Tech Made Simple

Hot Topics: How to Fix Bluetooth Problems | Browse the Web Anonymously | Complete Guide to Facebook Privacy | How to Block Spam Calls

Use It

author photo

How to Tell if an Email Has Been Spoofed

by on November 01, 2018
in Computer Safety & Support, Computers and Software, Tips & How-Tos, Privacy, Tech 101 :: 14 comments

There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to blackmailers threatening to expose you for watching porn. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address), rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.

Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g., and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give it away as spoofed.

To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from

Showing your email headers varies depending on which email service you’re using. For Gmail, open the email and click on the three vertical dots next to the reply arrow and select “Show Original”. For other email programs, you can use this list.

Here’s an example of a spoofed email I sent from an online spoofing service pretending that it came from my own address. Looks pretty real. It says it came from my email address and if I reply, it will go to that same address. In fact, unless it was filtered into my spam box by Gmail, the email will even show up in my Sent folder, which could leave me to believe, incorrectly, that my email was hacked.

spoofed email

But the header information gives it away as spoofed. There’s a lot of technical stuff in here, but you can ignore most of it. The two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field.

spoofed email header

As you can see above, the domain name this email being sent from is (the email spoofing site), not, so that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup. When I do that with from the example above, it tells me this is a host called out of the Czech Republic – not what I would expect to see if this were really an email sent by Techlicious.

Next, if we look at the Received-SPF field and see that it is a softfail. Sender Policy Framework (SPF) is a way for a domain (e.g., to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.

Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.

Spoofing email is just one way scammers attempt to take advantage of us. So make sure you're also on top of these 7 Common Scams We’re Still Falling For

[Image Credit: BigStock-Woman at Computer]

Discussion loading


lookup list

From james on November 03, 2018 :: 2:55 pm

the list you show is not good for yahoo e-mail.



Here's how to check email header for Yahoo

From Josh Kirschner on November 05, 2018 :: 11:27 am

To see the email header info in Yahoo, open the email, click the three horizontal dots in the menu at the top of the message, and then hit “View raw message”



What if the SPF-receiver is none?

From Lara on November 08, 2018 :: 3:50 pm

The title says it already.



Then it could go either way

From Josh Kirschner on November 09, 2018 :: 12:09 pm

While it is best practice to set up up SPF records for a domain and the vast majority of senders do it, not everyone does. So the SPF will show as “none”. In this case, you can’t confirm that it is legitimate nor tell if it is spoofed from the SPF record. So you should use common sense regarding the content of the email and, if you’re still not sure, contact the sender directly to confirm the legitimacy (and yell at them for not having an SPF record).



Your site froze my desktop!

From john on November 10, 2018 :: 8:09 pm

Too many moving parts on this site/page caused freeze on my mac-mini! Took about 5 minutes just to get here to tell you. I was going to share this on FB and Twitter but wouldn’t want to expose contacts to what seems like a malicious site in itself.



Thanks for letting us know

From Josh Kirschner on November 12, 2018 :: 7:35 pm

We monitor the performance of the site regularly to manage performance across devices. However, it’s possible that one of our ad partners was delivering a new ad that may have impacted performance, especially if you’re running on an old device. I’ll keep an eye on things to see if I can spot the issue. But rest assured, there is nothing malicious going on with the site.



Another Way to Check for Spoofed Email: Return Address of Sender

From Skeeter Sanders on November 12, 2018 :: 4:23 pm

I use Microsoft Outlook (formerly Hotmail) as my primary email service. I’ve noticed that every time I get a “spoofed” email, the sender’s address shows up right in the heading.

I’mot sure if Microsoft’ anti-phishing system is configured to expose the sender’s true email adress to its users, but there have been plenty of instances in which an email supposedly coming from a major company (i.e., PayPal) shows a reutrn address that shows anything BUT “” I immediately report it to Microsoft as a “Phishing Scam,” using Outlook’s drop-down reporting menu.

Microsoft has long had a very aggressive anti-spam filter—far more aggressive than either Gmail or Yahoo Mail—so why would it not also have an aggressive anti-phishing filter that exposes the sender’s true email address? I’ve used Hotmail/Outlook for more than a decade and I’ve never been fooled by spam or malware-infected email.



scam but they mentioned my former password correctly

From JBof4 on November 16, 2018 :: 5:09 am

I too received this email introducing himself, expalining how he hacked my sbc email through router, asking for 800.00 bitcoins, the threats don’t concern me, but the fact he said he would give proof by noting my password at the time of hack, it was correct (well a few letters were missing but he had the remaining exactly.  He said he hacked my email summer 2018.  Im ignorant as to my next steps, change password again, but he said he’s following me and will still get new password, said he’s got access to my camera and takes pic of me.  Creepy.  I know its a scam, Im a middle age mom & do not watch pornography, what worries me, is he referring to my iPhone or Mac or both and how did he get my password, and can he get my new password once I change it?
Thank you.



Not a big deal, unless you're still using it.

From Josh Kirschner on November 19, 2018 :: 1:57 pm

Your password was likely revealed as part of one of the many massive credential hacks that have taken place over the years. I highly doubt your individual system was hacked. I discuss this in more detail in our story on the porn blackmail scam.

If the password he sent you is one that you’re still actively using, however, that is very bad. It means your accounts are highly insecure and you need to change your passwords immediately. Going forward, make sure you always use strong, unique passwords for each of your logins. One of our recommended password managers makes it easy to do that.




From JBof4 on November 19, 2018 :: 2:46 pm

Thanks for your reply.  I just got nervous when he wrote he hacked my email through my router and said not to bother changing my email password because he said he can follow to new password.  It’s no wonder why I’m getting 40-60 scam emails in my inbox recently.


Eu sou um desenvolvedor de software spyware. Sua conta foi invadida por mim no verão de 2018.

From Marcelo Von Atzingen Trevisani on December 06, 2018 :: 2:17 pm

Eu moro aqui no Brasil e recentemente recebi esta ameaça também e me senti terrivelmente ameaçado. Depois eu procurei pelo Bitcoin: 1122NYbAT2KkZDZ5TFvGy4D2Ut7eYfx4en e soube que ja constava na lista do

Isto me tranquilizou um pouco. já estava indo para a Policia Federal do Brazil para fazer um boletim.

Ainda estou assustado, espero que seja mentira mesmo, pois é horrivel se sentir ameaçado.

Marcelo von



IP Blocking of countries

From Jose Hicks on March 01, 2019 :: 3:03 pm

I try to have an optimal configuration in addition to that I have managed to mitigate trying to misuse my mail servers is the blocking of full ranges of addresses ips with which I have no relationship whatsoever. and above all, as you comment, do not forget to trust your instinct. Jose Hicks



Received-SPF pass

From DF on May 14, 2019 :: 9:10 pm

I got a scam email whose “Received” section shows some random website but the “Received-SPF” section shows “Pass”, with additional info including “envelope-from=” followed by yet a third website. Does this mean a scammer did hack a legitimate sender domain to send this? Should this concern me?



Not necessarily

From Josh Kirschner on May 17, 2019 :: 11:49 am

It depends how the SPF records are set up for the domain. If not set up properly, you might see a “pass” even if it shouldn’t be. Without more information, it’s hard to say for sure. Either way, spoofing or hacking, you know it’s not valid so treat it accordingly.


Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships
Newsletter Archive
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.

site design: Juxtaprose