Spoofing your Email

Spoofing your Email: a reader asks…

Example of a sextortion scam email. Click to view larger.

I use a small business email address and routinely get a lot of junk email. Usually I just delete it without reading. However I recently got an email that was from myself and to myself! I checked, and the From address was exactly correct – it was mine. The email that came was a typical sextortion scam. So how was someone able to spoof my email address and send email as me? Doesn’t my email service have protection to prevent that?

Unfortunately, our worldwide internet email system was designed for ease of communication, not for security. Over the years as spam proliferated, email service providers worked to establish some standards for verification of the originator of an email, but it’s an imperfect system. It’s not overly difficult for a determined scammer to be able to spoof your email. This even can occur with major email systems like Gmail and Outlook.com.

The primary protection against spoofing is a Sender Policy Framework (SPF) record, that’s located in your DNS records at your domain name registration organization, or the DNS records at your website hosting service. DNS records direct your organization’s domain name to specific servers on the internet that hold your website, your email services, and more. The SPF record is carefully constructed to identify the specific internet servers that are authorized to send email using your domain. Ideally, they should stop anyone sending email from an unauthorized server.

However, current industry practices do allow for delivery of email from unauthorized sending servers. At the end of the SPF record you can have one of three options:

  1. +all is the designator that nobody should ever use. It allows all servers to send email using that domain.
  2. ~all is the designator that is currently used by most mail service providers. This is called a “softfail” in that it doesn’t stop unauthorized servers from sending email, but does notify the receiving email server that it should consider the email as unauthorized. Unfortunately, not all email service providers will let you (the recipient) know that the email is unauthorized.
  3. -all is the designator that should be used, it blocks email from being delivered that doesn’t come from a server specifically authorized in the SPF record.

Fortunately, most major email service providers and email applications will pay attention and keep mail from unauthorized servers out of your inbox. But not all, and abuse of email is on the rise. There is just so much spam on the internet that email service providers can’t keep up. So fake emails will continue to find their way into peoples’ inboxes.


More detail on SPF record syntax can be found at https://www.spf-record.com/syntax

If you have control over your company’s domain name (the part after the @ in your email address), you can check with your hosting or email service provider to find out exactly which internet servers (by server IP address) they use to send your email, and make sure that/those server(s) is/are included in your SPF record. Once you have that, make sure the SPF record ends in -all so that email from any other server is blocked.

In the OP‘s example, I added a pointer to a small warning that his email service provider (and Outlook, the email app he uses) provided, which calls out the email’s suspect nature. But notice how innocuous this warning is, easy to overlook. And not all providers or applications will show a warning!

If you’re not sure if your current SPF record is adequately protecting your email service, you can go to MXToolBox’s SuperTool at https://mxtoolbox.com/SuperTool.aspx and check your domain name. I suggest you type in your domain name, then click open the orange button to the right and choose “SPF Record Lookup” from the list before clicking the button. This will show you exactly what is in your SPF record, and you can contact your provider to make any needed changes.

It is my humble recommendation that no one who’s using email should be sending from a domain that isn’t fully secured against spoofing attacks. The use of the ~all at the end of the SPF record should only be used when testing, not in normal use. But unfortunately, most major email service providers still use it, and are changing their email server infrastruture too often to be able to lock it down. But if your domain email service is simple, you should be able to lock yours down tight and prevent spoofing.

Oh, if anyone is also receiving the type of sextortion email scams, there’s a good writeup of them at https://malwaretips.com/blogs/i-recorded-you/. That’s a good place to look up whatever particular scam message you think you received.

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via:

Click or tap to open a new browser tab or your Venmo app and send money via Venmo to @positek

Click or tap to open a new browser tab or your Paypal app to send money via your Paypal account to support@positek.net

Click or tap to open a new browser tab or your Paypal app to send money using your credit card to support@positek.net (no Paypal account required)
(using any credit card)

or by mailing a check/cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!

Leave a Comment

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

This site uses Akismet to reduce spam. Learn how your comment data is processed.