What is Email Spoofing anyway?

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Spammers spoof mail headers in emails to increase the spam message’s seeming legitimacy: you’re more likely to open email that purports to come from a person or a company you know than email that comes from a total stranger.

It’s a real nuisance.

If your email has been spoofed, there is a chance you would not even realize it. However, it’s more likely that you will know because any bounced emails will come back to your inbox – and they could come by the hundreds. This does not necessarily mean your computer or email account has been compromised — no one has actually logged in and sent an email from it in this case (although that does happen as well) – the spammer is “spoofing” your account.

What can be done about it?

Email spoofing is a growing problem and has reached the point where you cannot rely on the information displayed in your email to tell you who really sent a message. Some jurisdictions have enacted laws against this form of “email identity theft,” but the more effective solution is apt to be a technological one that makes it possible to authenticate the senders of email messages.

The technologies listed below all seek to verify that every email message originates from the Internet domain from which it claims to have been sent. This is accomplished by checking the address of the server that sent the mail against a registered list of servers that the domain owner has authorized to send email. This is performed by the Internet Service Provider (ISP) and can be incorporated into the filtering tasks that are already performed by the mail server.

  • Sender Policy Framework (SPF)
  • Sender ID Framework (SIDF)
  • DomainKeys Identified Mail (DKIM)
  • Author Domain Signing Practices (ADSP)

Using these methods, emails can still be forged but they are much less effective because they are not getting through to the recipients. However, they only work if the recipient’s mail server checks for these protection mechanisms.

What should you do?

-> If you own a domain (website address) and send emails from that domain, you should communicate with your domain name registrar and/or DNS provider to determine what strategies are in place to protect you against email spoofers.

-> If you are the recipient of the email, you can write to the administrator or contact the owner of the domain and ask them to implement a protection strategy, but ultimately you need to rely on SPAM filtering, because it is the domain owners responsibility to use these technologies, not the recipients.

These protection strategies are all optional, and somewhat new technologies. Not everyone uses them, so they cannot be required. Plus, it doesn’t matter how much a sender does to protect himself, if the recipient’s mail server isn’t looking for these specific things.

However, these technologies are just more tools in the toolbox to fight email spammers. Our recommendation is to use as many as you have access to and can afford. Let us help you put measures in place to protect your email communications as much as possible. Your company’s reputation and credibility could be at risk. Give us a call at 888.323.3066.