This article explains email spoofing and describes the steps that you can take
to combat it.
- Applies to: Administrator and User
- Difficulty: Moderate
- Time needed: 15 minutes
- Tools required: Email access
For more information on prerequisite terminology, see
Cloud Office support terminology.
If you prefer a video tutorial, see
Rackspace Email - Spoofing: How to identify & protect your organization.
The word spoof means falsified. A spoofed email is one in which the
sender purposely alters parts of the email to make the message appear as though
someone else authored it. Commonly, the sender’s name, email address,
and the body of the message appear from a legitimate source. Sometimes, the
spoofer makes the email appear to come from a private citizen.
A spoofed message can appear to come from a coworker, a bank, a family member,
or any number of seemingly trustworthy sources. A good spoof looks like any
other email that you normally receive.
Warning: If you suspect that you have received a fraudulent message, DO
NOT click any link in the message or enter any requested information.
Often, the spoofed email is part of a phishing (scam) attack. In
other cases, someone uses a spoofed email to dishonestly market an online service or
sell you a bogus product. The intent is to trick the recipient into making a
damaging statement or releasing sensitive information, such as passwords. If
you receive bounced (returned) emails for messages that you never sent,
this could be a case of spoofing.
Scammers alter different sections of an email to disguise who is the actual
sender of the message. To view the following properties, you must open the
email headers of a suspected spoofed message. Following are
some examples of spoofed properties:
- FROM [email protected]: This appears to come from a legitimate
source on a spoofed message.
- REPLY-TO: This can also be spoofed, but a lazy scammer might leave the
actual REPLY-TO address. If you see a different sending address here,
it might be a spoofed email.
- RETURN-PATH: This can also be spoofed, but a lazy scammer might leave the
actual RETURN-PATH address. If you see a different sending address here,
it might be a spoofed email.
- SOURCE IP address or “X-ORIGIN” address: This is typically more difficult
to alter, but it is possible.
A spoofer can alter the first three properties by using settings in Microsoft
Outlook, Gmail, Hotmail, or other email software. They can also alter the fourth
property, IP address, but that requires more sophisticated user knowledge to
make a false IP address convincing.
In the following example, it appears that the recipient has received a message
from their office assistant requesting money.
The subject line should alert you immediately. This user should contact
their assistant through another form of communication to confirm that they did
not send this message. Next, you want to discover who actually sent the message
by opening the message headers. It should look similar to the following:
In this message header snippet, we see that the From: field shows the
message as coming from "Assistant"<[email protected]>.
However, we can also see that the REPLY-TO: field lists [email protected].
That is a clear example of a spoofed message.
You should Blocklist any address you find in the REPLY-TO,
RETURN-PATH, and SOURCE IP field that is not an email address or IP
address from which you normally receive mail.
For more information on viewing and understanding email headers, see
View and read Rackspace email headers.
User education is the first line of defense against these types of attacks. If
you receive a spoofed message, you should perform the following tasks:
- Blocklist any email address or IP address listed in the REPLY-TO,
RETURN-PATH, or SOURCE IP that you have determined to be fraudulent.
For instructions, see
Blocklist addresses, domains, and IP addresses in Rackspace Email.
- Immediately change the password of your email account if you or
your users provided that information at any point.
- Alert the rest of your business to the situation.
Spoofing is possibly the most frustrating abuse issue to deal with because you
can't stop it. Spoofing is similar to hand-writing many letters and signing
someone else's name to it. You can imagine how difficult that would be to trace.
The most impactful change you can make as an administrator is to implement
SPF, DKIM, and DMARC records in that order. These are DNS records
that add extra layers of protection to prevent malicious email from being sent
out using your domain name.
Sender Policy Framework (SPF) records help recipient mail servers identify
unauthorized use of your domain in the form of forgeries (spoofing). Create
an SPF record policy first.
Note: If you send email from other providers on behalf of your domain,
be sure to include their sending servers in the same SPF record entry. Do
not create multiple SPF records.
DomainKeys Identified Mail (DKIM) records assign a digital signature to
mail sent from your domain, marking it as authorized mail sent from your
domain. If you require instructions to enable DKIM for your Rackspace Cloud
Office email, see Enable DKIM in the Cloud Office Control
Creating a DKIM record is the second step in the process.
Domain Message Authentication Reporting and Compliance (DMARC) records
indicate to recipient mail servers that messages sent from that domain
employ DKIM and SPF sending policies. The recipient mail server then
validates the message that you sent by using your DKIM and SPF policies.
Creating a DMARC record policy
enables you to enforce DKIM and SPF records. This is the last step in the
Using record policies protects the integrity of internal emails, as well as the
external reputation of your domain. Implementing this protection is a multi-step
process that you must carefully follow. For more information, see
Create a DMARC policy.
Updated 4 months ago