Email Spoofing
The forgery of email header fields—most commonly the From address—to make a message appear to originate from a sender other than its true source.
Definition
Email spoofing manipulates the RFC 5322 header fields visible to a recipient, typically the From header, to display an arbitrary sender identity regardless of the actual origin of the message. Because SMTP imposes no inherent authentication on the envelope or header sender, an unauthenticated mail server can claim any From address. Spoofing ranges from exact-domain impersonation to display-name deception, where the From header contains a trusted name paired with an attacker-controlled email address.
Why It Matters
Spoofed emails are the delivery mechanism for phishing, business email compromise (BEC), and malware distribution. Even technically sophisticated recipients are susceptible to display-name spoofing because most email clients show only the display name rather than the full address. BEC attacks exploiting spoofing have resulted in billions of dollars in wire fraud losses annually according to FBI IC3 reporting.
How It Works
The SMTP envelope sender (MAIL FROM) and the RFC 5322 From header are independent fields; an attacker sets the From header to the impersonated address while routing the message through their own infrastructure. SPF validates the envelope sender's domain against authorized sending IPs, DKIM validates a cryptographic signature tied to the signing domain, and DMARC enforces alignment between those authenticated domains and the header From domain. When all three are absent or misconfigured on the target domain, spoofing requires no special access. Even with DMARC enforcement, display-name spoofing (using a legitimate-looking name with an unrelated From address) and cousin-domain spoofing (a look-alike domain with valid authentication records) remain viable attack vectors.
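The checks described above, sketched as an added example (not code from this page or from the Phishing Email Checker): it reads the Authentication-Results header stamped by the receiving server, tests whether an SPF- or DKIM-authenticated domain aligns with the header From domain, and flags Reply-To and display-name mismatches. The function names, the authserv-id `mx.recipient.example`, the two-label organizational-domain shortcut, and the sample headers are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def org_domain(domain):
    # Assumption: naive "last two labels"; real DMARC checks use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def assess(raw, trusted_authserv):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_org = org_domain(domain_of(addr))
    authenticated = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = re.sub(r"\([^)]*\)", "", " ".join(ar.split()))  # unfold, drop comments
        authserv, *clauses = ar.split(";")
        # Anyone can add this header; count only the one stamped by our own MTA.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for clause in clauses:
            kv = dict(t.split("=", 1) for t in clause.split() if "=" in t)
            for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
                if kv.get(method) == "pass" and prop in kv:
                    authenticated.add(org_domain(domain_of(kv[prop])))
    findings = []
    if from_org not in authenticated:  # relaxed DMARC-style alignment fails
        findings.append("from_not_aligned")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and org_domain(domain_of(reply_to)) != from_org:
        findings.append("reply_to_mismatch")
    # Display-name deception: the name shows an address from another domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if shown and org_domain(shown.group(1).lower()) != from_org:
        findings.append("display_name_address")
    return findings

# Constructed sample headers; every domain is a reserved example/test name.
EXACT_DOMAIN = """From: "Finance" <ceo@example.com>
Reply-To: accounts@sender.test
Authentication-Results: mx.forged.test; dkim=pass header.d=example.com
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@sender.test
"""
COUSIN_DOMAIN = """From: "ceo@example.com" <ceo@examp1e.test>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=examp1e.test
"""
```

The second sample passes alignment because the look-alike domain authenticates itself, so only the display-name check catches it; the first sample carries a sender-supplied Authentication-Results header that is ignored because its authserv-id is not the receiver's.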
DFIR Platform
Phishing Email Checker
The Phishing Email Checker detects spoofing through SPF, DKIM, and DMARC validation, From/Reply-To mismatch detection, and header anomaly analysis across its 26+ analysis modules.