How email works



Email Spoofing

Email spoofing refers to email messages with a forged sender address, so that the message appears to have originated from a source other than the actual one, and that apparent source may not even exist. Spammers use spoofed messages to trick users into giving up their information; some messages also carry malware and pose security risks.



How to prevent email spoofing

1. Sender Policy Framework (SPF)

An SPF record identifies which mail servers are permitted to send email on behalf of your domain, which prevents spammers from sending messages with forged sender addresses at your domain. If an SPF record is published, a receiving server can validate whether an email is coming from an authorised server. The receiving mail server verifies SPF by checking a specific TXT DNS entry in your domain, which includes a list of approved IP addresses. Depending on the SPF policy, the result may be pass (accept), softfail (deliver to spam) or fail (reject).

[Image: spf.PNG]



2. DomainKeys Identified Mail (DKIM) 

DKIM uses cryptographic keys to sign emails; receiving mail servers verify the signature with the public key published in DNS. This verifies that the message was not altered in transit. If an email has been signed with DKIM, its headers include a DKIM-Signature header, which carries hashes of selected header fields and of the message body. The signature over these hashes is generated with the private key, which is known only to the owner of the sending domain. Once the recipient server has verified the signature with the public key, the message passes DKIM and is considered authentic.


[Image: dkim.PNG]



3. Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC is an anti-spoofing protection built on top of SPF and DKIM that also checks the header From address of an email, requiring it to align with the domain that SPF or DKIM authenticated. It allows the owner of a domain to control how email for that domain is handled by publishing a DMARC policy in DNS. The policy tells a receiving server to either move the email to spam (quarantine) or reject it if validation fails. ISPs that support DMARC will also generate reports on sending activity for your domain. This gives you deep visibility into who is sending on your behalf and whether they are signing with DKIM or passing SPF.

[Image: dmarc.PNG]
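As an added example (not code from the original page), the following Python sketch evaluates a sending IP against a constructed SPF record (ip4, include and all mechanisms with their qualifiers, yielding the pass/softfail/fail results described in the SPF section) and then applies a constructed DMARC policy with From-domain alignment as described in the DMARC section. The domains, IPs and DNS records in DNS_TXT are made up; a real receiver would query DNS instead, and dkim_domain stands for the d= of a signature that has already verified.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: offline example, made-up domains/IPs).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

# SPF qualifier prefixes and the result they yield when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate a sender IP against the domain's SPF record (ip4, include and all only)."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no record (or too many nested includes): nothing to check
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech.startswith("include:") and spf_check(ip, mech[8:], dns, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term


def aligned(header_from_domain, auth_domain):
    """Simplified relaxed alignment: same domain, or a subdomain of the From domain."""
    return auth_domain == header_from_domain or auth_domain.endswith("." + header_from_domain)


def dmarc_verdict(header_from_domain, mail_from_domain, sender_ip, dkim_domain=None, dns=DNS_TXT):
    """Return 'pass' or the owner's policy action (none/quarantine/reject) for a message."""
    record = dns.get("_dmarc." + header_from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "none"  # From domain publishes no DMARC policy
    spf_ok = (spf_check(sender_ip, mail_from_domain, dns) == "pass"
              and aligned(header_from_domain, mail_from_domain))
    # dkim_domain is the d= of an already-verified signature (assumption), None if there is none.
    dkim_ok = dkim_domain is not None and aligned(header_from_domain, dkim_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # neither SPF nor DKIM passed with alignment: apply policy
```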



How to tell whether an email was spoofed

The easiest way to identify spoofing is to inspect the headers of the email. They matter because they record the IP address of the computer that sent the message. To find the original sender's IP address, look at the earliest Received header, which is the last one in the list, since each relay prepends its own Received line as the message passes through (in the example below, the "Received: by 10.140.188.3 with HTTP" line). The Return-Path and Reply-To headers also state the originator's email address. Example shown below:


From: Media Temple user (mt.kb.user@gmail.com)
Subject: article: How to Trace an Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)