GUIDE WHAT IS MAIL SPOOFING AND HOW TO AVOID IT USING SPF 2020 -WAU


What is Mail Spoofing and how to avoid it using SPF

If we turn to sources like Wikipedia, we see mail spoofing described as a “Phishing technique generally with malicious or investigative uses”.

“Spoofing attacks can be classified, depending on the technology used. Among them we have IP Spoofing (perhaps the best known), ARP spoofing, DNS spoofing, Web spoofing or email spoofing, although in general any network technology susceptible to identity theft can be included within spoofing”.

Put simply, mail spoofing is when someone sends you an email in which the From (sender) field is false, so the email could claim to have been sent by, for example, bankia.es or any other entity or company the sender wants to impersonate.

Spammers often use spoofing to get recipients to open messages, and possibly even to respond to their requests. Phishing can be used legitimately, even if it is illegal, and mail spoofing can be considered full-blown identity theft.

Mail spoofing is possible because the Simple Mail Transfer Protocol (SMTP), the main protocol used for sending email, does not include an authentication mechanism.

An extension of the SMTP service (specified in IETF RFC 2554) allows an SMTP client to negotiate a level of security with a mail server, but this precaution is not always taken. If proper precautions are not taken, anyone with the necessary knowledge can connect to the server and use it to send messages. To send a spoofed email, senders enter commands in the headers that alter the information in the message (spoofing).

With this it is possible to send a message that seems to be from anyone, from anywhere, saying whatever the sender wants to say. Therefore, someone can send counterfeit emails that appear to be yours, with a message you did not write, from your email domain @domain.com.

If you receive an email that has not been sent from your email address, there are two possibilities:

  1. The message is fraudulent: it has been sent falsifying your address as if you were the sender.
  2. The actual sender has set your email address as the reply address so that replies are sent to your account.

One way to find out the origin of an email is to read the headers of the received message. From them we can obtain information such as the date and time of sending, the sender (which will be the impersonated address), the User-Agent the mail supposedly came from (which can also be forged), and other data that may be useful to system administrators in a later analysis.

Header example:

    Delivered-To: [email protected]
    Received: by 10.103.197.9 with SMTP id z9cs22623mup;
            Sun, 7 Ago 2014 10:54:05 -0800 (PST)
    Received: by 10.103.85.4 with SMTP id n4mr3722461mul.128.1265568845523;
            Sun, 07 Ago 2014 10:54:05 -0800 (PST)
    Return-Path:
    Received: from localhost (30.Red-79-158-250.staticIP.rima-tde.net [79.158.250.30])
            by mx.google.com with SMTP id u26si17461538mug.45.2010.02.07.10.54.05;
            Sun, 07 Ago 2014 10:54:05 -0800 (PST)
    Received-SPF: softfail (google.com: domain of transitioning [email protected]
            does not designate 79.158.250.30 as permitted sender) client-ip=79.158.250.30;
    From: Theliel
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b2pre Thunderbird/3.0.1
    MIME-Version: 1.0
    Subject: Test
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    ...
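As an added example (not part of the original article), the Python sketch below pulls the fields an administrator would check first out of a header like the one above: the SPF verdict, the connecting IP, and whether the visible From domain differs from the Return-Path domain. The sample message is constructed; its addresses and the `triage` function name are placeholders chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header above; addresses are placeholders.
RAW = """\
Delivered-To: recipient@example.org
Received: by 10.103.197.9 with SMTP id z9cs22623mup;
        Sun, 7 Feb 2010 10:54:05 -0800 (PST)
Return-Path: <bounce@mailer.example>
Received: from localhost (30.Red-79-158-250.staticIP.rima-tde.net [79.158.250.30])
        by mx.google.com with SMTP id u26si17461538mug.45;
        Sun, 07 Feb 2010 10:54:05 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning bounce@mailer.example
        does not designate 79.158.250.30 as permitted sender) client-ip=79.158.250.30;
From: Theliel <someone@bank.example>
User-Agent: Mozilla/5.0 Thunderbird/3.0.1
Subject: Test

body
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw):
    msg = message_from_string(raw)
    # Only the topmost Received-SPF (added by your own server) is trustworthy;
    # anything below it may have been written by the sender.
    spf = " ".join((msg.get("Received-SPF") or "").split())  # unfold the header
    verdict = spf.split(" ", 1)[0].lower() if spf else "none"
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", spf)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    return {
        "spf": verdict,
        "client_ip": ip.group(1) if ip else None,
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        # SPF checks the envelope domain, not the From line the user sees.
        "domains_differ": bool(from_dom and env_dom and from_dom != env_dom),
        "hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    print(triage(RAW))
```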

How do you get a complete email header? Check the following link in case it is useful to you.

70% of emails sent are spam

Recent studies carried out by IT Security Company Lab showed that 70% of all emails sent worldwide are spam. To protect users from this type of malicious message, most large email providers (Gmail, Hotmail, etc.) are very strict in managing email filters.

Source: Google / Gmail 2013


How to fight it?

By implementing SPF, a protection system applied to email servers to protect them against falsification of sender addresses.

SPF is responsible for identifying, by IP and through DNS records, the SMTP mail servers authorized to send messages from a specific domain.

How does it work?

  1. The sender sends an email.
  2. The message reaches the recipient’s incoming mail server, or receiver, which calls its Sender ID Framework (SIDF).
  3. The SIDF queries the SPF record of the domain that the sender uses to send the mail and determines whether or not it passes.
  4. If the email is not returned, it is passed to the reputation filters to be classified accordingly.
  5. The mail is delivered to the recipient.

Currently, many companies do not implement an SPF record for their mail servers or do not validate it, and they also do not verify, through a reverse lookup of the IP address sending the message, that it really belongs to the legitimate mail server it claims to be.

At Websites Are Us, SPF (Sender Policy Framework) and DKIM can be enabled to prevent mail spoofing.

We can configure SPF from cPanel simply by activating “Email authentication”. We access the cPanel of our website and, in the “Mail” section, click “Email authentication”.

On the screen that appears we can see a section for SPF, with an “Activate” button in case it is deactivated. We click this button, and after activation we see a screen confirming that the SPF record has been activated and showing the record itself.

After activation we click the “Back” button and we can see the advanced SPF options.

Note: Subdomains are treated individually and are not covered by the domain's SPF records.

In the following video made by Jordi Sala, you can see how to manage the advanced SPF options and use “Email authentication” in cPanel.

Having an SPF record correctly implemented and adapted to your needs prevents others from impersonating your identity. With it, mail servers will know that your email is legitimate, which keeps your emails from being classified as spam.

Member of the Websites Are Us technical team.
Coordinator of content on the Blog and YouTube.
Technical support in CyberProtector. Teacher at Websites Are Us Learning.

May 12th, 2020 | Hosting Administration