Jet Mariano

Tag: SMTP

  • Email Spoofing Explained: How Attackers Do It and How DMARC Blocks Them

    Introduction

    Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.

    This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.

    1. Email Spoofing 101 — Why SMTP Allows It

    SMTP does not validate who the sender truly is.
    An attacker can control:

    a) The SMTP Envelope (“MAIL FROM”)

    Used for return-path, bounce messages, and SPF checks.

    b) The Email Header (“From:”)

    What the human sees in Outlook, Gmail, iPhone Mail.

    Both can be forged.
    That means an attacker can send:

    MAIL FROM: <[email protected]>
From: Jane Doe <[email protected]>

    …even though they do not own that domain.

    2. Step-by-Step: How Attackers Use SMTP to Forge Email

    (Everything below uses neutral demonstration domains to avoid referencing any real organization.)

    S: 220 mail.fake-sender.net SMTP Ready
C: HELO mail.fake-sender.net
S: 250 Hello
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 Accepted
C: DATA
S: 354 Start mail input
C: Subject: Urgent – Please Review
C: From: [email protected]
C: To: [email protected]

Hi Bob,
Please review this document:
https://malicious-link-example.net/file

Thanks,
Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Goodbye

    Important:
    This is exactly how attackers craft spoofed email — the same RFC-compliant commands a normal email client uses.

    3. How Attackers “Harvest” SPF and DKIM Using DNS

    Attackers don’t guess your DNS settings.
    They simply query them publicly, like anyone else on the internet.

    Example: Retrieving DKIM Keys

    nslookup -type=txt selector1._domainkey.victim-of-spoofing.com

    This returns the DKIM public key, which attackers use to craft more believable spoofing attempts (not to break DKIM, but to mimic structure).

    Example: Retrieving SPF Records

    nslookup -type=txt victim-of-spoofing.com

    Result:

    "v=spf1 include:_spf.example-email.net -all"

    Attackers now know:

    • what legitimate sending systems you use
    • how strict your SPF policy is
    • which vendors to impersonate

    SPF & DKIM are public, and attackers rely on that.

    4. Why SPF and DKIM Alone Are Not Enough

    SPF checks the envelope (MAIL FROM).
    DKIM checks the message integrity.

    But both fail in these common scenarios:

    SPF Fails When:

    • A scammer spoofs only the header From
    • Email is forwarded
    • Attackers use free SMTP servers with permissive policies

    DKIM Fails When:

    • Sender uses a domain with no DKIM at all
    • Attackers spoof domains they do own
    • Emails pass through weak relays

    This is why companies get spoofed even with “perfect” SPF/DKIM.

    5. DMARC Alignment — The Real Line of Defense

    DMARC requires:

    ✔ SPF Alignment

    Envelope domain must match header From domain.

    ✔ DKIM Alignment

    DKIM signature domain must match the header From.

    If neither aligns, DMARC instructs receivers to:

    • none — monitor only
    • quarantine — send to spam
    • reject — block outright

    Reject is where spoofing finally dies.

    6. Two Ways Attackers Deliver Spoofed Email

    This is critical for interview-level mastery:

    1️⃣ Using Their Own SMTP Server

    Attackers set up a server where:

    • they control all DNS
    • they can configure any RFC behavior
    • they can impersonate any domain

    This allows highly believable spoofing.

    2️⃣ Using Vulnerable Third-Party SMTP Servers

    Attackers often search for:

    • misconfigured mail relays
    • open SMTP relays
    • free spoofing services

    Both methods work unless DMARC reject + Proofpoint is in place.

    7. Why Proofpoint Completes the Protection

    Even with DMARC reject, attackers still spoof:

    • VIP names (“Display Name Spoofing”)
    • Lookalike domains (e.g., companny-secure.com)
    • Legitimate cloud providers that DMARC trusts
    • OAuth-compromised accounts (EAC)

    Proofpoint adds:

    • Identity threat intelligence
    • Imposter protection (BEC Defense)
    • Lookalike domain analysis
    • Behavioral anomaly detection
    • URL rewriting + sandboxing
    • Real-time classification

    Without Proofpoint, DMARC is only half of the defense.

    Conclusion

    Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.

    The only way to fully protect executives, employees, and customers is:

    ✔ SPF
    ✔ DKIM
    ✔ DMARC (reject)
    ✔ PLUS Proofpoint’s identity + behavioral controls

    This is the combination that stops real-world BEC/EAC attacks.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!