that's a different thing altogether. It means someone or something - a person, virus, trojan or other malware - has gained access to your email account. You'll know because you'll either be locked out of your own account and/or EVERYONE in your address book will get in touch about the spyware, viruses and malware sent from your (hacked) account to theirs.
Is Spoofing a common problem?
Yes, especially if you have a domain email address - meaning your email and webhosting correspond to the same domain. In plain English - you have a domain like mysite.com that you use for webhosting, and your email addresses also end with @mysite.com. In general:
- Spoofed accounts are more common with domain email addresses and
- Hacked accounts are more common with hosted mail providers like gmail, yahoo and hotmail.
What can I do if my Email Address has been forged?
If you want to prevent your domain email address from being spoofed (forged), the first thing to do is to check if you have the following records set up on your domain:
- SPF (Sender Policy Framework) record
- DKIM (Domain Keys Identified Mail) record
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) record
SPF, DKIM and DMARC records help prevent email forgery/spoofing by letting receiving mail servers detect and reject mail that falsely claims to come from your domain. You should set up SPF and DKIM first. If all works well, then set up DMARC.
More about SPF
Emails are always routed through various mail servers to reach their final destination. Each mail server will automatically add its host address and IP address to the email headers. That gives us a record that we can trace back to the originating mail server. Genuine mail servers will check the envelope From: address, and ask for an SPF record from that email's domain. If an SPF record exists it will contain the address of the real mail server(s) that you approve to send your emails.
If there is no SPF record associated with your domain - then no test is made - and the forged email has a far greater chance of reaching its destination.
With an SPF record, the address of your stated, trusted originating mail server(s) is always compared against the originating mail server’s address information in the email headers. If they don't match (and they won't if they've been spoofed), it’s easy to spot and dump out a forged email. That email will not be delivered, thereby frustrating the spammer’s efforts.
More about DKIM
Whereas SPF checks the IP address of all allowed originating mail servers, DKIM places a cryptographic signature into the email itself (in the message headers, which are not visible unless you view the message source). If the signature is missing, or has been forged, the DKIM check fails. This works because when you set up DKIM on the mail server, 2 cryptographic keys are generated - a public key and a private key. The private key is used to "sign" emails sent out by you. The receiver of the email then checks the cryptographic signature in the email received from you against the public key that you publish in your domain's DNS. If all is well, the email passes the check, otherwise it fails. A spammer cannot generate the correct signature required by DKIM without access to the private key.
More about DMARC
Be sure to set up SPF and DKIM before you set up DMARC. DMARC is the simplest concept of the three. It just means - what should the receiving mail server do with the email if it fails the SPF/DKIM checks? DMARC is your organisation's policy around email and its purpose is to maintain a good domain reputation. What does that mean? Well, if a spammer is regularly using your email addresses to deliver spam, you will lose domain reputation. Then when you try to send genuine emails, other mail servers may decide to deliver your mails to the junk folder of the recipients based on your domain's poor reputation. So DMARC really does matter. Using DMARC you can choose to:
- Do nothing
- Deliver the email, but to the spam folder of the recipient
- Don't deliver the email (bounce it back to yourself) - this is the best choice once you're sure everything is working as intended
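To make the SPF check and the DMARC decision described above concrete, here is an added example (not code from the original article) that evaluates a sending server's IP against a domain's SPF record and then applies the domain's DMARC policy. The DNS records and IP addresses are constructed sample data, assumed in place of real DNS lookups.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (offline sample data).
DNS_TXT = {
    "mysite.com": "v=spf1 ip4:203.0.113.10 include:_spf.example-host.com -all",
    "_spf.example-host.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.mysite.com": "v=DMARC1; p=reject; rua=mailto:dmarc@mysite.com",
}

def spf_result(domain, sender_ip, depth=0):
    """Walk the SPF record for `domain` left to right and return the verdict
    for the connecting IP: 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:   # no record (no test is made)
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":                                # catch-all at the end
            return verdict
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return verdict
        # include: another domain's record (e.g. your hosting or gmail servers)
        if mech == "include" and spf_result(arg, sender_ip, depth + 1) == "pass":
            return verdict
    return "neutral"

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if there is none."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")

def dmarc_disposition(domain, spf, dkim_pass):
    """DMARC passes if SPF or DKIM passes for the From: domain;
    otherwise the domain owner's published policy decides what happens."""
    if spf == "pass" or dkim_pass:
        return "deliver"
    policy = dmarc_policy(domain)
    actions = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    return actions.get(policy, "deliver (no DMARC record)")
```

With the sample records, a message from 192.0.2.5 claiming to be from @mysite.com fails SPF and, with no DKIM signature, is rejected under the p=reject policy.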
Can I check if I have SPF, DKIM and DMARC records?
Sure! Go to https://www.learndmarc.com/ and you will be asked to send an email. Open your email program, and choose the domain email address that you want to test. Then in the To: field, put in the address they ask you to send it to.
You may need to wait patiently, up to 2 minutes. The bot will then test your SPF, DKIM and DMARC records, explaining to you as it goes along and giving you instructions. It also teaches you a little about these records as you go along.
If you've failed the test, you can copy and paste the final result to the admin of your mail server asking them to create those records for you. If you are using the mail server associated with your web hosting account, then email the web host support. If your mail server is on the cloud (eg Microsoft365/Google Workspace), then ask your technical support to add the records. Once they do this for you, remember to wait 24h before using the learndmarc bot to check again as the domain name system (DNS) may not yet have updated your new records to other servers around the world.
Although webhosting companies will offer mail servers along with web hosting, a typical setup for businesses I work with is to have their website www.mysite.com hosted by the webhosting company but their email @mysite.com hosted by Microsoft365. In situations like these, the SPF, DKIM and DMARC records need to be set up on Microsoft365, because that's where their mail server is hosted.
Gotchas
The main gotchas are around SPF records. If you incorrectly set up SPF records, you could end up with none of your own emails being delivered! Get a professional to do it for you, and make sure you understand the gotchas below.
- An SPF record only protects emails from its own domain
  - If your domain is mysite.com, then only email addresses @mysite.com are protected
- The SPF record must include every mail server that handles your email
  - That includes the address of the gmail smtp server if you happen to redirect domain email to your gmail account. If you think about that for a minute, it's easy to understand. You receive your domain email into your gmail account, and then you reply to it. Who's the originating mail server when you reply from gmail? Yes! The gmail mail server. So include that in your SPF record.
- Be sure you know which mail server(s) is responsible for sending your email
  - This can be a real problem when people set up their email program on their laptop and unwittingly use their broadband provider's mail server (smtp) address instead of their domain mail server address. Another common problem is companies who use an Exchange Server in the office to send their email, or cloud hosted mail servers like Microsoft365 and Google Workspace. In those cases the SPF record needs to point to where the mail server is, since that is the originating mail server address.
Some Q&A
No, individual free gmail accounts are not domain based email accounts, they are hosted email accounts. That means you have no access to add records. But, as it happens, all free gmail hosted accounts do have SPF and DKIM records built in.
Yes you should, if they are domain based emails (meaning: they don't end in gmail.com or outlook.com). Use the test at learndmarc.com and if it fails your admin/tech can follow these directions in Microsoft365 and these ones in Google Workspace.
Let's say you have a domain at mysite.com with 3 email addresses that only you use - eg you're a sole trader - then you only need to test one of them, assuming they've all been set up the same way. On the other hand, if three employees had an email address each, like