Email spoofing is one of the common techniques used by phishing attacks. By using different techniques, attackers trick users to think the email is from legitimate parties. To combat email spoofing, a few mechanisms have been invented – Namely DMARC, DKIM & SPF. However many times the terms are confusing. In this blog, we will cover the details of email spoofing and provide an explanation of SPF, DKIM, and DMARC. Here is an outline:
- How does the email system work?
- Email spoofing
- Prevent/detect email spoofing
- The caveats of SPF/DKIM/DMARC
Let’s start with an understanding of how the email system works.
1. Email system behind the scene
When you send out an email, the email system actually takes a few more steps than you would see on your email client. Here is an example of a set of actions when you send an email.
HELO mycomputer.mydomain.com 250- redacted smtp.mydomain.com [10.10.10.10], pleased to meet you
MAIL FROM: noreply@mydomain.com
250 2.1.0 noreply@mydomain.com ... Sender ok
RCPT TO: user@example.com
250 2.1.5 user@example.com ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
- From: Bob Smith <bob.smith@mydomain.com>
- Reply-to: <noreply@mydomain.com>
- Subject: Hello World Message body contents. . 250 2.0.0 wASDDusO0124297 Message accepted for delivery
- HELO: The host is sending the command to identify itself.
- Mail FROM: the mail command initiates the transfer of mail and identifies itself.
- RCPT TO: This identifies the recipients. On receipt a time.
- DATA: everything under data is considered to be message text until the end. Including header, body, and attachment.
- From: This is the “header from” address and what appears in the header session of most mail client
- Reply-to: another item in the header indicates where it replies to
- Subject: the subject of the email.
- The rest are body, attachments .etc.
2. Email Spoofing
As permitted by SMTP, you can actually
- specify whatever you want in Mail FROM or From address
- either the Mail or From address can be null
- specify a name with no address in From address (e.g. Bob Smith <>)
- format a From address like this – From: Bob Smith <bob.smith@example.com> <hacker@hacker.com> for a message from hacker@hacker.com. Some clients will show it as Bob Smith <bob.smith@example.com>
This sounds crazy, right? But these are intentional designs by SMTP but sadly abused by attackers for malicious purposes, namely email spoofing.
In general, there are three types of email spoofing.
- Envelope Mail From spoofing: The MAIL FROM address is declared in a way that is meant to look legitimate.
- Header From spoofing: they declare the header from the address to make it look legitimate as it is what is shown on most clients anyways.
- Display Name spoofing: Control the display name to make it look legit. For example Bob Smith <hacker@hacker.com>. Here, Bob Smith is legit. Both Mail From and From are under the hacker’s control. Most of the time, when you reply to such emails, the email address is truncated and clients only show the name. If you did not detect it the first time, it will be hard to catch later.
Typically when attackers spoof the real email address, the attacker may use one of the following options
- use the actual email address such as “bob.smith@example.com” to pass the filter
- use a misspelling address: “bob.smith@examp1e.com”. Notice 1
- use a completely different domain “bob.smith@gmail.com”
- use whatever weird email address “bob23@randomdomain.com”
3. Prevent/Detect email spoofing
There are a few mechanisms in place for the security team to prevent email spoofing.
3.1 Sender Policy Framework (SPF)
SPF is a DNS record a domain owner publishes that contains a list of servers from which they send emails. When the receiver receives the domain, it checks the list of legitimate sources and if the server it comes from is not on the list, it knows it is not legitimate.
An SPF record looks something like this:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
SPF is useful to protect against MailFrom spoofing which is good for your company and your domain brand as well. However it only concerns the MailFrom address, and does not protect the header from or display name spoofing
3.2 DomainKeys Identified Mail(DKIM)
DKIM is a key-pair signing mechanism for the header of mail messages. When you send mail you attach a signature to the message using a private key which is compared to a public key published in DNS for your domain. DKIM adds authenticity to a message and guards against tampering with the header by downstream mail servers.
DKIM is a signature, adding a layer of authenticity. However, if an email does not have a DKIM, it does not mean it is malicious.
3.3 Domain Message Authentication Reporting & Conformance (DMARC)
DMARC’s conformance check(“alignment”) checks that the header from is “aligned” with other authenticated domains on the message either via DKIM or SPF. If either DKIM or SPF alignment passes DMARC evaluates as a “PASS.”
SPF Alignment: The domain in the header from and envelope MAIL from must be the same (or sub-domains of the same parent domain if “relaxed”) and must pass SPF.
DKIM Alignment: DMARC requires a valid signature where the domain specified in the d= tag aligns with the sender’s domain from the header from the field.
However
DMARC alignment is only enforced when your policy (
p=) is set to “reject” or “quarantine”.Lots of receiving mail servers still do not evaluate DMARC, evaluate only for reporting, or evaluate but don’t report
4. The caveats of SPF/DKIM/DMARC
You can see SPF is useful for envelopes Mail from spoofing, DMARC + SPF + DKIM can help the header from spoofing. However, they do not address display name spoofing or other email spoofing issues such as using a compromised email account. More advanced email behavior rules are needed to prevent/detect another email spoofing. Moreover, it is up to senders to configure their SPF. The sender may configure or not which is not under your control. Therefore we can not rely on SPF/DKIM/DMARC to detect phishing. They are important metrics but are not enough.
When you are ready, here are three ways we can help
- Schedule a free consultation to discover the best anti-phishing solutions for you and your team (schedule here)
- Leverage free phishing plugins to analyze your suspected email in outlook and Gmail (Outlook, Gmail)
- DTonomy’s AIR platform enables security teams to automate security analysis and response with AI-based scoring. It takes less than 20 minutes to get everything set up. Get started today! (Sign up here)
- Let DTonomy set up affordable phishing awareness training and manage phishing threats for you by requesting professional service here
