Mail Spoofing: Why You Can't Trust the 'From' Field

Written by Alessio on 2/9/2026

The Context

Email protocols were designed in a trusting era, making it easy to spoof a sender's identity. If you receive an email from a large institution or bank, the "From" address alone does not guarantee authenticity. To combat this, the industry relies on DNS-based protocols—SPF, DKIM, and DMARC—to verify identity. For domain owners, implementing these is now essential to ensure mail delivery.

My Perspective

It’s a protocol flaw that has persisted for decades: with a few commands in a terminal, it’s possible to send an email that appears to come from an address the sender has no right to use. This is Mail Spoofing, and it exists because SMTP (Simple Mail Transfer Protocol) was designed in 1982, an era when the internet was a small network of trusted researchers.

The Postcard Analogy

Think of email like a physical postcard. You write the message and the recipient's address, but in the "Return Address" corner, you can write any address. The postal service generally doesn't verify the sender's identity. SMTP works in a similar way. It delivers the message without verifying the sender's identity, which is why phishing can be effective.

The Defense Triad

To patch this foundational vulnerability, we've developed three layers of
defense that work via DNS records. SPF publishes the list of IP addresses
authorized to send mail for a domain, so a receiver can check the connecting
server against it. DKIM adds a layer of integrity with a cryptographic
signature that lets the receiver verify the message hasn't been tampered with
in transit. Finally, DMARC acts as the policy enforcer, telling receiving
servers whether to reject or quarantine an email that fails both of the other
checks.
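To make the triad concrete, here is an added example (not code from the original post) of how a receiving server combines the three: a simplified Python evaluator that checks the sending IP against an SPF record, then applies DMARC alignment and the published policy to decide what happens to the message. The domain names, IP addresses and TXT records are constructed; a real receiver queries DNS and handles far more SPF mechanisms than ip4/all.

```python
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records for a hypothetical domain; a real receiver queries DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(mail_from_domain, sender_ip):
    """SPF for the envelope (MAIL FROM) domain. Only ip4 and all are
    evaluated here; include/a/mx/redirect are left out of this demo."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        qualifier = "+"
        if mech[0] in QUALIFIERS:
            qualifier, mech = mech[0], mech[1:]
        if mech == "all" or (mech.startswith("ip4:") and
                             ip in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches

def org_domain(domain):
    # Simplification: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(header_from, mail_from_domain, sender_ip, dkim_d=None):
    """Return 'pass' or the published p= action ('none', 'quarantine', 'reject').
    dkim_d is the d= domain of a DKIM signature that already verified, or None."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "none"  # no policy published; the From header stands unverified
    spf_ok = (spf_result(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_d is not None and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

A forged From header of alerts@example.com sent from an unlisted IP, or with a foreign envelope domain and no aligned DKIM signature, lands on the domain's p=reject; the same header from 192.0.2.0/24 with a bounce.example.com envelope passes under relaxed SPF alignment.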

Protecting Yourself

I recommend a practical approach to protection. As a user, I always verify the
actual sender details in the email headers rather than trusting the display
name. For domain owners, configuring DMARC is an important security step;
providers like Gmail and Yahoo have increased enforcement of unauthenticated
domains, meaning legitimate emails might be filtered if these protocols are
ignored.
