Protecting Against Email Spoofing

Email spoofing is the sending of email messages with a forged “from” address. Using a spoofed email address is a common tactic email scammers use to gain the trust of their victims. You need to make sure the emails your website and organization send are marked as authentic.

Risks

Prevalence: Common
Exploitability: Easy
Impact: Worrying

Over 95% of email sent over the internet consists of unwanted email: “spam”. Most spam uses spoofed addresses. If your domains are being used in spam messages, spammers may be taking advantage of your users to:

  • Steal their credentials by sending “phishing” messages.
  • Trick them into falling for online scams by abusing the trust they have in your site.
  • Spread malware by sharing malicious attachments.

Protection

As a website owner you should prevent your domains from being used in spam mail by adopting both of the following approaches:

  • Implement the Sender Policy Framework (SPF): publish a DNS record to explicitly state which servers are allowed to send email from your domain.
  • Implement DomainKeys Identified Mail (DKIM): use a digital signature to prove that outgoing email was legitimately sent from your domain, and that it wasn’t modified in transit.

There is also an emerging umbrella standard called DMARC (“Domain-based Message Authentication, Reporting & Conformance”) that you should be aware of. Read more about DMARC here.

Adopting these technologies also has the benefit that the emails you send are less likely to be marked as spam.
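To make the SPF and DMARC mechanics above concrete, here is an added example (not code from the original page, and not any real mail service's implementation) that evaluates a sender IP against an SPF record, parses a DMARC policy, and applies DMARC's identifier-alignment rule. The domains, IP ranges and TXT records are constructed for the example, and the `DNS_TXT` dictionary stands in for live DNS lookups so the code runs offline; hostname-based SPF mechanisms (`a`, `mx`, `ptr`, `exists`) and DKIM signature verification itself are outside its scope, so a DKIM result is supplied as an already-verified signing domain.

```python
"""SPF evaluation and DMARC policy checks over constructed DNS data."""
import ipaddress

# Constructed TXT records (assumption: stands in for a real resolver).
# example.com authorises one IPv4 range directly, delegates to a fictional
# provider via include:, and hard-fails everything else with -all.
DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    ],
    "_spf.mailprovider.example": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=DNS_TXT):
    """Stand-in for a DNS TXT query against the constructed data."""
    return dns.get(name.lower().rstrip("."), [])


def get_spf_record(domain, dns=DNS_TXT):
    """Exactly one v=spf1 record is allowed: none gives 'none', several 'permerror'."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return None, "none"
    if len(records) > 1:
        return None, "permerror"
    return records[0], None


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate the SPF policy of `domain` for connecting IP `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # recursion cap, mirroring SPF's 10-lookup limit
        return "permerror"
    record, err = get_spf_record(domain, dns)
    if record is None:
        return err
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                 # modifier (redirect=, exp=), not a mechanism
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                 # unqualified mechanisms mean "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False             # a / mx / ptr / exists not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect:                        # redirect= applies only when nothing matched
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"


def get_dmarc_policy(domain, dns=DNS_TXT):
    """Parse the _dmarc.<domain> TXT record into a tag dict, or None if absent."""
    records = [r for r in lookup_txt("_dmarc." + domain, dns) if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') also
    accepts a subdomain. Assumption: from_domain is the organisational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return a == f or (mode == "r" and a.endswith("." + f))


def dmarc_disposition(from_domain, ip, mail_from_domain, dkim_domain=None, dns=DNS_TXT):
    """Decide what the From: domain's DMARC policy says about a message.
    dkim_domain is the d= of a signature that already verified (verification
    itself is not modelled). Returns pass, or the published p= action."""
    policy = get_dmarc_policy(from_domain, dns)
    if policy is None:
        return "none"                   # no policy published: nothing to enforce
    spf_ok = (check_spf(ip, mail_from_domain, dns) == "pass"
              and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")      # none / quarantine / reject
```

Two cases in the constructed data are worth noting: a message claiming to be from example.com but sent from an address outside its SPF record, with no DKIM signature, lands on the published `p=reject`; and a message that passes SPF for the provider's own domain (198.51.100.10 against `_spf.mailprovider.example`) still fails DMARC, because the SPF-authenticated domain does not align with the From: domain. That alignment requirement is what DMARC adds on top of SPF and DKIM.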

Configuration

Implementing SPF and DKIM requires publishing new DNS records and making configuration changes to your technology stack; consult the documentation for your email sending service or software for details. Here are the relevant documentation links for some of the more common methods of sending email.

Transactional Email Services

Transactional emails are sent programmatically in response to actions on a website or application. If your site makes use of transactional email (during sign-ups or password resets, for example) you need to ensure you are sending authenticated mail. Here’s how to set up authenticated emails in the leading transactional email services.

Email Marketing Services

Email marketing services allow bulk-sending of emails to targeted mailing lists. If your sales and marketing staff make use of this kind of service, you need to ensure they are sending authenticated mail.

Mail Transfer Agents

If your organization hosts its own email servers, your system administrators will be making use of “Mail Transfer Agent” software. The most common MTAs are Microsoft Exchange (on Windows) and Sendmail/Postfix (on Linux). Here’s how to implement authenticated email on those platforms: