How does spoofing work technically?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: you get an email from ceo@yourbank.com asking you to verify your account urgently. It looks totally legitimate. But the CEO never sent it. Someone just took advantage of a design quirk baked into email since the 1970s.

Here's the core issue. SMTP, the protocol that moves email between servers, was built for trust, not verification. When your mail server talks to another, it essentially just accepts what it's told. There's no built-in handshake that says "prove you own that domain." An attacker's server can connect to any receiving mail server and claim to be sending from absolutely anywhere.

To understand how that's exploited, you need to know that every email actually has two different "from" fields, and they don't have to match.

  • The envelope sender (MAIL FROM) is the address used during the SMTP conversation between servers. It's mostly invisible to you. This is where bounce messages go when delivery fails.
  • The header From is what your inbox actually displays as the sender. This is the one attackers care about most, because it's what you see.

An attacker writes a plain SMTP session (or uses a misconfigured server) and sets the header From to victim@legitimatebank.com while the envelope sender points to their own infrastructure. The receiving server, without any authentication checks in place, accepts the message and delivers it. Your inbox shows the bank's address. The email lands. You (potentially) click.

The display name adds another layer. Even if a spam filter catches a suspicious domain in the header From, an attacker can write "CEO Name" as the display name with a completely different sending address underneath. Many people read the name, not the address. That's friendly name spoofing, and it doesn't even require domain forgery.

This is exactly what DMARC was designed to fix. It checks whether the domain in the visible header From is actually authorized to send using the infrastructure that delivered the message. No match, no pass. But DMARC only works if it's configured and enforced. Without it, the door stays wide open.

If you want to check whether your domain is protected, our free DMARC Generator will help you build a record from scratch. Or if something's already going wrong, our SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit my spoofing exposure

I'm trying to understand exactly how email spoofing works at the SMTP protocol level. Based on my sending setup, can you tell me: (1) which of my sender fields are most vulnerable to spoofing, (2) whether my current authentication records would catch a spoofed message claiming to be from my domain, and (3) what an attacker's actual SMTP session would look like when targeting my recipients?

Edit the yellow boxes, then send to the AI of your choice.