Email spoofing is when the email header's "From:" line is modified to something other than the actual original sender. A common sign that your email address is being spoofed is getting tons of spam return messages (like Failure Notification or Mailer Daemon) for emails you never sent.
A standard SMTP server does not verify the "From:" header, so a sender can set it to any address. This was built in as a convenience so the address shown to the recipient is easy to read (like "sample@aeserver.com"). Spammers often abuse this feature to mask where they are really sending from.
The Mechanisms of Spoofed Emails
There are two common impersonation methods frequently used by cybercriminals. For illustrative purposes, let us say the person in a position of authority we wish to impersonate is John Joe, and his email address is johnjoe@aeserver.com:
- Method #1 – Email Address Spoofing: John's email address and his name are both spoofed on an incoming email, so that the sender appears to be: John Joe <johnjoe@aeserver.com>.
- Method #2 – Display Name Spoofing: Only John's name is spoofed, but not the email address: John Joe <randomemail@gmail.com>.
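As an added example (not part of the original article), the following Python snippet shows how a receiving side can tell the two methods apart. Method #2 is caught by comparing the display name against an address book; Method #1 looks identical to a genuine message in the "From:" line, so the code falls back to the Authentication-Results header that the receiving mail server adds after checking SPF/DKIM/DMARC. The address book, the domain aeserver.com, and the three sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed address book: display name (lower-cased) -> the address we know for
# that person. johnjoe@aeserver.com is the example address used in the text above.
KNOWN_CONTACTS = {"john joe": "johnjoe@aeserver.com"}
OUR_DOMAIN = "aeserver.com"


def classify_from(raw_message, known_contacts=KNOWN_CONTACTS, our_domain=OUR_DOMAIN):
    """Classify the From: line of an incoming message.

    Returns one of:
      'display-name-spoof'      - Method #2: a familiar display name on a foreign address
      'address-spoof-candidate' - Method #1: our domain in From:, but the receiving
                                  server's authentication results report a failure
      'ok'                      - nothing suspicious found in the From: line
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    name_key = " ".join(display_name.split()).lower()  # normalise whitespace and case
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    expected = known_contacts.get(name_key)
    if expected is not None and expected != address:
        return "display-name-spoof"

    if domain == our_domain:
        # Method #1 cannot be detected from the From: line alone: the address is exactly
        # what a genuine message would carry. Use the Authentication-Results header that
        # the receiving server added after evaluating SPF/DKIM/DMARC.
        auth = str(msg.get("Authentication-Results", "")).lower()
        if any(marker in auth for marker in ("spf=fail", "dkim=fail", "dmarc=fail")):
            return "address-spoof-candidate"
    return "ok"


# Constructed sample messages (not real mail), one per method described above.
METHOD_2 = (
    "From: John Joe <randomemail@gmail.com>\n"
    "Subject: Urgent payment\n\n"
    "Please process the attached invoice today.\n"
)
METHOD_1 = (
    "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=johnjoe@aeserver.com\n"
    "From: John Joe <johnjoe@aeserver.com>\n"
    "Subject: Urgent payment\n\n"
    "Please process the attached invoice today.\n"
)
GENUINE = (
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=johnjoe@aeserver.com;"
    " dkim=pass header.d=aeserver.com\n"
    "From: John Joe <johnjoe@aeserver.com>\n"
    "Subject: Weekly report\n\n"
    "Attached as usual.\n"
)

if __name__ == "__main__":
    for label, sample in (("method 2", METHOD_2), ("method 1", METHOD_1), ("genuine", GENUINE)):
        print(f"{label}: {classify_from(sample)}")
```

The display-name check will flag a genuine contact who writes from a second, personal address, so the address book should list every address a person legitimately uses; the Authentication-Results check is only meaningful when your own mail server (not the sender) adds that header.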
How Do I Stop Someone From Spoofing My Domain?
Unfortunately, it is not possible to stop someone from using your email address as the from address. The from address on an email works like the return address on a physically mailed letter or package: you can write any "from" address on a letter sent through the normal post office, and the post office does not check whether the return address is real. Email works the same way.
Email spoofing does not mean your email account has been compromised. The spoofer sends the message through a different server, not the server where your mailbox is hosted. They only make it look like a legitimate email; a close look at the email header will show that it is fake or spoofed.
The first and last line of defence is your users. They need to be vigilant and be prepared to identify emails using the Display Name Spoofing technique. Sadly, this is prone to human error as your users may not verify the full details of every single incoming email under certain circumstances – like in stressful situations such as fast-approaching deadlines or lack of attention to detail.
Here are the recommendations to secure your accounts, devices and avoid being a victim of spoofed emails:
- Change the passwords of all email accounts frequently. Ensure each new password has a minimum length of eight characters and uses a mixture of upper and lower case letters, numbers, and special characters.
- Verify that your operating system is running with the latest security updates. Avoid using operating systems that have reached the end of life such as Windows 7, Windows XP, etc.
- Update your anti-virus software and conduct a full scan of your system to ensure that your device is safe from malware.
- Make sure email programs connect using SSL (TLS) encryption.
- Don't click any links in emails claiming to be from Webmail/cPanel. Educate users about spam and phishing emails and how to tell which is legitimate and which is not.
- Avoid connecting to public Wi-Fi networks, as they are usually unsafe.
- Users can confirm through another channel, such as SMS, a phone call or social media, that the sender really sent the email.
There are methods to help alleviate the issue; they are discussed below.
What Happens When an Email is Spoofed?
When an email is sent with a from address on your domain and it bounces, the bounce is sent to our servers, which attempt to deliver it to that mailbox. Generally, you will never see these messages; however, if the spoofer happens to set the "From:" header to a real mailbox, the bounce will be delivered to that mailbox and you will receive it.
Luckily, spam filters and ISPs know this and do not penalize people based on the from address. They instead use IP addresses and other indicators to decide whom to ban. So unless the spam is coming from your email account, server or hosting account, you will not be penalized for someone spoofing your email address. Individual users can still filter or block your email address, but modern spam filters do not work that way.
These spoofers are tracked down through the server they originally authenticated to and sent from. That server gets reported to ISPs and Email Realtime Black Lists (RBLs), and the spoofed emails stop.
How to Minimize the Email Spoofing
There are two methods to deal with email spoofing: creating a catchall or creating an SPF record. The catchall (Default Address) resolves the issue only on a short-term basis and is not recommended otherwise. Creating an SPF record is the best long-term solution: receiving mail servers check the record in DNS and can reject messages from servers that are not authorized to send mail for your domain.
Partial Solution
If you have Default Address enabled, you can set every catchall to ":fail: no such address here". This stops the bounce-backs, but the underlying problem is not solved.
If you do not have Default Address enabled, you do not need to make this adjustment, since our system is automatically set to return messages with the ":fail: no such address here" response.
Full Solution
You will need to create an SPF record to resolve the issue fully. An SPF record is an entry added to the DNS zone for a domain. This record verifies that a user has permission to send mail from a domain, preventing email from being spoofed for your domain.
How to Create an SPF Record
Creating an SPF record lets receiving servers verify that a sending server has permission to send mail for your domain. This is used to prevent email spoofing for your domain. There are several ways to create this record, whether or not you are using cPanel or WHM.
cPanel and Plesk Hosting Users
SPF is automatically added in cPanel and Plesk hosting. You can confirm this in your cPanel > Email Deliverability or Plesk > DNS Settings.
Dubai Based Zimbra
TXT record: @ (or the domain name) with the value v=spf1 ip4:185.93.245.35 ~all
Microsoft 365 (formerly called Office 365)
TXT record: @ (or the domain name) with the value v=spf1 include:spf.protection.outlook.com -all
GSuite
TXT record: @ (or the domain name) with the value v=spf1 include:_spf.google.com ~all
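To show what a receiving server actually does with the three records above, here is an added example (not from the article or from any mail software) of a simplified SPF evaluator in Python. It handles the ip4/ip6, include and all mechanisms with their qualifiers, which is enough to see the difference between ~all (softfail) and -all (fail). Real lookups are replaced by a constructed DNS table: the three records are the ones given above, while the contents listed for spf.protection.outlook.com and _spf.google.com are invented placeholders, not the real records of those providers.

```python
import ipaddress

# Constructed DNS TXT answers standing in for real lookups (hypothetical zone data).
FAKE_DNS_TXT = {
    "zimbra.example": ["v=spf1 ip4:185.93.245.35 ~all"],
    "m365.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "gsuite.example": ["v=spf1 include:_spf.google.com ~all"],
    # Placeholder contents for the included domains (NOT their real records).
    "spf.protection.outlook.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the single v=spf1 TXT record for a domain, or None if there is none."""
    for txt in dns.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, dns, depth=0):
    """Simplified SPF check for one sending IP against one domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (too many nested includes). Mechanisms a, mx, exists and the
    redirect= modifier are not implemented here.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms; guards include loops
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the leading v=spf1
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address such as ip4:185.93.245.35 is treated as a /32.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only when the included domain's check returns pass.
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no trailing "all"


if __name__ == "__main__":
    for domain, ip in (("zimbra.example", "185.93.245.35"), ("zimbra.example", "192.0.2.10"),
                       ("m365.example", "192.0.2.10"), ("gsuite.example", "198.51.100.200")):
        print(f"{domain} from {ip}: {check_spf(domain, ip, FAKE_DNS_TXT)}")
```

A message from an unlisted IP ends in softfail under the Zimbra and GSuite records (~all) but in fail under the Microsoft 365 record (-all); many receivers only quarantine on softfail, so -all is the stricter choice once you are sure every legitimate sending server is listed.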
Creating DKIM Record
cPanel and Plesk users have DKIM records by default. For other email solutions, please check the guides below:
- G Suite instructions
- Office 365 instructions
- Other mail solutions: there are many online DKIM generators you can use to generate a DKIM key pair. Add the DKIM record in the DNS Management/Zone Editor of your domain.
Creating DMARC Record
You can use an online DMARC generator to craft the right DMARC record for your organization. Add the DMARC record in the DNS Management/Zone Editor of your domain.
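Whatever a generator produces, it helps to understand how a receiver applies the record. The following added example (written for this article, not taken from it or from any DMARC tool) parses a DMARC TXT record and computes the disposition from the SPF and DKIM results together with the identifier alignment DMARC requires: the From: domain must match the domain that SPF or DKIM authenticated, strictly (exact) or relaxed (same organizational domain). The sample record, the reporting address and the domains are constructed; the organizational-domain logic is simplified to the last two labels rather than a public suffix list.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict, applying DMARC defaults.

    adkim/aspf default to 'r' (relaxed alignment) and pct to 100.
    Raises ValueError for a record that a receiver would ignore.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError(f"invalid DMARC record: {record!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels (no public suffix list).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM pass exists, else the p= policy.

    spf_domain is the envelope (MAIL FROM) domain SPF evaluated; dkim_domain is the
    d= tag of the signature that DKIM verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed record and scenarios (hypothetical domains and report address).
STRICT_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@aeserver.com; adkim=s; aspf=s"
RELAXED_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@aeserver.com"

if __name__ == "__main__":
    # Genuine mail: SPF passes for the same domain that appears in From:.
    print(dmarc_disposition(STRICT_REJECT, "aeserver.com", "pass", "aeserver.com", "fail", ""))
    # Method #1 spoof: the spammer's own envelope domain passes SPF but is not aligned.
    print(dmarc_disposition(STRICT_REJECT, "aeserver.com", "pass", "bulk.mailer.example", "fail", ""))
```

The second scenario is the reason SPF alone is not enough against address spoofing: a spammer can pass SPF for a domain they control, and only the DMARC alignment check ties that result back to the "From:" address the user sees.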