The Problem: Email Headers Are Not Secure
Most people assume that the “From” field in an email accurately represents the sender. However, due to the way the Simple Mail Transfer Protocol (SMTP) works, this is not necessarily true. SMTP is the protocol used to send emails, and it allows for the manipulation of sender and recipient information in a way that is not verified by default.
Here’s how SMTP operates when sending an email:
1. The sending mail server introduces itself with a HELO (or EHLO for extended SMTP).
2. A MAIL FROM command specifies the sender’s email address.
3. A RCPT TO command specifies the recipient(s).
4. A DATA command sends the actual email, including headers and body.
Why This is a Security Issue
SMTP does not enforce validation of sender information. The header fields inside the message, such as To, Cc, and From, are not used to direct delivery at all: they are part of the message content handed over in the DATA step and exist only for the reader's benefit. Actual routing is driven by the envelope, the MAIL FROM and RCPT TO commands, and nothing in the protocol requires the envelope to match what appears in the visible headers.
This means that a malicious actor can:
• Send an email with a fake “From” address—making it appear as though it came from a trusted source.
• Spoof the recipient fields—misleading users about who else received the email.
• Make phishing emails look completely legitimate—tricking users into clicking malicious links or providing sensitive information.
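The separation described above, seen from the receiving side, as an added example that is not part of the original article: a minimal scripted SMTP receiver processes a constructed client transcript, records the envelope from HELO/MAIL FROM/RCPT TO, and only afterwards parses the From:/To: headers out of the DATA payload. Comparing the two shows what the protocol itself never checks. All host names, addresses and the transcript are constructed for the example.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed client-side transcript of one SMTP session (not captured traffic).
# The envelope sender and recipient (MAIL FROM / RCPT TO) deliberately differ
# from the From:/To: header fields so the mismatch is visible in the output.
CLIENT_TRANSCRIPT = [
    "EHLO mail.example.net",
    "MAIL FROM:<bounce-handler@example.net>",
    "RCPT TO:<alice@example.org>",
    "DATA",
    "From: Finance Director <director@bigcorp.example>",
    "To: Bob <bob@bigcorp.example>",
    "Subject: Invoice",
    "",
    "Bob, please approve the attached invoice today.",
    ".",
    "QUIT",
]


def _strip_angle(arg):
    """'<a@b>' -> 'a@b' (tolerates a missing bracket pair)."""
    return arg.strip().strip("<>")


def run_session(client_lines):
    """Act as a minimal receiving MTA for a scripted client.

    Returns (replies, envelope, raw_message): the server's reply lines, the
    envelope built only from HELO/MAIL/RCPT, and the DATA payload as text.
    """
    replies = ["220 mx.example.org ESMTP ready"]
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    data_lines = []
    in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 Queued")
            else:
                # Undo SMTP dot-stuffing for body lines that start with a period.
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            envelope["helo"] = arg.strip()
            replies.append("250 mx.example.org")
        elif verb == "MAIL":
            envelope["mail_from"] = _strip_angle(arg.split(":", 1)[1])
            replies.append("250 OK")
        elif verb == "RCPT":
            envelope["rcpt_to"].append(_strip_angle(arg.split(":", 1)[1]))
            replies.append("250 OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Unrecognised command")
    return replies, envelope, "\n".join(data_lines)


def envelope_vs_headers(envelope, raw_message):
    """Compare the routing data (envelope) with the displayed From:/To: headers."""
    msg = message_from_string(raw_message, policy=default)
    header_from = parseaddr(msg["From"] or "")[1]
    header_to = [parseaddr(a)[1] for a in msg["To"].split(",")] if msg["To"] else []
    return {
        "header_from": header_from,
        "from_matches_envelope": header_from == envelope["mail_from"],
        "header_to": header_to,
        "to_matches_envelope": sorted(header_to) == sorted(envelope["rcpt_to"]),
    }


if __name__ == "__main__":
    replies, envelope, raw = run_session(CLIENT_TRANSCRIPT)
    print("envelope:", envelope)
    print("headers :", envelope_vs_headers(envelope, raw))
```

The receiver accepts the message with a plain 250 at every step; the only place the envelope survives is in the Return-Path and Received headers a real MTA adds on delivery, which is why those headers are the ones worth reading when a message looks suspicious.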
How Scammers Exploit This Weakness
Because SMTP does not verify sender identities, scammers and attackers can send emails that appear to come from legitimate companies, government agencies, or even a victim’s coworkers or friends. Here are some common scams that take advantage of this:
• Phishing Attacks: Emails appearing to be from banks, PayPal, or other trusted institutions ask recipients to “verify” their information by entering credentials on a fake website.
• Business Email Compromise (BEC): Attackers impersonate executives or managers, instructing employees to wire money or send confidential data.
• Fake Support Emails: Cybercriminals pretend to be customer service representatives from major companies, tricking users into handing over their login credentials.
• Extortion and Blackmail: Scammers send emails pretending to be law enforcement or hackers, demanding payment in cryptocurrency to avoid consequences.
Why Fixing This is Difficult
The biggest challenge in securing email is that it was designed as a decentralised system, meaning there is no single authority that controls email security globally. Implementing a security solution without breaking existing email infrastructure is difficult.
One possible solution would be for email clients to ignore unverified headers, but this would make email inconvenient because:
• Users would lose the ability to see who an email was addressed to.
• The “From” field might have to be removed entirely unless verified, which could disrupt email usability.
Because of these trade-offs, email providers continue to display headers even though they can be falsified.
Attempts to Fix Email Spoofing: SPF, DKIM, and DMARC
To improve email security, modern email services use a combination of three protocols:
1. SPF (Sender Policy Framework) – Allows domain owners to specify which mail servers are allowed to send emails on their behalf.
2. DKIM (DomainKeys Identified Mail) – Uses a cryptographic signature, checked against a public key published in the signing domain's DNS, to verify that the signed parts of an email were not altered after being sent.
3. DMARC (Domain-based Message Authentication, Reporting & Conformance) – Builds on SPF and DKIM to allow domain owners to specify how to handle emails that fail authentication.
While these protocols help prevent domain-based spoofing, they do not verify the recipient fields (To, Cc) or fully prevent email impersonation.
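How the three fit together, as an added example that is not part of the original article: a simplified DMARC evaluator takes the SPF and DKIM results a receiver already has and applies the identifier-alignment rule against the From: domain and the policy that domain publishes. It also shows the limit the paragraph above describes: only the From: domain is checked, never To or Cc. The policy record, domain names and the organisational-domain shortcut (last two labels instead of the Public Suffix List) are assumptions made for the example.

```python
# Simplified DMARC evaluation (example code, not a library implementation).
# Inputs are the results the receiver obtained from its own SPF and DKIM
# checks; the From: domain comes from the message header.

def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; aspf=s' into a tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain):
    """Simplification for the example: the last two labels are the organisation.
    Real validators consult the Public Suffix List (think 'example.co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts any subdomain of the same organisation."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC verdict and the disposition the domain owner asked for.

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain is
    the d= value of a signature that verified. Either may be None.
    """
    tags = parse_dmarc_record(dmarc_txt)
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        # p= applies only to failing messages; a passing one is delivered normally.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed policy record for the hypothetical domain bigcorp.example.
POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@bigcorp.example"


def demo():
    """Four constructed cases; returns their verdicts in order."""
    # 1. Spoofed From: SPF passes for the sender's own envelope domain, but that
    #    domain is not aligned with the From: domain and there is no DKIM signature.
    spoofed = evaluate_dmarc("bigcorp.example", POLICY, "pass", "example.net", "none", None)
    # 2. Legitimate mail via a third-party service: SPF authorises the service's
    #    envelope domain, but a DKIM signature with d=bigcorp.example aligns.
    via_provider = evaluate_dmarc("bigcorp.example", POLICY, "pass", "mailer.example", "pass", "bigcorp.example")
    # 3. A subdomain sender fails under strict SPF alignment but passes under relaxed.
    strict = POLICY.replace("aspf=r", "aspf=s")
    sub_strict = evaluate_dmarc("bigcorp.example", strict, "pass", "news.bigcorp.example", "none", None)
    sub_relaxed = evaluate_dmarc("bigcorp.example", POLICY, "pass", "news.bigcorp.example", "none", None)
    return spoofed, via_provider, sub_strict, sub_relaxed


if __name__ == "__main__":
    for case in demo():
        print(case)
```

Case 1 is the point of the section: SPF can legitimately pass for whatever envelope domain the sender controls, and it is only the alignment step that ties the result back to the From: address the user sees.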
How Users Can Protect Themselves
Because email spoofing remains a major issue, users need to be vigilant when handling emails:
1. Check the Email Headers
• Many email clients allow users to view “raw” email headers. If the “Return-Path” or “Received” headers do not match the “From” address, it could be a spoofed email.
2. Be Wary of Urgent Requests for Information
• Legitimate companies and banks will never ask for sensitive information via email.
3. Look for Authentication Indicators
• Major providers like Gmail and Outlook display indicators when an email is verified through SPF, DKIM, and DMARC.
4. Use Cryptographic Email Verification (PGP)
• Pretty Good Privacy (PGP) or S/MIME encryption can be used to digitally sign emails, ensuring they have not been tampered with.
5. Enable Two-Factor Authentication (2FA) on All Accounts
• Even if credentials are stolen, 2FA can prevent unauthorised access.
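Steps 1 and 3 above (reading the raw headers, and reading the authentication verdict the provider attached) carried out in code, as an added example that is not part of the original article: the script parses a constructed raw message, pulls out Return-Path, the first Received hop and the Authentication-Results header, and lists the points a careful reader would flag. The message, host names and addresses are constructed; no real capture is used.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed raw message (not a real capture). The receiving server
# mx.example.org added Return-Path, Received and Authentication-Results on top.
RAW_MESSAGE = """Return-Path: <bounce-handler@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123
\tfor <alice@example.org>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=example.net;
\tdkim=none;
\tdmarc=fail header.from=bigcorp.example
From: Finance Director <director@bigcorp.example>
To: Bob <bob@bigcorp.example>
Subject: Invoice

Bob, please approve the attached invoice today.
"""


def domain_of(address):
    """'user@host' -> 'host' (empty string when there is no address)."""
    return address.rpartition("@")[2].lower()


def parse_authentication_results(value):
    """Parse 'authserv-id; method=result prop=val; ...' into (authserv-id, dict)."""
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    if not parts:
        return "", {}
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return parts[0], results


def inspect_message(raw):
    """Summarise the header evidence a reader should look at before trusting From:."""
    msg = message_from_string(raw, policy=default)
    header_from = parseaddr(msg["From"] or "")[1]
    return_path = parseaddr(msg["Return-Path"] or "")[1]
    # Each hop prepends its own Received header, so the last one is the first hop.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)", " ".join(received[-1].split())) if received else None
    authserv_id, auth = parse_authentication_results(msg["Authentication-Results"] or "")

    warnings = []
    if domain_of(return_path) != domain_of(header_from):
        warnings.append("Return-Path domain differs from From domain")
    if auth.get("dmarc", {}).get("result") not in (None, "pass"):
        warnings.append("DMARC did not pass")
    if auth.get("dkim", {}).get("result", "none") != "pass":
        warnings.append("no valid DKIM signature")
    return {
        "from_address": header_from,
        "from_domain": domain_of(header_from),
        "return_path_domain": domain_of(return_path),
        "first_hop": hop.group(1) if hop else None,
        "authserv_id": authserv_id,
        "auth": auth,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in inspect_message(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A Return-Path on a different domain is a prompt to look closer rather than proof on its own, since mailing lists and bulk-mail services produce the same pattern for legitimate mail; the Authentication-Results line, written by your own provider, is the stronger signal because it already reflects the SPF, DKIM and DMARC checks described earlier.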
Email is inherently insecure when it comes to sender verification, and scammers continue to exploit this weakness to launch phishing and impersonation attacks. While security measures like SPF, DKIM, and DMARC help verify domain authenticity, they do not fully eliminate the risk of email spoofing.
Until email protocols are fundamentally redesigned, users must remain cautious and employ security best practices to avoid falling victim to these scams. Understanding the limitations of email security can help individuals and businesses better protect themselves against cyber threats.