Posted 21 November 2023

Can an email's "from" address be spoofed?

It's always been my understanding that an email "from" address can be spoofed, so you can't assume the email is from who it appears to be, rather like spoofed caller ID. Is this correct?

I had a discussion with an IT expert today who says the "from" address can be taken on face value.

15 Comments

  1. Iain
    Short answer yes

    Longer answer is that it really depends on how things have been set up. If it has the relevant SPF and DMARC configuration then it's much harder to spoof, but then again it also depends on the recipient server and how strict it is with checking the records.
  2. Muig1972
    Yup. A few years ago I had a Samsung Digital camera that had the ability to send photos by email using wi-fi. I found that I could type any email address in as the sender, and that is what the recipient would see!
  3. codebee
    "IT Expert" is wrong.

    You can indeed spoof it. While decent email services have security measures like SPF, DKIM, and DMARC (technologies used to authenticate email messages and protect against email spoofing and phishing), these aren't always foolproof.

    So no, it definitely can't be taken on face value.
  4. melted
    There used to be free online websites to send spoof emails.

    If you look at raw incoming email headers, they'll typically contain something like a "received" header with the IP address of the sender, or the last relaying mail server, which is added by your email server, so is one of the few headers that can be trusted. Some spoofers used to add a chain of fake received by and from headers to try to make them appear to be a relay from the expected IP address.
  5. IAmATeaf
    Your IT expert's title needs to be removed.
  6. jdbigguy
    Absolutely. I receive several emails each week that claim to be from me.
  7. AndyRoyd
    Absolutely.
  8. TristanDeCoonha
    I see less of it these days, but it was uncommon to go a week without receiving a couple of emails, allegedly from myself.
  9. penguinito
    Yes it can. Email is a highly rudimentary protocol developed decades ago as a simple way to send messages. It hasn't really changed much over the years, but has had a few complementary technologies tacked on to make it more secure.

    For example, most providers will do SPF lookups of the domain to ensure that the server that sent the email is listed as an authorised server for that domain.

    There is also DMARC that complements this again, but if these technologies aren't implemented properly or at all on a domain there will be little to protect said domain against spoofing, and then it's really easy to fake an email.

    You can use the enkei.cz website to send a fake email, I always use this to demonstrate fake emails from Elon Musk etc., to prove my point.
    Muig1972
    That link doesn't work. Not that I wanted to send a load of fake emails, of course!
  10. MonkeysUncle
    Expert

    You can do it from telnet in Windows, so it shows how basic email systems are tbh.

    I doubt your expert even knows what telnet is.
  11. aLV426
    Your "IT expert" is wrong, the advice is even worse! Removing the "IT expert" from the equation, the advice for anything should always be "never take anything at face value"! - regardless of what is being discussed! This is why it is always important to do your own research!
    Phishing via email ultimately relies on the user to ensure it's legitimate - are you expecting it? Does the address look correct? There is currently no technology guaranteed to prevent any spoofed emails (apart from blocking every email!).
    The best way to deal with it is to consider the real world "junk mail" post and how you deal with that - if it's generic/spam (bin it) recycle it!


    Actually just watched a Monk clip on YouTube yesterday that is the perfect analogy here:

  12. PS5
    I used to send spoof emails to friends via an outgoing mail utility we wrote. It was great fun watching them squirm over imaginary speeding tickets etc.
    mutley1
    You must be a great mate
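
The point in comment 4 about which "received" header can be trusted, combined with the SPF/DMARC checks mentioned in comments 1, 3 and 9, as an added example that is not part of the thread: it reads only the topmost Received header and the Authentication-Results header stamped by your own mail server, and counts every lower Received line as unverified. The hostname `mx.myprovider.example`, the sample message and the `assess` function are constructed for illustration, and the code assumes your server strips inbound Authentication-Results headers that carry its own name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_MX = "mx.myprovider.example"  # assumption: the name your own server stamps

# Constructed sample message; every host, address and IP is illustrative.
RAW = """\
Received: from mail.sender.example (unknown [203.0.113.45])
\tby mx.myprovider.example with ESMTP id abc123;
\tTue, 21 Nov 2023 10:00:02 +0000
Authentication-Results: mx.myprovider.example;
\tspf=fail smtp.mailfrom=bank.example; dmarc=fail header.from=bank.example
Received: from outbound.bank.example (outbound.bank.example [198.51.100.7])
\tby mail.sender.example with ESMTP; Tue, 21 Nov 2023 10:00:00 +0000
From: "Your Bank" <alerts@bank.example>
To: me@myprovider.example
Subject: Account notice

Hello
"""

def assess(raw, my_mx=MY_MX):
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    # Only the topmost Received line is written by our own server; lines below
    # it arrived as part of the message and may be fabricated by the sender.
    top = " ".join(received[0].split()) if received else ""
    trusted = f" by {my_mx} " in top
    ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", top) if trusted else None
    # Read SPF/DKIM/DMARC verdicts only from results our own server recorded.
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(ar.split()).partition(";")
        if authserv.strip() == my_mx:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "connecting_ip": ip.group(1) if ip else None,
        "unverified_hops": len(received) - (1 if trusted else 0),
        "verdicts": verdicts,
        "from_authenticated": verdicts.get("dmarc") == "pass",
    }

if __name__ == "__main__":
    print(assess(RAW))
```

In the sample, the lower Received line naming `outbound.bank.example` proves nothing because it arrived with the message; only the connecting IP and the verdicts recorded by the receiving server count.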