Emails are sent via the Simple Mail Transfer Protocol (SMTP). SMTP itself has no mechanism for authenticating the sender, so malicious actors often send emails with a spoofed “From” address to mislead the recipient about who sent the message.
A common method of attack is “phishing”: sending emails that attempt to trick a user into sharing their login credentials. Phishing emails will often warn a user that somebody has tried to access their account, and suggest they change their password immediately.
However, the “password change” link takes the user to a malicious site owned by the phisher, one that looks completely authentic.
The user is asked to enter their existing authentication details, which are saved to a database of stolen passwords.
The site then redirects to the legitimate password reset page for your site, so the user does not suspect anything.
Protecting against phishing emails is largely in the hands of the email service provider. Providers spend a great deal of resources trying to detect spam and malicious emails, and you can help them protect your users in a couple of ways.
By publishing a Sender Policy Framework (SPF) record in your DNS, you can explicitly state which servers are allowed to send email for your domain. This helps receiving servers flag spoofed emails sent by malicious actors.
By implementing DomainKeys Identified Mail (DKIM), you can prove that an email was legitimately sent from your domain and that it wasn’t modified in transit.
DKIM adds a digital signature to the email headers, made with a private key whose public half you publish in your DNS. The receiving mail server recomputes the hashes of the signed headers and body and verifies the signature against that public key, confirming that the mail is authentic and has not been tampered with.
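As an added example (not code from the original page), here is the body-hash half of DKIM verification in Python: canonicalize the body as RFC 6376 specifies, compute the bh= value a signer places in the DKIM-Signature header, and compare it with the value found in a received header. The message and header below are constructed for the demo, and the b= tag is a placeholder, since checking it needs the RSA public key published in the domain's DNS.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Canonicalize a message body as RFC 6376 sections 3.4.3 / 3.4.4 describe."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")  # tolerate bare LF line endings
    if method == "relaxed":
        # Drop trailing whitespace on each line and collapse runs of SP/TAB to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: %s" % method)
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"  # the body always ends with exactly one CRLF


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The value a signer puts in the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def extract_bh(dkim_signature: str) -> str:
    """Return the bh= tag of a DKIM-Signature header value, folding whitespace removed."""
    for tag in dkim_signature.split(";"):
        name, _, value = tag.partition("=")  # split on the first '=' only
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)
    raise ValueError("DKIM-Signature has no bh= tag")


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """First verifier step: recompute the body hash and compare it with the signed bh=."""
    c_tag = re.search(r"(?:^|;)\s*c=([^;]+)", dkim_signature)
    body_method = "simple"  # c= defaults to simple/simple when the body method is absent
    if c_tag and "/" in c_tag.group(1):
        body_method = c_tag.group(1).split("/", 1)[1].strip()
    return extract_bh(dkim_signature) == body_hash(body, body_method)


if __name__ == "__main__":
    # Constructed message; a real signer computes bh= exactly like this before signing.
    body = b"Someone tried to access your account.\r\nReset your password here.\r\n"
    header = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
              "h=from:to:subject; bh=%s; b=<placeholder>" % body_hash(body))
    print("original body matches bh=:", body_hash_matches(header, body))
    print("extra blank lines still match:", body_hash_matches(header, body + b"\r\n\r\n"))
    tampered = body.replace(b"here", b"at a different page")
    print("tampered body matches bh=:", body_hash_matches(header, tampered))
```

Relaxed canonicalization deliberately ignores trailing whitespace and blank lines, so those edits do not change the hash; any change to the visible text does. A full verifier goes on to check the b= signature over the headers listed in h= using the public key from the selector's DNS record.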
