Sending an email from an email account that you don’t control is called email spoofing. The problem with spoofed messages compared to other phishing messages (e.g. Nigerian Prince schemes) is that spoofed emails usually impersonate someone the recipient trusts. Essentially, the attacker is claiming the “sender’s” identity and abusing their credibility to trick the victim into taking some action. This can be a funny prank or extremely damaging to the target and the victim. Since it's such a common problem, it seems like it must be easy to do. To find out how easy it is to send a spoofed email, I gave it a try. It turns out it's incredibly simple. Here's how you can send a spoofed message.

Step 1: Choose a Method

There are multiple methods for spoofing a domain. Some are very technical, some are not. To find them, all it took was a Google search. I used a website to send a spoofed message for me, which was one of the top search results.

Step 2: Select a Target

The target of your spoofed email is the domain that you are impersonating, which becomes the ending of the “from” address you choose. If I want to impersonate Facebook, I might use “mzuckerberg@facebook.com,” but I can’t spoof facebook.com because it has a DMARC Reject policy. The target domain needs to be a registered domain; you can’t spoof a domain that doesn’t exist. In addition, it needs to be a domain that’s not using a DMARC Quarantine or Reject policy. A None policy can be spoofed, although the domain owner should notice your spoof. I used gatech.edu, which is not using DMARC. To see if a particular domain is using DMARC or what its DMARC policy is, use Fraudmarc’s Email Security Score tool. For more information about Fraudmarc’s Email Security Scores, see our post, Understanding Fraudmarc’s Email Security Scores.You’ll also need a name for the “from” field. This can be anything, but typically it’s a person’s name. I used George P Burdell to match the “from email address,” georgepburdell@gatech.com.

Step 3: Select a Victim

The victim of your spoofed email is the recipient of your message. This can be a fun way to prank your friends and colleagues. Or it could be more malicious. These emails are very convincing. I chose my boss.

Step 4: Write Your Message

This is the same as writing an email from your account. Except you are posing as someone else. College students have sent messages to their roommates “from” potential employers saying they got a job offer, and high school students have emailed their school “from” their parents to excuse themselves from classes. People have also emailed to their colleagues “from” their bosses to get out of work responsibilities. The possibilities are endless. While some scenarios lead to laughs, others can have costly or devastating consequences.For my prank, I sent this:

sending a spoofed message

Step 5: Send Your Spoofed Message

Once I filled in all the fields on the website, I hit send, verified that I'm not a robot, and the website showed that the email was successfully sent. That was too easy.

Success! (sending a spoofed message)

The Results

My boss was not fooled. Of course, he is the CEO of a cybersecurity company, and I sent an email from an infamous Georgia Tech Alumni requesting an outrageous pay increase. However, when we examined the email header, which contains all the details about the email, there was no difference between the spoofed version and a legitimate email from gatech.edu.

spoofed message compare to real email without DMARC

It’s Time to End Spoofed Emails

Once I found the site, it took me less than 5 minutes to send the message. A 5th grader could do it. While my example is meant to amuse, this should be alarming to anyone who values their domain, which represents their brand. Although spoofing a domain is surprisingly easy, so is protecting domains from spoofing. DMARC fixes this problem by blocking this type of phishing attack. To understand more about the features of DMARC, see Fraudmarc’s post, What DMARC Can & Can’t Do for Domains.

Fraudmarc Can Help

A domain with a Quarantine or Reject policy can’t be so easily spoofed because DMARC works to secure domains against spoofing. To learn how DMARC works, check out our info page, What is DMARC. The more restrictive DMARC policies block spoofed messages from inboxes because spoofed messages don't pass email authentication- SPF and DKIM. With no DMARC policy or with the monitor-only None policy, the spoofed email is delivered despite failing email authentication.Fraudmarc makes blocking spoofed email easy for the domain owner. Fraudmarc offers a variety of plans and tools, including free options, to help every domain block spoofed emails using DMARC. Fraudmarc’s tools help with managing and monitoring as many authorized senders and DKIM selectors as required for your business. Fraudmarc uses SPF Compression, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Fraudmarc’s DMARC reports are free, so you have the information you need to configure your policies accurately. For some tips on how to implement a Reject policy, see Fraudmarc’s post, How to Implement a Reject Policy. If you want more hands-on assistance with this, let us know.

At Fraudmarc, we want to end spoofed emails. Let’s #GetToReject!