Protecting Your Email Address from Spoofing: Why SPF, DKIM, and DMARC Aren’t Enough

Many people don’t realize how easy it is to fake the sender address of an email. In other words, it’s possible to send an email from someone else’s address or from any domain you choose. Spammers, phishers, and other scammers constantly find ways to bypass SPF, DKIM, and DMARC protections. Let’s look at how they do it and how you can better protect your emails from spoofing.

The average office worker receives about 120 emails per day, most of which don’t require an urgent response, and some are outright spam. Filtering is essential in this environment.

But where there’s filtering, there are also mistakes. For example, your mail server could end up on a blacklist simply because it shares an IP range with problematic neighbors on a VPS hosting service. Unfortunately, this is a common situation.

Another major risk is sender address spoofing. Incidents like the 2014 Yahoo breach and hacks of high-profile Gmail accounts show that email address spoofing is a serious and ongoing threat.

How Email Sender Addresses Get Spoofed

There are at least 18 different ways to spoof an email sender address. For example, at the 2020 DEFCON hacker conference, a tool called espoofer was demonstrated, which can bypass SPF, DKIM, and DMARC authentication in email systems (see presentation slides, video).

The espoofer tool helps system administrators and penetration testers quickly identify vulnerabilities in target mail servers.

Unfortunately, there are many such vulnerabilities, and attackers keep finding new ways to bypass protections because the email infrastructure is fundamentally vulnerable to these types of attacks.

Why SPF, DKIM, and DMARC Protections Fall Short

In practice, scammers can successfully bypass SPF, DKIM, and DMARC protections. All three of these policies share some common weaknesses:

1. They all rely on DNS, so any known DNS attack methods (like DNS query spoofing) are effective against them.
2. They only protect the domain part of the email address, not the full address.
3. DKIM signatures are applied by the sender’s mail server and verified by the recipient’s mail server, so the integrity and authenticity of the message are not fully end-to-end. The message remains vulnerable between the client and the mail server on both the sender and recipient sides. This issue can be addressed by properly implementing TLS on both servers.

This is where S/MIME outperforms SPF, DKIM, and DMARC.

How S/MIME Provides Better Email Protection

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for encrypting and signing emails using public key cryptography. Here’s how it works:

• S/MIME signatures are applied directly by the sender’s email client and verified only by the recipient’s email client. No one can tamper with the message at any stage.
• The public key for signature verification is attached to a certificate that comes with the email, so the email client doesn’t need to rely on DNS records.
• The sender’s organization is verified by a certificate authority.
• The certificate uses the RFC 822 standard for the email address, which matches the from field exactly. This means the sender’s authenticity is guaranteed at the email address level, not just the domain.

As you can see, existing methods like SPF, DKIM, and DMARC can be bypassed and emails can be spoofed if the sender doesn’t use S/MIME protection with end-to-end encryption and digital signatures.