This article is meant to help email users with questions on email spoofing and how to prevent it.
First of all, email spoofing is defined as email that fakes its FROM address. In practice, this is VERY easy to do, and anyone that tells you it can be prevented is technically lying. I can create a script or mailing domain on ANY of the HostMySite webservers or mailservers right now that sends mail as if it were from
someuser@hotmail.com
even though our servers are NOT the hotmail servers. The reason for this is quite simple - one can create an outbound email message and define all of its characteristics, including the FROM field, using any number of scripting languages or email progams. This particular functionality is due to the inherent insecurity in the SMTP protocol - a set of standards that was created over 20 years ago and its creators never imagined that it would achieve such longevity.
In recent years this protocol has been expanded upon in an effort to prevent spammers from creating misleading emails, i.e. messages that 'spoof' the FROM address in their header and claim to be from somewhere they aren't. Two major efforts in this direction are SPF records and DomainKeys/DKIM. More information on these two anti-spoofing techniques can be found at the following websites:
http://www.openspf.org/ (SPF Records)
http://www.dkim.org/ (DomainKeys or DKIM - DomainKeys Identified Mail)
In addition, I would recommend looking up both protocols in Wikipedia. Here's a short summary of both for fans of brevity:
SPF Records: Uses a unique TXT record in the sending domain's DNS Zone to identify the mailservers that are allowed to send mail for a given domain.
DomainKeys: (From Wikipedia, since I'm not as familiar with this technology) DKIM adds a header named "DKIM-Signature" that contains a digital signature of the contents (headers and body) of the mail message. The receiving SMTP server then uses the name of the domain from which the mail originated, the string _domainkey, and a selector from the header to perform a DNS lookup. The returned data includes the domain's public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail originated at the purported domain and has not been tampered with in transit.
In short, both use DNS to verify that a message comes from the domain that it states in the FROM field of the message header. So, why doesn't this prevent spoofing completely?
1. Because the recipient mailserver still has to check for the existence of the anti-spoofing elements. If it's not checking, the message will still go through as normal.
2. Because the existence of anti-spoofing technology does NOT prevent the spammer from sending mail, it just provides the recipient a way to verify the mail.
This means that EVEN IF you add anti-spoofing technology to your domain name, that does not prevent spammers from spoofing your domain! However, it DOES give recipients a method in which to validate your mail. If they aren't validating, there is nothing you can do to prevent others from 'faking' your domain name though.
As of this post, most if not all major commercial email providers have SPF or DomainKeys technology implemented, and all anti-spam agencies (i.e.,
Postini) most certainly do. So, if you have a
Yahoo, MSN, Gmail, etc account then your mail is most certainly filtered in this manner. If your email accounts are on a private commercial webhost (HostMySite, 1and1, GoDaddy, Rackspace, etc.) then such technology may exist but it may not be enabled by default. So, as you can see using SPF/DomainKeys on the domains that you control will help your messages deliver, and also help prevent others from spoofing your domain, however in practice there may be some implementation that needs to be done in order to make this happen.
HostMySite, for example, offers the ability to create SPF records or DomainKeys for any of the domains hosted on it's network, however due to the nature of said records they cannot be created automatically and must instead be specifically requested from Support, since our technicians would need to know exactly where you are sending mail from in order to properly configure these technologies.
As an important side note, many times you will recieve a message from
user@domain.xyz, where
user@domain.xyz is YOUR EMAIL address. This is a VERY common practice by spammers, but it doesn't mean that they are sending out thousands (or millions) of messages with your address as the FROM address. What is happening here is the spammer is using a script that dynamically changes the FROM address to match whatever address the message is delivering to. So, in my case my address is
jamie@hostmysite.com so the message will appear to be from
jamie@hostmysite.com. If your address is
joe@smith.com, you could be on the SAME spammer's mailing list and the message would appear to come from
joe@smith.com, NOT
jamie@hostmysite.com. The lesson here: if you recieve such a message the best way to prevent it is to make sure your domain is configured with DomainKeys or SPF (or in a perfect world, both) then make sure your mailserver is configured to REJECT all messages that don't conform to these anti-spoofing technologies.
The good news is that EVERY mailserver that can be configured for DomainKeys/SPF also has the ability to allow messages in which the domain that the message appears to be from doesn't have DomainKeys/SPF enabled. In other words, if someone is sending you a message and does not have anti-spoofing technology in place, the message will still deliver. However, if they are sending you a message and they DO have anti-spoofing technology in place, your mailserver will validate the message and make certain that it is coming from where it claims to be coming from.
