All About Email Spoofing

Understanding and Preventing Email Spoofing

Email spoofing is when the email header's "From:" line is modified to something other than the actual original sender. A common sign that your email address is being spoofed is getting tons of spam return messages (like Failure Notification or Mailer Daemon) for emails you never sent.

One of the features of a standard SMTP server is the ability to modify the email header to be from any address. This is a convenience built in so the address is easy to read (like "sample@stickyhosting.com"). This feature is often exploited by spammers trying to mask where they are sending from.


The Mechanisms of Spoofed Emails

There are two common impersonation methods frequently used by cybercriminals. For illustrative purposes, let us say our person in a position of authority we wish to impersonate is John Joe, and his email address is johnjoe@stickyhosting.com:

  1. Method #1 – Email Address Spoofing: John’s email address and his name are spoofed on an incoming email so that the sender appears to be: John Joe <johnjoe@stickyhosting.com>.
  2. Method #2 – Display Name Spoofing: Only John’s name is spoofed, but not the email address: John Joe <randomemail@gmail.com>.

How Do I Stop Someone From Spoofing My Domain?

Unfortunately, it will not be possible to stop someone from using your email address as the "From" address. The reason for this is that the "From" address on an email works similarly to a physically mailed letter or package. The postal system doesn’t check if the return address is real, and email systems don’t verify the "From" address either.

Email spoofing doesn’t mean your email has been compromised. The spoofer is using another server to send the email rather than the server where your email is hosted. By closely examining the email header, you’ll be able to identify that the email is fake or spoofed.

The first and last line of defense is your users. They need to be vigilant and prepared to identify emails using the Display Name Spoofing technique. However, this is prone to human error, especially under stress (such as fast-approaching deadlines) or when attention to detail lapses.
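
The header examination described above can be automated. The following is an added example, not Sticky Hosting's code: it checks a raw message for both impersonation methods, assuming a hypothetical KNOWN_SENDERS directory and that the receiving server adds an Authentication-Results header; the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: directory of people worth impersonating (display name -> real address).
KNOWN_SENDERS = {"john joe": "johnjoe@stickyhosting.com"}

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_spoofing(raw, known=KNOWN_SENDERS):
    """Return findings for one raw message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    findings = []
    # Method #2: a protected display name on an address that is not the real one.
    expected = known.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-spoof")
    # Envelope sender on another domain than From: a signal, not proof
    # (mailing lists and bulk senders legitimately differ).
    if envelope and domain_of(envelope) != domain_of(from_addr):
        findings.append("from-envelope-mismatch")
    # Method #1: the receiving server recorded that the sending IP failed SPF.
    results = " ".join(msg.get_all("Authentication-Results", []))
    if re.search(r"\bspf=(fail|softfail)\b", results, re.I):
        findings.append("spf-fail")
    return findings

# Constructed sample messages (headers only, not real mail).
ADDRESS_SPOOF = """\
Return-Path: <johnjoe@stickyhosting.com>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=johnjoe@stickyhosting.com
From: John Joe <johnjoe@stickyhosting.com>
Subject: Urgent transfer
"""
DISPLAY_SPOOF = """\
Return-Path: <randomemail@gmail.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=randomemail@gmail.com
From: John Joe <randomemail@gmail.com>
Subject: Urgent transfer
"""

if __name__ == "__main__":
    for label, raw in (("address", ADDRESS_SPOOF), ("display name", DISPLAY_SPOOF)):
        print(label, check_spoofing(raw))
```

Display Name Spoofing passes SPF because the message really does come from the address shown, which is why the name-to-address comparison is a separate check.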


✅ Recommendations to Secure Your Accounts and Avoid Email Spoofing

  • Change your email account passwords frequently. Use strong passwords with a mix of uppercase, lowercase, numbers, and special characters (at least 8 characters long).
  • Ensure your operating system is running the latest security updates. Avoid using outdated systems like Windows 7 or Windows XP.
  • Update your antivirus software and conduct a full scan to ensure your device is free from malware.
  • Enable SSL for email communications to secure your connections.
  • Educate users about phishing or spam emails and how to spot suspicious emails. Always verify emails from Webmail/cPanel using other means (SMS, phone call, social media).
  • Avoid connecting to public Wi-Fi as it is often unsafe.
  • Encourage users to verify emails through alternative communication channels to confirm authenticity.

⚠️ What Happens When an Email is Spoofed?

When emails are set to be from an email address on your domain and bounce, they are sent to our servers, attempting to deliver themselves to that mailbox. Generally, you will never see these emails. However, if the spoofer configures the "From" header to be a real email box, the bounce-back will come to your mailbox, and you’ll receive the email.

Thankfully, modern spam filters and ISPs know how to identify spoofed emails, and they won’t penalize your domain just because someone is using your "From" address. They rely on the sender’s IP address and other indicators to determine the origin of the email.

These spoofers are tracked down based on the server used to authenticate the email. They get reported to ISPs and Real-time Black Lists (RBLs), and once flagged, the spoofing will stop.


How to Minimize Email Spoofing

There are two key methods for resolving email spoofing: using a catchall (Default Address) or creating an SPF record. While the catchall method can temporarily reduce the issue, it’s better to create an SPF record for a long-term solution. An SPF record verifies that a user has permission to send email on behalf of your domain and prevents unauthorized users from sending spoofed emails.


⚙️ Partial Solution: Catchall (Default Address)

If you have Default Address enabled, you can set every catchall to :fail: no such address here. This will prevent you from receiving bounce-back messages. However, it doesn’t address the root cause of the issue.

If Default Address isn’t enabled, our system will automatically return messages with the :fail: no such address here response, which is effective at minimizing bounces.


✔️ Full Solution: Creating an SPF Record

To resolve the spoofing issue fully, you’ll need to create an SPF record in your DNS settings. An SPF record is an entry added to the DNS zone for your domain to verify that only authorized users can send mail from your domain.

Note: Sticky Hosting automatically creates an SPF record for all our web hosting accounts. You can verify the existence of your SPF record by using a DNS lookup tool like nwtools.com. Enter your domain name and check for a TXT record with v=spf1 ... as the value.


How to Create an SPF Record

Creating an SPF record helps ensure that only authorized mail servers can send email on behalf of your domain, preventing email spoofing. Here’s how to create an SPF record based on your email product:

cPanel & Plesk Hosting Users

SPF records are automatically created in cPanel and Plesk hosting. You can confirm this by navigating to cPanel > Email Deliverability or Plesk > DNS Settings.

Other Email Solutions

  • Microsoft 365 (formerly Office 365): TXT Record: @ or domain name pointing to v=spf1 include:spf.protection.outlook.com -all
  • G Suite: TXT Record: @ or domain name pointing to v=spf1 include:_spf.google.com ~all
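
After adding one of these records, it is worth checking the TXT values your DNS lookup returns for the mistakes that stop SPF from working. The following is an added example, not part of Sticky Hosting's tooling: a small linter whose problem codes are hypothetical names, run over the two records above plus constructed broken ones.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return problem codes for a domain's TXT records; an empty list means OK."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["missing"]
    if len(spf) > 1:
        # Two v=spf1 records make receivers return permerror, so merge them.
        return ["multiple"]
    terms = spf[0].lower().split()[1:]
    problems = []
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0] for t in terms]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("too-many-lookups")
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        problems.append("pass-all")      # authorizes every server on the internet
    elif last == "?all":
        problems.append("neutral-all")   # gives receivers no verdict to act on
    elif last not in ("-all", "~all") and "redirect" not in names:
        problems.append("no-all")        # unlisted senders get a neutral result
    return problems

# Records from the page, plus constructed broken ones.
SAMPLES = {
    "microsoft365": ["v=spf1 include:spf.protection.outlook.com -all"],
    "gsuite": ["v=spf1 include:_spf.google.com ~all"],
    "two-records": ["v=spf1 +a +mx -all",
                    "v=spf1 include:spf.protection.outlook.com -all"],
    "open": ["v=spf1 include:_spf.google.com +all"],
    "unterminated": ["some-verification=constructed", "v=spf1 include:_spf.google.com"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records) or "ok")
```

The "two-records" case is the one to watch for when a hosting account with an automatically created SPF record also adopts an external mail service: the two records must be merged into a single v=spf1 entry.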

Creating DKIM and DMARC Records

cPanel and Plesk users automatically have DKIM records by default. For other email solutions, please follow the specific instructions for G Suite or Office 365.

You can also create a DMARC record to further improve your email security. Use an online DMARC generator to craft the perfect record and add it to your DNS settings.


If you need assistance with creating SPF, DKIM, or DMARC records, feel free to contact Sticky Hosting support. We’re here to help!
