Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.
Although most spoofed email falls into the nuisance category and requires little action other than deletion, the more malicious varieties can cause serious problems and pose security risks. For example, a spoofed email may purport to be from a well-known shopping website, asking the recipient to provide sensitive data such as a password or credit card number. Or the spoofed email may ask the recipient to click on a link that installs malware on the recipient's computing device. One type of spear phishing used in business email compromise involves spoofing emails from the CEO or CFO of a company that works with suppliers in foreign countries, requesting that wire transfers to the supplier be sent to a different payment location.
Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) does not provide a mechanism for address authentication. Although email address authentication protocols and mechanisms have been specified to counter email spoofing, adoption of those mechanisms has been slow. The SMTP AUTH extension specified in RFC 4954, "SMTP Service Extension for Authentication", defines a way for an SMTP client to negotiate an authentication mechanism with an SMTP server to authenticate the client and, if desired, to set up additional security on the client-server session; it authenticates the submitting client to its own server, not the addresses carried in the message.
Some other proposed solutions to authenticating email senders include Sender Policy Framework (SPF), a protocol defined in RFC 7208 to allow domain managers to authorize individual hosts to use a domain in email; Domain-based Message Authentication, Reporting and Conformance (DMARC), defined as an email authentication protocol in RFC 7489; and DomainKeys Identified Mail (DKIM), which provides a way to validate a domain name identity associated with a message. Sender ID, described in RFC 4407, is an experimental protocol based largely on SPF and promoted by Microsoft, but it failed to gain any significant deployment.
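The following is an added example, not code from the original article, showing how the SPF and DMARC checks described above fit together on the receiving side. It evaluates a connecting IP against a domain's SPF record (only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented) and then applies DMARC identifier alignment between the SPF-authenticated envelope domain and the header `From:` domain. DNS is replaced by a constructed lookup table (`FAKE_DNS`) so it runs offline, and `org_domain` is a toy stand-in for the Public Suffix List lookup a real DMARC implementation performs; the domains and addresses are illustrative only.

```python
"""Added example: offline SPF evaluation plus DMARC identifier alignment.

FAKE_DNS is a constructed stand-in for DNS TXT lookups; the records and
IP ranges are documentation-only values, not real infrastructure."""
import ipaddress

FAKE_DNS = {
    "example.com":      "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "attacker.test":    "v=spf1 ip4:203.0.113.0/24 -all",
    "loop.example":     "v=spf1 include:loop.example -all",  # self-referencing record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Return the SPF result for client_ip sending with MAIL FROM in `domain`.

    Supports ip4/ip6/include/all only; any other mechanism yields permerror.
    """
    if depth > 10:                       # RFC 7208 limits lookup-causing terms to 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF policy published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(client_ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"       # RFC 7208 section 5.2: included domain is broken
        else:
            return "permerror"           # mechanism not implemented in this example
    return "neutral"                     # nothing matched and no "all" term


def org_domain(domain):
    """Toy organizational domain: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_spf_aligned(from_header_domain, mail_from_domain, mode="r"):
    """DMARC alignment (RFC 7489 section 3.1): the header From domain must equal the
    SPF-authenticated domain (strict, 's') or share its organizational domain (relaxed, 'r')."""
    a, b = from_header_domain.lower(), mail_from_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(client_ip, mail_from_domain, from_header_domain, mode="r"):
    """DMARC passes via SPF only when SPF passes AND the identifiers align."""
    spf = check_spf(client_ip, mail_from_domain)
    aligned = dmarc_spf_aligned(from_header_domain, mail_from_domain, mode)
    return {"spf": spf, "aligned": aligned, "dmarc_spf_pass": spf == "pass" and aligned}


if __name__ == "__main__":
    # Legitimate mail: envelope and header domains agree, host is authorized.
    print(evaluate("192.0.2.55", "example.com", "example.com"))
    # Header-From spoof: SPF passes for the sender's own domain, but the
    # displayed From: is example.com, so DMARC alignment rejects it.
    print(evaluate("203.0.113.9", "attacker.test", "example.com"))
```

The second call in the usage block is the point of DMARC: SPF on its own only vouches for the envelope sender, so a message can pass SPF while still displaying a forged `From:` header. Alignment ties the two identities together, which is why a domain that publishes SPF without a DMARC policy remains easy to spoof in the recipient's mail client.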
To prevent becoming a victim of email spoofing, the FBI and the Federal Trade Commission urge recipients to keep antimalware software up to date, be wary of tactics used in social engineering and contact the sender directly when sharing private or financial information instead of responding through an email.