What Is Email Spoofing and How to Safeguard Against It


Did you know that during the 2018 U.S. presidential elections, the email accounts of four senior NRCC aides were hacked, and thousands of emails were collected by hackers over several months?

It is a well-known case of a cybersecurity breach. Email spoofing is another kind of cybersecurity attack, in which the attacker forges the sender's email address to access recipients' sensitive information. Unfortunately, the address might look so authentic that you may fall prey to such emails.

To help you avoid such mishaps, we have written this guide. We will talk about how email spoofing works and how you can identify it and safeguard against it.

What is email spoofing?

Email spoofing is a form of cyberattack in which someone tampers with the email header (sender details) and tricks the recipient into thinking it has come from a known or credible source.

Email spoofing is often used to carry out phishing or scams by forging the sender’s details and prompting users to open the email, follow a link, download an attachment, fill out a form, reply with personal information, etc.

The email is spoofed for the following purposes:

  • Get sensitive information, such as social security numbers or bank account details, by inserting a deceptive link in the email.

  • Deploy malware to use a victim's email account to spread the infection further.

  • Hack your email address and send phishing emails pretending to be you.

  • Breach a company's communications circle to get high-value information. This can include CEO imitation or pretending to be a vendor with a fake invoice to start activities like wire transfers.

How does email spoofing work?

Before we discuss the email spoofing process, you need to understand the email transmission process:

When the sender hits send, the email is transmitted to the recipient's server via Simple Mail Transfer Protocol (SMTP). The initial transfer provides two pieces of address information:

MAIL FROM or Envelope address

The Mail From is the sender's address that isn't visible to the users unless they check the original source of the email. It is the same address where undeliverable message notices, or bounces, are sent.

Thus, it is also known as the Return-Path address, Envelope-Sender address, and the bounce address.


RCPT TO

It specifies where to deliver the email and is not visible to the user. However, it can be included in the headers as part of the "Received:" header.

If the recipient mail server doesn't find anything wrong with these two, it will generate a DATA command.

After getting the command, the client launches the delivery of the email contents line by line, starting with the header. The header contains the following information:

Email header

How does the attacker carry out email spoofing?

The attackers can carry out email spoofing with a working Simple Mail Transfer Protocol (SMTP) server.

  • Once an email message is composed, the attacker can forge fields found within the message header, such as the From, Reply-to, and Return-path.

  • When the user gets the email, it appears to come from a known source, while in reality, it had been sent by the attacker.

It is possible to forge these addresses because SMTP does not provide a way to authenticate addresses. Although protocols and methods (which we’ll discuss later) have been developed to combat email spoofing, adoption of those methods has been slow.

What are the different types of email spoofing?

The attacker can carry out spoofing in three different ways which are as follows:

1. Spoofing via legitimate domain

This involves inserting the organization's domain being spoofed into the From header, making it difficult for the user to differentiate a fake email from a real one.

In this approach, the spoofers use compromised Simple Mail Transfer Protocol (SMTP) servers that allow connections without authentication and let them manually specify the "To" and "From" addresses. They can also do this by setting up a malicious SMTP server themselves.

2. Spoofing via lookalike domain

Spoofing via a lookalike domain is more complicated as the spoofer needs to set up a domain similar to the organization being spoofed.

For example, they might have a domain @doma1n.co instead of @domain.co, which is the exact domain of the organization. The difference between the two domains can be so small that it goes unnoticed by the recipient.

This form of spoofing is effective because users don't typically bother to read an email header.

The attacker creates a sense of authority by using a similar domain, bypassing spam checks due to a legitimate mailbox. However, it might be just enough to convince its victim to reveal their password, transfer money, or send some files.
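A mail filter can catch the doma1n.co case above by measuring how close a sender's domain is to the domains you trust. This is an added example, not code from the original article; the `TRUSTED` set, the function names and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains your organization really sends from.
TRUSTED = {"domain.co"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def imitated_domain(from_header, trusted=TRUSTED, max_dist=2):
    """Return the trusted domain that the sender's domain imitates, or None.

    None means the domain is trusted itself or is not close to any
    trusted domain.
    """
    addr = parseaddr(from_header)[1]
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain or domain in trusted:
        return None
    closest = min(sorted(trusted), key=lambda t: edit_distance(domain, t))
    return closest if edit_distance(domain, closest) <= max_dist else None

if __name__ == "__main__":
    # Constructed sender values, not taken from real mail.
    for sender in ("Support <help@doma1n.co>",
                   "help@dornain.co",
                   "help@domain.co",
                   "news@example.org"):
        print(sender, "->", imitated_domain(sender))
```

With very short trusted domains a threshold of 2 produces false positives, so tune `max_dist` to the length of the names you protect.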

3. Spoofing via display name

The display name is the sender's name that appears in the From section of your emails. Only the email sender's display name is forged in display name spoofing.

Sometimes email clients hide the sender's address and show only the display name to make the email look less cluttered.

Unfortunately, this allows cybercriminals to substitute the name but leave their actual address in the From header. And since a DKIM signature and SPF often authenticate this address, the authentication systems see the message as legitimate.

Moreover, if users recognize the display name, they are more likely to open it without checking the email's source.

What are the impacts of email spoofing on organizations?

Email spoofing can cause a significant financial burden on an organization. The 2021 Cost of Phishing Study conducted by the Ponemon Institute revealed that phishing cost has tripled since 2015, increasing from $3.8 million in 2015 to $14.8 million in 2021.

The phishing cost includes additional costs which can damage and hinder the growth of your organization. Some of the high phishing costs are as follows:

  • Decrease in employee productivity as they spend more time dealing with the consequences of phishing scams. Employee productivity losses become costlier to the organization, increasing from $1.8 million in 2015 to $3.2 million in 2021.

  • Organizations are encountering an average of 5.3 compromises in their credentials over the past 12-month period.

  • The average total cost of credential compromise not contained is $2.1 million and has increased significantly from $1 million in 2015.

  • The cost of resolving malware infections has doubled the total cost of phishing. In addition, the costs due to non-containment of malware almost doubled from an average of $3.1 million in 2015 to $5.3 million in 2016.

  • The average cost of business email compromise (BEC) exploits was $5.96 million in 2021. BEC happens when the attacker targets employees who have access to an organization's funds or data.

  • Ransomware is a sophisticated malware that blocks victims' access to their files. The average total cost of ransomware in 2021 was $5.66 million, with an average attack rate of 17.6%.

How to recognize spoofed emails?

You can recognize whether an email is spoofed in the following ways:

✅ Analyze the email header

Check the 'From' email address, not just the display name. Whenever you get an email, hover over the contact name and look at the actual email address. They should match or be pretty close.

For the below points, you need to go to the original source of the email and then look for the following in the email header:

  • Return path
  • Received field
  • Reply-To header

The email address should match the original email address in each field. If it doesn't, then the email is likely to be spoofed.
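The comparison of the From address with the Return-Path and Reply-To fields can be scripted against a message's original source. This is an added example, not code from the original article; it uses Python's standard `email` module on a constructed message, and the function names and example domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a message's original source (not real mail).
RAW = """\
Return-Path: <bounce@mailer.example.net>
From: "Acme Billing" <billing@acme.example>
Reply-To: payments@acme-billing.example.org
To: user@corp.example
Subject: Invoice overdue

Please see the attached invoice.
"""

def domain_of(header_value):
    """Lowercased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_mismatches(raw):
    """Describe every checked field that disagrees with the From address."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    for field in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(field))
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    # Display-name spoofing: the name itself shows an address at another domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows {shown.group(0)} but sender is {from_addr}")
    return findings

if __name__ == "__main__":
    for finding in header_mismatches(RAW):
        print(finding)
```

A Return-Path on a different domain is also normal for mail sent through a third-party mailing service, so treat each finding as a reason to look closer.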

✅ Analyze the email content

  • Be sure to not click on the links; instead, hover over them. A small box should pop up to show you the URL that the link will take you to.

  • Identify any grammatical or spelling errors.

  • Do not click on any attachments from unfamiliar sources.

  • If the email asks you about personal information such as usernames, passwords, or account numbers, don't engage with the email.

  • Email content contains information about deadlines or expiration dates.

  • Generic greetings like "Dear customer" instead of your name.

Another way to detect email spoofing - Authentication protocols

Various email authentication protocols have been developed to safeguard against email spoofing.

These protocols ensure that email addresses and email content are not tampered with. If an email has failed any of them, then the chances are that the email is spoofed. You can check the pass/fail status by checking the original source of the email.

Let's discuss each of these.


The Sender Policy Framework (SPF) allows a mail domain owner to restrict the IP addresses that send messages from this domain and lets the recipient's mail server check that the domain owner authorizes the sender's IP address.

For this, SPF uses a Domain Name System (DNS) record that checks whether the email is coming from a legitimate domain or not.

However, SPF only checks the MAIL FROM address, so it won't safeguard against spoofing of the header From address or display name spoofing.


DomainKeys Identified Mail (DKIM) is like a stamp on mail, a digital signature that ensures email content is not tampered with.

The sender attaches a signature created with a private key, which is checked against a public key published in DNS for the sender's domain. However, DKIM does not directly prevent abusive/malicious behavior.


Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the final authentication that checks the domain in the 'From' header against an SPF and DKIM validated domain.

If either DKIM or SPF authentication passes, DMARC will also PASS.
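The check DMARC makes, comparing the From domain with the domain that SPF or DKIM validated, can be reproduced from the Authentication-Results header your mail server adds. This is an added example, not code from the original article; the server id `mx.corp.example`, the function names and the two-label `org_domain` shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: your own receiving server's id

# Constructed sample: SPF and DKIM both pass, but for the sending service's
# own domain, not for the domain shown in From.
SPOOFED = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@bulk.example.net;
 dkim=pass header.d=bulk.example.net
From: "Acme Billing" <billing@acme.example>

Invoice attached.
"""

def org_domain(domain):
    """Last two labels (simplification; real evaluators use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned_passes(raw, authserv=TRUSTED_AUTHSERV):
    """Return the SPF/DKIM-validated domains that align with the From domain.

    An empty list means no pass is aligned, so the message would fail DMARC.
    """
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    aligned = []
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() != authserv:
            continue  # not written by our own server, so it could be forged
        for part in rest.split(";"):
            props = dict(re.findall(r"([\w.]+)=(\S+)", part))
            if props.get("spf") == "pass":
                ident = props.get("smtp.mailfrom", "").rpartition("@")[2]
            elif props.get("dkim") == "pass":
                ident = props.get("header.d", "")
            else:
                continue
            if ident and org_domain(ident) == from_dom:
                aligned.append(ident)
    return aligned

if __name__ == "__main__":
    print(aligned_passes(SPOOFED))  # no aligned pass for acme.example
```

A pass only counts when it is for the domain in the From header, which is why the constructed message above passes SPF and DKIM yet has no aligned result.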

What actions can you take to prevent being targeted by spoofed emails?

You can't stop hackers from sending spoofed and phishing emails, but you can learn various tips to identify and deal with such emails:

  • Educate employees by conducting mock phishing scenarios. You can teach them about the key characteristics of spoofed and phishing emails.

  • Make sure to keep your anti-virus and anti-spyware software and your firewall updated.

  • Be careful while opening or downloading email attachments, even if they appear from a known source.

  • Deploy a spam filter for detecting viruses, blank senders, etc.

  • Try not to send sensitive data (Social Security number, credit card numbers, etc.) via email.

  • Encrypt your and your organization's sensitive and personal information.

  • Call the sender before replying or even opening the message when an email appears suspicious but comes from a legitimate business or person.

  • Look out for URL redirects and pay attention to subtle differences in the website content.

Wrapping up

Email spoofing has severe consequences for the individual and the organization. As we discussed above, phishing costs have tripled in the past six years and even though there are authentication protections such as SPF, DKIM, and DMARC, the incidence of email spoofing is on the rise.

To combat them, we need to be more vigilant while conducting work via emails and not open or click on any suspicious email because that one-click might cost you a lot.
