Email spoofing is a method of forging email header to change the sender's email address so that receiver sees it as sent by different sender than actual.
In the above example, it looks like mail sent from Dean of IIT Goa (email@example.com), but it's not. It is an example of spoofed mail.
There are few online services available(like this) to send such spoofed mail, or one can use PHP / Python mail function with a modified email header.
Mail Servers decides given mail is Spam or not based on various factors like the content of the mail, email address, and a few others.
The main criteria are validating email id from which email came is the same mail id?
To validate, SPF (Sender Policy Framework), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) DNS records are used.
(I won't go into depth how it works)
let's consider the scenario, We have three websites to test.
|Website||SPF Record||DMARC Record|
|iitgoa.ac.in||Not Present||Not Present|
IIT B SPF
v=spf1 a:smtp6.iitb.ac.in a:smtp7.iitb.ac.in a:smtp8.iitb.ac.in a:smtp9.iitb.ac.in a:smtp10.iitb.ac.in a:smtpd6.iitb.ac.in a:smtpd7.iitb.ac.in a:smtpd8.iitb.ac.in a:smtpd9.iitb.ac.in a:smtpd10.iitb.ac.in ~all
IIT H SPF
v=spf1 ip4:184.108.40.206 ip4:220.127.116.11 ip4:18.104.22.168 ip4:22.214.171.124 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:_spf.google.com ~all
IIT B DMARC
v=DMARC1; p=quarantine; pct=100; rua=mailto:firstname.lastname@example.org
Now, Send Spoof mail from all of these domains, and let's see, How Gmail reacts to this. (Check full email header)
|Website||Response||SPF Status||DMARC Status|
|iitgoa.ac.in||In Inbox without warning||-||-|
|iitb.ac.in||In Inbox with warning||SOFTFAIL||-|
|iith.ac.in||In Spam with critical warning||SOFTFAIL||FAIL|
- The attacker can launch phishing campaign with fake mail id like
- An attacker can use fake mails id's and make social engineering attacks.
- Add SPF record starts with "v=spf1" in DNS Zone File
- Add DMARC record in DNS Zone File.