Hi there, today's guide is about email spoofing and scamming. With technology getting more and more sophisticated, it's getting much harder to detect spam and spoofed emails. Although major service providers such as Google and Microsoft have plenty of spam and spoofing prevention measures, there is always a possibility that an email has been spoofed.
I want to make this guide accessible to non-tech people.
I've come across multiple clients who've become targets of such accounts, because the attackers craft mails that change minor details, such as bank details, and it goes unnoticed.
Terms frequently used in this document:
SPF (Sender Policy Framework)
Sender Policy Framework is an email authentication method designed to detect forged sender addresses during delivery of the email. SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is the address used when the mail bounces.
DKIM stands for DomainKeys Identified Mail. It provides a way to validate that the organization delivering an email has the right to do so.
DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.
The most common way to check whether a mail was sent from a spoofed account is to check the email headers. Reading and understanding email headers is quite a complex task, though, considering the amount of information they contain.
Now that we have these tools, let's use them!
Firstly, I would like to share a screenshot of how Gmail shows you if the mail is not authenticated.
To further verify this you can click on the 3-dot menu on the right-hand side and select
Now, if you scroll down, you should see the Copy to Clipboard button.
Take this header and paste it into the MxToolbox Header Analyzer.
An SPF soft-fail usually means that the email wasn't sent from an authorised IP; it could also mean that the SPF record for the domain is incorrect. You should always get in touch with the recipient through an official email to validate the email.
Note: SPF doesn't prevent incoming spam emails.
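To make the header-checking step less manual, here is an added example of my own (not Gmail's or MxToolbox's code) that reads a raw header block as copied from Gmail, pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header, and compares the visible From: domain with the envelope (Return-Path) domain that SPF actually checks. The sample header block is constructed with hypothetical domains and IP.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample header block, in the shape Gmail's "Show original" view
# produces. Domains and IP are hypothetical; this is not a real message.
SAMPLE_HEADERS = """\
Return-Path: <billing@attacker-example.net>
Received-SPF: softfail (google.com: domain of transitioning billing@bank-example.com does not designate 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning billing@bank-example.com does not designate 203.0.113.5 as permitted sender) smtp.mailfrom=billing@bank-example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bank-example.com
From: "Accounts" <billing@bank-example.com>
To: victim@example.org
Subject: Updated bank details for invoice 1042
"""

def analyze_headers(raw_headers: str) -> dict:
    """Extract SPF/DKIM/DMARC verdicts and compare the From: domain with the
    envelope (Return-Path) domain; flag the message if anything looks off."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for ar in msg.get_all("Authentication-Results", []):
        # Each method reports as e.g. "spf=softfail (...)"; keep the last verdict seen.
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(ar), re.I):
            verdicts[method.lower()] = result.lower()
    header_from = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    reasons = []
    if verdicts["spf"] in ("fail", "softfail"):
        reasons.append(f"SPF {verdicts['spf']}: sending IP not authorised for the domain")
    if verdicts["dkim"] != "pass":
        reasons.append("no valid DKIM signature")
    if verdicts["dmarc"] == "fail":
        reasons.append("DMARC failed for the From: domain")
    if header_from and envelope_from and header_from != envelope_from:
        reasons.append(f"From: domain {header_from} differs from envelope domain {envelope_from}")
    return {**verdicts, "header_from_domain": header_from,
            "envelope_from_domain": envelope_from,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Paste the full header block from Gmail's "Copy to Clipboard" button in place of the constructed sample to run it on a real message.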
That's all. I might create a part 2 for this. Feel free to ask questions, since I may also be wrong about some things.