Attackers carrying out email spoofing typically start by finding a poorly configured mail server that lacks SMTP protections. The best protection against email spoofing is therefore the set of frameworks developed to authenticate incoming messages: SPF, DMARC, and DKIM.

With about 3 billion domain-spoofing emails sent per day for phishing purposes, and phishing incidents almost doubling in frequency by the end of 2020, the FBI has recognized phishing as the most prevalent form of cybercrime today.

What is email spoofing?

Email spoofing is a technique used by spammers and phishers to trick email users into believing a message came from someone they know. Spoofers forge the message headers so that the recipient's mail client displays a trusted sender's address, leading recipients to open the email and believe its contents without hesitation or suspicion.

Email spoofing is mainly carried out for phishing, but it serves several other goals as well: hiding the sender's true identity, committing identity theft, posing as a legitimate business to gain access to protected data, damaging the impersonated sender's reputation, and evading spam blocklists.

Email Spoofing Prevention Tips

There are some things you can do as a user and administrator to help minimize email spoofing risks.

  • For email users
    Always check the sender's email address before clicking any link or following any instruction in an email. If something seems suspicious, contact your email provider or IT staff immediately, especially if the message carries attachments, which are often used for malware delivery.
  • For IT staff and administrators
    Attackers typically start by finding a mail server with an open Simple Mail Transfer Protocol (SMTP) port. Poorly configured servers likely lack SMTP protections, making them targets for cybercriminals. The best protection against email spoofing is therefore the set of frameworks developed to authenticate incoming messages: SPF, DMARC, and DKIM.

The Email Authentication framework

  • SPF - The Sender Policy Framework (SPF) lets a domain owner publish in DNS the list of IP addresses authorized to send mail for that domain, so a receiver can check whether the connecting server's IP is on that list. SPF only helps if the receiving server actually looks up the record and validates the sender against it.
  • DMARC - Domain-based Message Authentication, Reporting, and Conformance (DMARC) lets the sending domain tell receivers how to handle a message that fails the SPF or DKIM checks, and where to send reports about such failures. Because it only acts on the results of SPF and DKIM rather than authenticating anything itself, DMARC is an extra layer of protection and should not be used alone.
  • DKIM - The DomainKeys Identified Mail (DKIM) standard helps reduce the risk of email spoofing by giving senders a way to authenticate their messages. DKIM uses digital signatures to verify that an email came from a specific server and was not tampered with en route. Google recommends securing outgoing email with DKIM, along with SPF and DMARC. While Google applies DKIM by default, it also recommends generating your own DKIM domain key and using it for all outgoing messages.
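To make the SPF and DMARC checks described above concrete, here is an added Python example (not code from the original article or from any mail provider) that evaluates an SPF record for a connecting IP and then applies a DMARC policy, including SPF/DKIM identifier alignment. The domain names, IP addresses and TXT records in `DNS_TXT` are constructed sample data; `org_domain` approximates the organizational domain by taking the last two labels, and the DMARC lookup falls back to the organizational domain instead of honouring an `sp=` tag. Both are simplifications made for this example.

```python
import ipaddress

# Constructed DNS data (an assumption for this example; the article names no
# domains or addresses): DNS name -> TXT record, so everything runs offline.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Minimal SPF evaluator (RFC 7208) for the ip4, ip6, include and all
    mechanisms. Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                        # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # an IPv6 address never matches an ip4 network, and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"            # a, mx, exists, redirect: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched and no 'all' term


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. The real
    algorithm consults the Public Suffix List; this shortcut is an assumption."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def parse_dmarc(domain: str):
    """Return the tag dictionary of _dmarc.<domain>, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def dmarc_disposition(from_domain, mail_from_domain, spf_result, dkim_domain, dkim_result):
    """Combine the SPF result (for the envelope MAIL FROM domain) and the DKIM
    result (for the d= domain of a valid signature) with the From: domain's
    DMARC policy. Returns (dmarc_result, action); action is the p= value
    (none, quarantine or reject) when DMARC fails."""
    policy = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if policy is None:
        return ("none", "none")           # no DMARC policy: receiver decides on its own
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:                 # one aligned, passing identifier is enough
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))


if __name__ == "__main__":
    # A message claiming From: alice@example.com, delivered from three servers
    for ip, mail_from in [("192.0.2.55", "example.com"),
                          ("198.51.100.10", "example.com"),
                          ("203.0.113.9", "example.com")]:
        spf = check_spf(ip, mail_from)
        print(ip, mail_from, "SPF:", spf, "DMARC:",
              dmarc_disposition("example.com", mail_from, spf, None, "none"))
```

The third case in `__main__` is the spoofing scenario: the connecting IP is not in the published list, SPF returns `fail`, and because `_dmarc.example.com` says `p=reject`, the receiver has a policy basis for rejecting the message rather than just a hint. Without the DMARC record the same SPF failure would yield `("none", "none")`, which is why the article says the frameworks belong together.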
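DKIM's tamper detection rests on two values in the DKIM-Signature header: the `bh=` tag is a hash of the canonicalized body, and the `b=` signature covers the selected headers, `bh=` included. The following added Python example (not the article's code, and not Google's or any mail library's) implements the "relaxed" body canonicalization from RFC 6376 and the body-hash check that a verifier performs first. The sample message is constructed, and its `b=` value is a labelled placeholder: checking the RSA signature itself needs the signer's public key from DNS and a crypto library outside the standard library, so that step is intentionally not shown.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces and
    tabs to one space, drop trailing whitespace on each line, drop trailing
    empty lines, and end a non-empty body with CRLF. Assumes CRLF line ends."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body: str) -> str:
    """The value a signer places in the bh= tag (sha256 over the relaxed body)."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header. Whitespace inside
    values is removed, which is what the RFC requires for bh= and b=."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")   # first '=' only: base64 padding is kept
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(message: str) -> bool:
    """Check the bh= tag of the message's DKIM-Signature against the actual body.
    Only the rsa-sha256 + relaxed-body combination is handled; the l= tag
    (partial body length) is not supported."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        return False
    head = re.sub(r"\r\n(?=[ \t])", "", head)    # unfold continuation lines
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_dkim_tags(value)
            break
    else:
        return False                             # unsigned message
    if tags.get("a") != "rsa-sha256" or not tags.get("c", "simple/simple").endswith("/relaxed"):
        return False
    return tags.get("bh") == body_hash(body)


def sample_message(body: str) -> str:
    """Constructed message whose DKIM-Signature carries the correct bh= for
    `body`. The b= value is a placeholder, not a real signature."""
    return (
        "From: Alice <alice@example.com>\r\n"
        "To: Bob <bob@example.net>\r\n"
        "Subject: Quarterly report\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        " s=selector1; h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
        " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    msg = sample_message("Please review the attached invoice.\r\n")
    print("intact   :", verify_body_hash(msg))
    print("tampered :", verify_body_hash(msg.replace("invoice", "wire transfer")))
```

Relaxed canonicalization is what lets a legitimate message survive the whitespace changes relaying servers make, while any change to the words themselves still breaks the hash. In a full verifier a passing `bh=` is only the first step: the `b=` signature over the headers must then be checked with the key published under `<selector>._domainkey.<d=domain>`, and the `d=` domain is what DMARC aligns against the From: header.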