I use a small business email address and routinely get a lot of junk email. Usually I just delete it without reading. However I recently got an email that was from myself and to myself! I checked, and the From address was exactly correct – it was mine. The email that came was a typical sextortion scam. So how was someone able to spoof my email address and send email as me? Doesn’t my email service have protection to prevent that?
Unfortunately, our worldwide internet email system was designed for ease of communication, not for security. Over the years as spam proliferated, email service providers worked to establish some standards for verification of the originator of an email, but it’s an imperfect system. It’s not overly difficult for a determined scammer to be able to spoof your email. This even can occur with major email systems like Gmail and Outlook.com.
The primary protection against spoofing is a Sender Policy Framework (SPF) record, that’s located in your DNS records at your domain name registration organization, or the DNS records at your website hosting service. DNS records direct your organization’s domain name to specific servers on the internet that hold your website, your email services, and more. The SPF record is carefully constructed to identify the specific internet servers that are authorized to send email using your domain. Ideally, they should stop anyone sending email from an unauthorized server.
However, current industry practices do allow for delivery of email from unauthorized sending servers. At the end of the SPF record you can have one of three options:
+all is the designator that nobody should ever use. It allows all servers to send email using that domain.
~all is the designator that is currently used by most mail service providers. This is called a “softfail” in that it doesn’t stop unauthorized servers from sending email, but does notify the receiving email server that it should consider the email as unauthorized. Unfortunately, not all email service providers will let you (the recipient) know that the email is unauthorized.
-all is the designator that should be used, it blocks email from being delivered that doesn’t come from a server specifically authorized in the SPF record.
Fortunately, most major email service providers and email applications will pay attention and keep mail from unauthorized servers out of your inbox. But not all, and abuse of email is on the rise. There is just so much spam on the internet that email service providers can’t keep up. So fake emails will continue to find their way into peoples’ inboxes.
If you have control over your company’s domain name (the part after the @ in your email address), you can check with your hosting or email service provider to find out exactly which internet servers (by server IP address) they use to send your email, and make sure that/those server(s) is/are included in your SPF record. Once you have that, make sure the SPF record ends in -all so that email from any other server is blocked.
In the OP‘s example, I added a pointer to a small warning that his email service provider (and Outlook, the email app he uses) provided, which calls out the email’s suspect nature. But notice how innocuous this warning is, easy to overlook. And not all providers or applications will show a warning!
If you’re not sure if your current SPF record is adequately protecting your email service, you can go to MXToolBox’s SuperTool at https://mxtoolbox.com/SuperTool.aspx and check your domain name. I suggest you type in your domain name, then click open the orange button to the right and choose “SPF Record Lookup” from the list before clicking the button. This will show you exactly what is in your SPF record, and you can contact your provider to make any needed changes.
It is my humble recommendation that no one who’s using email should be sending from a domain that isn’t fully secured against spoofing attacks. The use of the ~all at the end of the SPF record should only be used when testing, not in normal use. But unfortunately, most major email service providers still use it, and are changing their email server infrastruture too often to be able to lock it down. But if your domain email service is simple, you should be able to lock yours down tight and prevent spoofing.
Oh, if anyone is also receiving the type of sextortion email scams, there’s a good writeup of them at https://malwaretips.com/blogs/i-recorded-you/. That’s a good place to look up whatever particular scam message you think you received.
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via (send to @PosiTek), (send to Support@PosiTek.net), using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182.
I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public.
Thank you!
Author: Chris Gardner
Your Tech Coach at PosiTek.net
There are currently 1277 reader comments on published articles, care to join in? Use the Leave a Comment form below/at the bottom of any existing comments. This is a good place to ask follow-on questions on this subject.
"I'm all about helping you deal with our 21st century high-tech digital world so you can enjoy a healthy and secure digital life!"
About Me
Hi! I'm Chris Gardner, Your Tech Coach giving you Practical Help for Your Digital Life® since 1996. My job is to translate geek-speak into clear and concise advice and give you easy-to-understand how-to's and instructions about your consumer technology products and services.
Browse my library with over 1,000 of the types of questions and answers we all have about our consumer technology. Better yet, use the search bar above or pick a subject or keyword below to see a list of related posts you can read. And please sign up for my freeweekly digest and occasional email alerts!
If you don't find the answer to your question in my library, ask me a question - anything about consumer technology. I answer questions large and small, from how to use Siri on an iPhone to how to protect your computer, tablet or smartphone. I take arcane language from manuals and translate that into easy-to-follow instructions. This gives you better ways to use your consumer technology - helping you get more out of the gadgets and services you already own and use.
I provide all the above, supported by my readers who find my answers valuable (patronage model). Please consider supporting me by sending any amount via (send to @PosiTek), or via (send to Support@PosiTek.net), or via using any credit card (no Paypal account required), or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182.
I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public.
If you need more immediate or direct support, please see my 1-on-1 Tech Support page. I don't profess to know everything about everything, but I'm great at finding and giving you exactly the right answer in the way you need to hear it. Give me a try and let Your Tech Coach help you get your technology working for you, not the other way around!
The information presented on this website and referred to in various social networking channels are the considered opinions of the authors. We accept no advertising, kickbacks or any sort of remuneration for any commercial products or services that we recommend or suggest. Furthermore, posts or links to external websites or other content do not imply endorsement, unless explicitly stated.
Any elements on this website that may be linked to or displayed, including trademarks and product/service images, are for educational purposes only under fair use copyright law. PosiTek.net LLC purchases licensing for commercial imagery used on this website via Shutterstock.com and any other imagery is licensed for our use via:
(send to @PosiTek), 
(send to Support@PosiTek.net), 
using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182.
I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public.
Thank you!
Author: Chris Gardner
Your Tech Coach at PosiTek.net
