DEV Community


A simple guide to recognizing spoofed/unauthenticated mails

Linux Admin, Anime|| Currently working as Hosting support tech.

Hi there, today's guide is about email spoofing and scamming. With tech getting more and more sophisticated, it's getting much harder to detect spam and spoofed emails. Although major service providers such as Google and Microsoft have tons of spam and spoofing prevention methods, there is always a possibility that an email can be spoofed.
I want to make this guide accessible to non-tech people.

I've come across multiple clients who've become targets of such accounts, because the attackers craft mails that change minor details, such as bank details, and it goes unnoticed.

Terms frequently used in this document:

  • SPF (Sender Policy Framework)
    Sender Policy Framework is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is used when the mail gets bounced.

  • DKIM
    DKIM stands for DomainKeys Identified Mail. It provides a way to validate that an organization delivering an email has the right to do so.

  • DMARC
    DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

The most common way to check if a mail was sent from a spoofed account is to check the email headers. Reading and understanding email headers is quite a complex task, considering the amount of information they contain.

To make it easier, there are tools such as MxToolbox. If you have the header and want to read it, use the MxToolbox Header Analyzer.

Now that we have these tools, let's use them!
First, I would like to share a screenshot of how Gmail shows you that a mail is not authenticated.

As you can see here, there is a question mark, which means the user sending the mail isn't authenticated.
Image of a mail from Gmail

To verify this further, click on the 3-dot menu on the right-hand side and select Show Original.

Image of a mail header from Gmail

Now, if you scroll down, you should see the Copy to Clipboard button.

Clipboard Button

Take this header and paste it into the MxToolbox Header Analyzer.
Click Analyze Header.

Now you'll get a ton of information about the email.

An SPF soft-fail mostly means that the email wasn't sent from an authenticated IP. It could also mean that the SPF record for the domain is incorrect. Either way, you should always get in touch with the recipient through an official email to validate the email.

You can also see DKIM and DMARC parameters here, provided the domain has published them.
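
The same SPF, DKIM and DMARC results can be read directly from the header you copied. The sketch below is an added example, not part of the original guide; it assumes the receiving provider records its checks in an `Authentication-Results` header, and the sample message and the `auth_results`/`verdict` names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample of a copied "Show Original" header (not a real message).
SAMPLE = """\
Delivered-To: user@example.org
Authentication-Results: mx.example.org;
       spf=softfail (example.org: domain of transitioning billing@example.com
       does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=billing@example.com;
       dkim=none; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
From: "Accounts" <billing@example.com>
Subject: Updated bank details

Please use the new account number below.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

def auth_results(raw):
    """Return the SPF, DKIM and DMARC results recorded by the receiving server."""
    msg = message_from_string(raw, policy=default)  # also unfolds wrapped headers
    found = {"spf": [], "dkim": [], "dmarc": []}
    for header in msg.get_all("Authentication-Results", []):
        # Drop parenthesised comments so text inside them is not read as a result.
        cleaned = re.sub(r"\([^()]*\)", " ", str(header))
        for method, result in RESULT_RE.findall(cleaned):
            found[method.lower()].append(result.lower())
    return found

def verdict(raw):
    """Conservative triage rule assumed for this example, not a standard."""
    found = auth_results(raw)
    if not any(found.values()):
        return "unknown"        # the receiving server recorded no checks
    if "pass" in found["dmarc"]:
        return "authenticated"  # the visible From domain passed DMARC
    return "suspicious"         # e.g. SPF softfail: validate the mail before acting

if __name__ == "__main__":
    print(auth_results(SAMPLE), verdict(SAMPLE))
```

A "suspicious" result here is a prompt to validate the mail, since a soft-fail can also come from an incorrect SPF record on a legitimate domain.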

Note: SPF doesn't prevent incoming spam emails.

That's all. I might create a part 2 for this. Feel free to ask questions, since I may also be wrong about some things.
