Protecting Against Email Spoofing

Email spoofing is the sending of email messages with a forged “from” address. Using a spoofed email address is a common tactic email scammers use to gain the trust of their victims. You need to make sure the emails your website and organization send are marked as authentic.

Risks

Prevalence Common
Exploitability Easy
Impact Worrying

Over 95% of email sent over the internet consists of unwanted email: “spam”. Most spam uses spoofed addresses. If your domains are being used in spam messages, spammers may be taking advantage of your users to:

  • Steal their credentials by sending “phishing” messages.
  • Trick them into falling for online scams by abusing the trust they have in your site.
  • Spread malware by sharing malicious attachments.

Protection

As a website owner you should prevent your domains from being used in spam mail by adopting both of the following approaches:

  • Implement the Sender Policy Framework (SPF): publish a DNS record to explicitly state which servers are allowed to send email from your domain.
  • Implement DomainKeys Identified Mail (DKIM): use a digital signature to prove that outgoing email was legitimately sent from your domain, and that it wasn’t modified in transit.
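To make the SPF half of this concrete, here is an added example (not code from the original page) of how a receiving mail server evaluates a domain's SPF record against the connecting IP address. It uses a constructed, in-memory DNS table in place of live lookups and handles only the ip4, ip6, include and all mechanisms; the domains and addresses are documentation values, not real records.

```python
import ipaddress

# Constructed DNS answers standing in for live TXT lookups (assumption: offline).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    ("mail.example.net", "TXT"): ["v=spf1 ip4:198.51.100.7 ~all"],
}

def lookup_spf(domain, dns=FAKE_DNS):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    records = [r for r in dns.get((domain, "TXT"), []) if r.lower().split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None

def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate SPF for a connecting IP: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; runaway includes are a permerror
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # no SPF published: the receiver cannot authenticate the sender
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"              # an unprefixed mechanism means "pass" on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            try:  # a bare address is treated as a /32 or /128 network
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the referenced domain's policy passes
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr need further DNS lookups; skipped here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched and no "all" term: default result
```

A "-all" record lets receivers reject forged mail outright, while "~all" only marks it as suspicious; the result feeds into DMARC policy evaluation.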

There is also an emerging umbrella standard called DMARC (“Domain-based Message Authentication, Reporting & Conformance”) that you should be aware of. Read more about DMARC here.

Adopting these technologies also has the benefit that the emails you send are less likely to be marked as spam.

Configuration

Implementing SPF and DKIM requires publishing new DNS records and making configuration changes to your technology stack - consult the documentation for your email sending service or software for details. Here are the relevant documentation links for some of the more common methods of sending email.

Transactional Email Services

Transactional emails are sent programmatically in response to actions on a website or application. If your site makes use of transactional email (during sign-ups or password resets, for example) you need to ensure you are sending authenticated mails. Here’s how to set up authenticated emails in the leading transactional email services.

Email Marketing Services

Email marketing services allow bulk-sending of emails to targeted mailing lists. If your sales and marketing staff make use of this kind of service, you need to ensure they are sending authenticated mails.

Mail Transfer Agents

If your organization hosts its own email servers, your system administrators will be making use of “Mail Transfer Agent” software. The most common MTAs are Microsoft Exchange (on Windows) and Sendmail/Postfix (on Linux). Here’s how to implement authenticated email on those platforms:
