TitanHQ Blog

How to Tell if an Email Has Been Spoofed

Posted by Geraldine Hunt on Wed, Mar 13th, 2019

Email spoofing is the creation of emails with a forged sender address in order to trick the recipient into providing money or sensitive information. If your organization uses a registered domain for its email, then chances are you have seen some of these in your inbox. It's also likely that most, if not all, were simply phishing scams.

Is Your Account Hacked or Spoofed?

The initial fear in these circumstances is that the sender account has been hacked.  If your own account were compromised, an attacker could use it to implement social media attacks against your fellow employees and email contacts.  At the least, it could be used as a spamming account, which would negatively affect your email reputation.  The good news is that email accounts are rarely hacked.  Most of these occurrences are due to email spoofing. 

Spoofing is all about making it appear that the email is coming from a sender that you trust, including yourself. In actuality, the email originated from an external source that could be on the other side of the world. Unfortunately, it is easy to spoof an email account today. Someone with the required knowledge can configure any email server to send mail from any given domain. Even if you don’t have the equipment or know-how, there are websites that will let you send one-off emails using the email address of your choice. All of this is possible because security was not built into the email protocol when it was created, so the protocol allows spoofing by its very design.

Verifying the Origin of an Email

A good rule today for emails that ask you to “do something” is to not just rely on the Display Name. For instance, the sender name may be PayPal but the email address is paypal@eydh12.com. If an email appears to come from a trusted source within your company, a quick glance down at the email signature may give a clear indication that the email didn’t come from that person. Spoofed email signatures often contain bogus phone numbers that have no correlation with your company, or lack the mandatory company logo. You can also click the forward button, which will then show the “To” and “From” fields of the original email in the body.

While verifying the correct email address will allow you to properly discern if an email has been spoofed a majority of the time, it isn’t foolproof.  The only way to absolutely know where an email came from is to examine the email header.  Each email application has a different way to access the header.

  • For Office 365, open the email, click on the Action Menu contained within the email and select “View Message Details”.
  • For Gmail, open the email, click on the three vertical dots next to the reply arrow and select “Show Original”.
  • For Outlook, open the email, go to File – Properties and view the “Internet Header”.

There is a lot of information contained within the email header, far more than you probably want to know. When you read an email header, the data is in reverse chronological order. This means that the information at the top is the most recent. In order to trace the email from sender to recipient, you need to start at the bottom. There are two very important fields contained in the full header.


The “Received:” lines of the header list all of the servers and computers that were utilized to send the email. Because we go from the bottom up, the last (bottom-most) “Received:” line is where the email originated. The email domain shown there should match the one being displayed in the email.


The Sender Policy Framework (SPF) is used by organizations to specify which servers are permitted to send email on their behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s an indication that the email may be spoofed. Keep in mind that this isn’t true 100 percent of the time, as some domains don’t keep their SPF records up to date, resulting in validation failures.

Optional Fields:

For those organizations that choose to utilize DKIM and DMARC, the header has one more field to give clues:


This field will let you know if the email passed DKIM or DMARC authentication.  While SPF can be bypassed by spoofing, DKIM and DMARC are far more dependable. 
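
The header checks described above (display name versus address, the bottom “Received:” line, Received-SPF, and the DKIM/DMARC results, which receiving servers record in the Authentication-Results header) can be scripted. The following Python code is an added example, not TitanHQ code; the sample message is constructed, and KNOWN_SENDERS, the .example hosts and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: brand display names and the domain each really mails from.
KNOWN_SENDERS = {"paypal": "paypal.com"}
# Constructed sample message; .example hosts and the IP are reserved documentation values.
SAMPLE = """\
Received: from mx.recipient.example by inbox.recipient.example; Wed, 13 Mar 2019 10:00:05 +0000
Received-SPF: softfail (domain of transitioning paypal@eydh12.com
    does not designate 198.51.100.7 as permitted sender)
Authentication-Results: mx.recipient.example; spf=softfail
    smtp.mailfrom=eydh12.com; dkim=none; dmarc=fail header.from=eydh12.com
Received: from smtp.bulk-sender.example by mx.recipient.example; Wed, 13 Mar 2019 10:00:01 +0000
From: PayPal <paypal@eydh12.com>
Subject: Action required
"""

def base_domain(host):
    """Last two labels of a host name (naive: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Each hop prepends its Received line, so the bottom one is the origin.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[-1]) if received else None
    origin = m.group(1).lower() if m else ""
    # The first word of Received-SPF is the verdict (pass, fail, softfail, ...).
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "").lower()))
    findings = []
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and base_domain(from_domain) != expected:
        findings.append(f"display name {display!r} but address is at {from_domain}")
    if origin and base_domain(origin) != base_domain(from_domain):
        findings.append(f"origin host {origin} is not in {from_domain}")
    if spf != "pass":
        findings.append(f"Received-SPF is {spf}")
    for check in ("dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} is {auth.get(check, 'absent')}")
    return {"from_domain": from_domain, "origin": origin, "spf": spf,
            "auth": auth, "findings": findings}

if __name__ == "__main__":
    print(*analyse(SAMPLE)["findings"], sep="\n")
```

Only header lines stamped by your own receiving mail system can be relied on: “Received:” lines below your servers' hops, and any Authentication-Results header your servers did not add, are written by whoever sent the message.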

No business is immune from data loss

The risks from spoofed and malicious emails are much greater today. Individuals can lose financial security due to identity theft. Organizations’ databases can be mined for social security numbers, credit card information, health records, bank account numbers, etc., leading to billions of dollars in damages not only to the organization but also to the people whose information has been stolen. Small businesses are often the victims of significant financial damage caused by malicious emails. We usually don’t hear as much about these as we do the large Targets, Sonys and Homebases of this world.

Staying protected from phishing attempts using spoofed emails

Despite the fact that it’s relatively easy to protect against spoofed emails, spoofing is still a common technique used by spammers and cyber-criminals. It does take some effort, and therefore money, to combat email spoofing. I suspect that is why many small companies do not take the necessary precautions. My recommendation to my clients is pretty straightforward:

  • Subscribe to a highly effective spam filter service and re-evaluate its effectiveness annually.
  • Assign someone (if not an employee, hire an IT outsourcing firm) to monitor and administer the email system including the spam filtering service.  This is not a trivial task as email functionality changes, new threats evolve constantly and email addresses are in frequent flux due to personnel changes. 
  • Educate employees about email spoofing and other techniques used by spammers and cyber-criminals. Train them on what to look for when scanning their inbox so they can quickly identify potential malicious emails. Provide them with a contact who can help them decide when they are not sure whether an email is bogus.

Email is a necessary and extremely useful business communication tool. Unfortunately, because it's used so much, it makes an easy target for cyber-criminals. For an average email user, it’s a difficult task at best to spot a malicious email among the hundreds or thousands that pour into their inbox. That is why it's so important for organizations to allocate the resources and funds to protect their personnel and their organization from all the threats that may arrive as an innocent-looking message from a friend.

Since 1999 SpamTitan has been building threat intelligence to dramatically reduce the risk of a successful attack on your organization. With SpamTitan you’ll significantly reduce the risk of new variants of malicious email from entering your network.

If you are looking for the best spam filter for business users, be sure to check out SpamTitan – the leading anti-spam solution for SMBs and enterprises. Contact the TitanHQ team today for further information and a product demonstration.
