Email spoofing is when attackers tamper with emails to disguise themselves as legitimate senders. This tactic is common in phishing attacks.
In email spoofing, an attacker uses an email header to mask their own identity and impersonate a legitimate sender. (An email header is a code snippet that contains important details about the message such as the sender, the recipient, and tracking data.)
While email spoofing is a specific tactic involving the forging of email header information, attackers can use other means to achieve similar results. For example, attackers may use slight misspellings of the domain: “Jane Executive” email@example.com. Alternatively, attackers will change their display name to impersonate a sender but not the domain part of the email address. In this case, the display name and email might look something like this: “Jane Executive” firstname.lastname@example.org.
The key difference between these techniques is that successful email spoofing attempts will present as legitimate domains — like cloudflare.com — as opposed to a misspelled domain (email@example.com) or an address not associated with the domain at all (firstname.lastname@example.org). This article will focus specifically on emails with forged headers.
Email spoofing falls under the larger domain spoofing umbrella. In domain spoofing, attackers will attempt to fake a website name (or email address), generally as part of phishing attacks. Domain spoofing extends beyond email and can be used to create fake websites or fraudulent advertisements.
Attackers use scripts to forge the fields an email recipient can see. These fields are found within the email header and include the “from” address and the “reply-to” address. Here’s an example of what these fields could look like in a spoofed email:
Forging these fields is possible because the email transmission protocol Simple Mail Transfer Protocol (SMTP) does not have a built-in method for authenticating email addresses. In fact, the sender’s and recipient's email addresses exist in two places within an email: the header and the SMTP envelope. The email header includes the fields that the recipient sees. The SMTP envelope, however, contains the information servers use to deliver an email to the correct address. But these fields do not have to match for an email to send successfully. Because the SMTP envelope never checks the header and the recipient cannot see the information in the envelope, email spoofing is relatively easy.
Because a spoofed email appears to come from a legitimate sender, recipients may be tricked into divulging sensitive information, clicking malicious links, or taking other actions they otherwise would not. For this reason, email spoofing is commonly used in phishing attacks.
In some cases, attackers will use other tactics to bolster the credibility of a spoofed email domain. This may include copying a company’s logo, branded art, and other design elements, or using messages and language that feel relevant to the imitated company.
Email recipients can follow these steps to ensure they do not fall for email spoofing:
Domain owners can also take action to prevent attackers from sending messages from their domain. To do so, organizations can create Domain Name System (DNS) records specifically for authentication. These include:
At the organizational level, security leaders can also take steps to protect employees from email spoofing by implementing phishing and malware protection.
While email authentication can help protect against email spoofing, it is not a comprehensive email security solution. For example, email authentication does not account for other common phishing techniques like lookalike domains or emails sent from legitimate domains that have been compromised.
Cloudflare Area 1 Email Security offers a more holistic approach. It preemptively crawls the Internet to identify attacker infrastructure, thereby preventing phishing attacks and securing inboxes.