Email Spoofing Explained: How Attackers Do It and How DMARC Blocks Them

Introduction

Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.

This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.


1. Email Spoofing 101 — Why SMTP Allows It

SMTP does not validate who the sender truly is.
An attacker can control:

a) The SMTP Envelope (“MAIL FROM”)

Used for return-path, bounce messages, and SPF checks.

b) The Email Header (“From:”)

What the human sees in Outlook, Gmail, iPhone Mail.

Both can be forged.
That means an attacker can send:

MAIL FROM: <[email protected]>
From: Jane Doe <[email protected]>

…even though they do not own that domain.


2. Step-by-Step: How Attackers Use SMTP to Forge Email

(Everything below uses neutral demonstration domains to avoid referencing any real organization.)

S: 220 mail.fake-sender.net SMTP Ready
C: HELO mail.fake-sender.net
S: 250 Hello
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 Accepted
C: DATA
S: 354 Start mail input
C: Subject: Urgent – Please Review
C: From: [email protected]
C: To: [email protected]
C:
C: Hi Bob,
C: Please review this document:
C: https://malicious-link-example.net/file
C:
C: Thanks,
C: Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Goodbye

Important:
This is exactly how attackers craft spoofed email — the same RFC-compliant commands a normal email client uses.


3. How Attackers “Harvest” SPF and DKIM Using DNS

Attackers don’t guess your DNS settings.
They simply query them publicly, like anyone else on the internet.


Example: Retrieving DKIM Keys

nslookup -type=txt selector1._domainkey.victim-of-spoofing.com

This returns the DKIM public key. The public key cannot be used to forge a valid signature (that needs the private key, which never leaves your mail system); attackers use it to learn which selectors exist and to mimic the structure of a legitimately signed message in their spoofing attempts.


Example: Retrieving SPF Records

nslookup -type=txt victim-of-spoofing.com

Result:

"v=spf1 include:_spf.example-email.net -all"

Attackers now know:

  • what legitimate sending systems you use
  • how strict your SPF policy is
  • which vendors to impersonate

SPF & DKIM are public, and attackers rely on that.


4. Why SPF and DKIM Alone Are Not Enough

SPF checks whether the connecting server's IP is authorized to send mail for the envelope (MAIL FROM) domain.
DKIM checks message integrity: that the signed headers and body have not been altered since they were signed with a key published under the signing (d=) domain.

But both fail in these common scenarios:

SPF Fails to Protect When:

  • A scammer spoofs only the header From (SPF never looks at the header From, so the check passes for the attacker's own envelope domain)
  • Email is forwarded (the forwarding server's IP is not in the original domain's SPF record, so a legitimate message fails)
  • Attackers use free SMTP servers with permissive policies

DKIM Fails to Protect When:

  • The spoofed domain publishes no DKIM at all (there is no signature for the receiver to verify)
  • Attackers send from a domain they do own, with a valid DKIM signature for that domain
  • Emails pass through relays that modify the message (mailing-list footers, disclaimers), which breaks the signature

This is why companies get spoofed even with “perfect” SPF/DKIM.


5. DMARC Alignment — The Real Line of Defense

DMARC requires:

✔ SPF Alignment

SPF must pass, and the envelope (MAIL FROM) domain must match the header From domain.

✔ DKIM Alignment

The signature must verify, and the DKIM signing domain (the d= tag) must match the header From domain.

In both cases "match" means an exact match in strict mode, or the same organizational domain in relaxed mode (the default).

If neither check passes with alignment, the policy the domain owner publishes (the p= tag of the DMARC record) tells receivers to:

  • none — monitor only
  • quarantine — send to spam
  • reject — block outright

Reject is where spoofing finally dies.
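As an added example (not code from the original post), here is a small DMARC alignment evaluator that applies the checks from sections 4 and 5 to the spoofed session in section 2 and to a forwarded message. The DMARC record, domains and SPF/DKIM results are constructed inputs, and the organizational-domain rule is simplified.

```python
"""DMARC alignment evaluator. Added example, not code from the original post;
the SPF/DKIM results are assumed to have been computed by the receiving MTA
and are passed in as constructed inputs."""


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same
    organizational domain (mail.example.com aligns with example.com)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value; tag=value' pairs of a DMARC TXT record.
    adkim/aspf default to relaxed per the spec; p= is mandatory in the spec,
    defaulting it to 'none' here is a simplification for the demo."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate(record: str, header_from: str, mail_from: str, spf_result: str,
             dkim_domain, dkim_result: str):
    """Return (dmarc_pass, disposition). DMARC passes when at least one of SPF
    or DKIM both authenticated AND is aligned with the header From domain;
    otherwise the From domain owner's p= policy decides the disposition."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from, header_from, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, header_from, tags["adkim"]))
    return (True, "deliver") if (spf_ok or dkim_ok) else (False, tags["p"])


# Constructed record for the demonstration domain used in this post.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s"

if __name__ == "__main__":
    # Section 2 session: envelope fake-sender.net, From victim-of-spoofing.com.
    # Even if SPF passes for fake-sender.net it is not aligned, so p=reject applies.
    print(evaluate(RECORD, "victim-of-spoofing.com", "fake-sender.net", "pass", None, "none"))
    # Forwarded mail: SPF breaks, but an aligned DKIM signature still passes DMARC.
    print(evaluate(RECORD, "victim-of-spoofing.com", "forwarder.example", "fail",
                   "victim-of-spoofing.com", "pass"))
```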


6. Two Ways Attackers Deliver Spoofed Email

This is critical for interview-level mastery:

1️⃣ Using Their Own SMTP Server

Attackers set up a server where:

  • they control all DNS
  • they can configure any RFC behavior
  • they can impersonate any domain

This allows highly believable spoofing.

2️⃣ Using Vulnerable Third-Party SMTP Servers

Attackers often search for:

  • misconfigured mail relays
  • open SMTP relays
  • free spoofing services

Both methods work unless DMARC reject + Proofpoint is in place.


7. Why Proofpoint Completes the Protection

Even with DMARC reject, attackers still spoof:

  • VIP names (“Display Name Spoofing”)
  • Lookalike domains (e.g., companny-secure.com)
  • Legitimate cloud providers that DMARC trusts
  • OAuth-compromised accounts (EAC)

Proofpoint adds:

  • Identity threat intelligence
  • Imposter protection (BEC Defense)
  • Lookalike domain analysis
  • Behavioral anomaly detection
  • URL rewriting + sandboxing
  • Real-time classification

Without Proofpoint, DMARC is only half of the defense.
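The first two bullets above (display-name spoofing and lookalike domains) pass DMARC because the attacker's own domain is aligned, so they need a content-level check. The following is an added example of such a check (not Proofpoint's code); the VIP list and protected domains are constructed, and a one- or two-character edit distance is used as a simple lookalike heuristic.

```python
"""Display-name and lookalike-domain checks on a From: header.
Added example, not Proofpoint's code; VIPS and PROTECTED are constructed."""
from email.utils import parseaddr

VIPS = {"jane doe": "company-secure.com"}   # constructed: VIP name -> home domain
PROTECTED = {"company-secure.com"}          # constructed: domains the company owns


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-misses such as companny-secure.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    # Fold case, punctuation and spacing so "Doe, Jane" and "jane  doe" compare alike.
    return " ".join(name.lower().replace(",", " ").split())


def check_from(header_value: str) -> list:
    """Return a list of findings for a From: header value; empty means clean."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    key = normalize(name)
    if key in VIPS and domain != VIPS[key]:
        findings.append(f"display-name spoof: '{name}' sent from {domain or 'no address'}")
    # Display name carrying an address at a protected domain while the real
    # address is elsewhere, e.g. "jane@company-secure.com" <x@evil.example>.
    if "@" in name and name.rsplit("@", 1)[-1].lower() in PROTECTED and domain not in PROTECTED:
        findings.append(f"embedded address in display name: '{name}' from {domain}")
    for good in PROTECTED:
        if domain and domain != good and levenshtein(domain, good) <= 2:
            findings.append(f"lookalike domain: {domain} resembles {good}")
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane@company-secure.com>",
                "Jane Doe <jane.doe@free-webmail.example>",
                "Jane Doe <jane@companny-secure.com>"):
        print(hdr, "->", check_from(hdr))
```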


Conclusion

Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.

The only way to fully protect executives, employees, and customers is:

✔ SPF
✔ DKIM
✔ DMARC (reject)
✔ PLUS Proofpoint’s identity + behavioral controls

This is the combination that stops real-world BEC/EAC attacks.


© 2012–2025 Jet Mariano. All rights reserved.