Email Spoofing

Tram Ho


Hello, and welcome back to this series on basic security. This time I will introduce Email Spoofing: sending email with a forged sender address. I will show how email spoofing can be dangerous for users.

Email is delivered over the Simple Mail Transfer Protocol (SMTP). SMTP itself does not authenticate the sender: both the envelope sender (MAIL FROM) and the From: header that the recipient sees are plain values chosen by the sending client, so attackers routinely send mail with a forged address to mislead the recipient about who sent it.

A common attack method is phishing: an attempt to trick users into handing over their login credentials. Phishing emails often warn the user that someone has tried to access their account and ask them to change their password immediately.

However, the password-change link leads to a malicious website with a Gmail-like interface.

The user is then asked to enter the current password, which is stored in the attacker's database. The site then redirects to the real password-reset page, so the user suspects nothing.

Protection against phishing email depends largely on your email service provider; providers devote a lot of resources to detecting spam and malicious email.

Risks due to spoofing

In general, this is a very common and dangerous form of fraud. A large majority of email sent over the internet is spam, and most spam uses forged sender addresses. If your domain is being used in spam messages, spammers may be exploiting it against your users to:

  • Steal their login credentials with phishing messages.
  • Exploit users' trust in your website to commit fraud.
  • Distribute malware by sharing malicious files.
  • And so on.


As the domain owner, you should prevent your domain from being used in spam with both of the following methods:

1. Deploy Sender Policy Framework (SPF):

Publish DNS records that specify which servers are allowed to send email for your domain.

By adding an SPF record to your domain's DNS, you state which servers are allowed to send email from your domain. A receiving server looks up that record, compares the connecting server's IP address against it, and can then flag or reject forged email sent from anywhere else.
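As an added example (not code from the original post), here is a minimal SPF evaluator of the kind a receiving server runs when mail arrives. It assumes a constructed table of TXT records in place of real DNS lookups, uses documentation domains and addresses, and implements only the ip4, ip6, include and all mechanisms; a, mx, exists, ptr and redirect= are reported as unsupported. It also enforces the ten-lookup limit, which is what stops a self-including record from looping forever.

```python
import ipaddress

# Constructed TXT records that stand in for DNS lookups (assumption: a real
# checker queries DNS; these are documentation domains and addresses).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(domain, client_ip, _lookups=None):
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) for a
    connection from `client_ip`. Returns (result, explanation).
    Only ip4, ip6, include and all are implemented; a, mx, exists, ptr and
    the redirect= modifier are reported as permerror in this example."""
    ip = ipaddress.ip_address(client_ip)
    lookups = _lookups if _lookups is not None else [0]  # shared across includes
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none", f"{domain}: no SPF record"
    for term in record.split()[1:]:
        qualifier = "+"  # no prefix means "+" (pass on match)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return "permerror", f"{domain}: redirect= not supported here"
            continue  # unknown modifiers are ignored (RFC 7208 section 6)
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIER_RESULT[qualifier], f"{domain}: matched {qualifier}all"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", f"{domain}: malformed {name}:{value}"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier], f"{domain}: matched {name}:{value}"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", f"{domain}: more than {MAX_LOOKUPS} DNS lookups"
            sub, why = check_spf(value, client_ip, lookups)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier], f"{domain}: include:{value} matched"
            if sub in ("permerror", "none"):
                return "permerror", f"{domain}: include:{value} -> {why}"
            if sub == "temperror":
                return "temperror", f"{domain}: include:{value} -> {why}"
            # fail, softfail or neutral from the included record: no match, continue
        else:
            return "permerror", f"{domain}: mechanism {name} not supported here"
    return "neutral", f"{domain}: no mechanism matched"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::5", "203.0.113.9"):
        print(ip, check_spf("example.com", ip))
    print("loop.example", check_spf("loop.example", "192.0.2.1"))
```

Two caveats worth keeping in mind when you publish a record. SPF authorizes the domain in the SMTP envelope (MAIL FROM), not the From: header the user sees, so an attacker who passes SPF for a domain they own can still put your address in From:; that gap is what DMARC alignment closes. And `~all` only produces a softfail, which most receivers still deliver; `-all` is the setting that lets receivers reject forged mail outright.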

2. Deploy DomainKeys Identified Mail (DKIM):

With DomainKeys Identified Mail (DKIM), you can prove that an email was genuinely sent by your domain and that it has not been modified in transit.

DKIM adds a digital signature to the message in a DKIM-Signature header, computed with a private key held by your mail server; the matching public key is published in DNS under your domain. The recipient looks up that key and checks the signature on receipt to verify that the message is authentic and that the signed headers and body have not been tampered with.

There is also a standard you should know called Domain-based Message Authentication, Reporting & Conformance (DMARC). It builds on SPF and DKIM: it requires the domain that passed SPF or DKIM to align with the From: header the user actually sees, tells receivers what to do with mail that fails (none, quarantine or reject), and lets you receive reports about mail claiming to come from your domain.
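The following is an added example, not code from the original post, covering both the DKIM paragraph above and DMARC. It implements the body-integrity half of DKIM verification (parsing the DKIM-Signature tags, canonicalizing the body and checking the bh= hash) and the DMARC alignment and policy decision. It does not verify the b= signature over the headers, which would need the public key from the selector record in DNS and an RSA or Ed25519 library. The message, its domains and the DMARC records are constructed for the example, and the organizational-domain rule is simplified to the last two labels where a real verifier consults the Public Suffix List.

```python
import base64
import email
import email.policy
import hashlib
import re


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, the syntax shared by DKIM-Signature
    headers, DKIM key records and DMARC records. Folding whitespace is removed
    from b= and bh= values, which mailers wrap across lines."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, _, val = item.partition("=")
        tag = tag.strip()
        tags[tag] = "".join(val.split()) if tag in ("b", "bh") else val.strip()
    return tags


def canonicalize_body(body, mode):
    """Body canonicalization (RFC 6376 sections 3.4.3 and 3.4.4): 'relaxed'
    collapses runs of SP/TAB and strips trailing whitespace on each line; both
    modes drop trailing empty lines and end the body with exactly one CRLF."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    return body.rstrip(b"\r\n") + b"\r\n"


def body_hash(body, mode):
    """The bh= value: base64(SHA-256(canonicalized body)) for rsa-sha256 and ed25519-sha256."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def verify_body_hash(raw):
    """Check the bh= tag of the first DKIM-Signature header against the body.
    The b= signature over the headers (needs the public key from
    <s>._domainkey.<d>) is NOT checked here. Returns (ok, explanation)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no header/body separator"
    msg = email.message_from_bytes(head + b"\r\n\r\n", policy=email.policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False, "no DKIM-Signature header"
    tags = parse_tags(str(sig))
    if tags.get("v") != "1" or not tags.get("bh") or not tags.get("d"):
        return False, "malformed DKIM-Signature"
    if tags.get("a", "rsa-sha256") not in ("rsa-sha256", "ed25519-sha256"):
        return False, f"unsupported or obsolete algorithm {tags.get('a')}"  # rsa-sha1 is withdrawn by RFC 8301
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_hash(body, body_mode) != tags["bh"]:
        return False, f"body hash mismatch for d={tags['d']}: body was altered"
    return True, f"body hash verified for d={tags['d']}"


def organizational_domain(domain):
    """Assumption: last two labels. A real verifier uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(from_domain, dmarc_record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). DMARC passes only if at least one
    authenticated identifier (SPF's MAIL FROM domain or DKIM's d= domain)
    aligns with the From: header domain the user sees."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none", "none"  # no policy published: receiver takes no DMARC action
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")  # p=none, quarantine or reject


# Constructed phishing-style message; bh= is computed as a signer would,
# b= is left empty because no signing key is involved in this example.
SAMPLE_BODY = (b"Hello,\r\n\r\nSomeone tried to sign in to your account.\r\n"
               b"Reset your password at https://example.com/reset\r\n\r\n\r\n")


def build_sample(body):
    headers = ("From: Example Security <security@example.com>\r\n"
               "To: user@example.net\r\n"
               "Subject: Unusual sign-in attempt\r\n"
               "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=s1;\r\n"
               " h=from:to:subject; bh=" + body_hash(body, "simple") + ";\r\n b=\r\n")
    return headers.encode() + b"\r\n" + body


if __name__ == "__main__":
    sample = build_sample(SAMPLE_BODY)
    print(verify_body_hash(sample))
    print(verify_body_hash(sample.replace(b"example.com/reset", b"evil.example/reset")))
    # Attacker passes SPF for a domain they own, but it does not align with From:
    print(dmarc_evaluate("example.com", "v=DMARC1; p=quarantine", "pass", "attacker.example", "none", ""))
```

The last call in the main block is the case the phishing scenario above relies on: the attacker's own domain passes SPF, but because it does not align with the From: domain, DMARC fails and the published p= policy applies. Note also that the bh= check is only meaningful once the b= signature has been verified against the key in DNS; on its own it shows that the body matches what the signer hashed, not who the signer was.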

Applying these technologies also makes the legitimate email you send less likely to be marked as spam.


Implementing SPF and DKIM requires publishing new DNS records and configuring your technology stack; refer to the documentation of your email service or software for details. Below are notes for some of the more common email delivery methods.

Transactional Email Services

Transactional email is sent programmatically in response to web or app actions. If your website sends transactional email (for example, during registration or password reset), you need to make sure it is authenticated. Each of the major transactional email services documents how to set up SPF and DKIM for your domain.

Email Marketing Services

Email marketing services send mass email to mailing lists. If you use such a service, you need to ensure that the email it sends on your behalf is authenticated, which means adding the SPF and DKIM records the service asks for to your domain.

Mail Transfer Agents

System administrators run a Mail Transfer Agent (MTA). The most common MTAs are Microsoft Exchange (on Windows) and Sendmail / Postfix (on Linux); each has its own way of attaching DKIM signatures to outgoing mail.


That was a basic introduction to Email Spoofing; I hope it is useful for you. Happy coding!!!


Source : Viblo