Email Spoofing
Forging the 'From' field in an email header to make a message appear to come from a trusted sender it did not actually originate from.
Also known as: sender spoofing, From-header forgery, email forgery
Last reviewed: 1 June 2026
Email spoofing takes advantage of the original design of SMTP, the protocol that transfers email between mail servers, which performs no authentication of the sender's address by default. An attacker can set the 'From' header to any address — '[email protected]', '[email protected]' — regardless of which mail server actually sent the message.
Spoofed emails are used in phishing, business email compromise, and malware distribution. Because the displayed sender address looks authentic, recipients are far more likely to comply with requests, click links, or open attachments. Spoofing is distinct from account compromise: the attacker does not need access to the real account.
Modern email authentication standards — SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) — make spoofing much harder by allowing receiving mail servers to verify that a message came from a server authorised for that domain, carries a valid signature for it, and that the domain in the visible 'From' header aligns with those checks. However, many domains still do not implement these controls, and display-name spoofing (showing a trusted name while the actual address differs) remains effective even with authentication in place.
Examples
- An attacker sends an email that displays 'From: [email protected]' asking staff to reset their passwords via a fake portal.