
How to Tell if an Email Has Been Spoofed

by on October 17, 2019
in Computer Safety & Support, Computers and Software, Tips & How-Tos, Privacy, Tech 101 :: 21 comments


There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to blackmailers threatening to expose you for watching porn. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address), rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.

Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g. irs.gov), and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give the message away as spoofed.

To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from irs.gov?).

How you display email headers depends on which email service you’re using. For Gmail, open the email, click on the three vertical dots next to the reply arrow and select “Show Original”. For other email programs, you can use this list.

Here’s an example of a spoofed email I sent from an online spoofing service pretending that it came from my own address. Looks pretty real. It says it came from my email address and if I reply, it will go to that same address. In fact, unless it was filtered into my spam box by Gmail, the email will even show up in my Sent folder, which could lead me to believe, incorrectly, that my email was hacked.

[Image: spoofed email]

But the header information gives it away as spoofed. There’s a lot of technical stuff in here, but you can ignore most of it. The two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field.

[Image: spoofed email header]

As you can see above, the domain name this email is being sent from is emkei.cz (the email spoofing site), not Techlicious.com, so that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address, you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup. When I do that with 46.167.245.206 from the example above, it tells me this is a host called emkei.cz out of the Czech Republic – not what I would expect to see if this were really an email sent by Techlicious.

Next, if we look at the Received-SPF field, we see that it is a softfail. Sender Policy Framework (SPF) is a way for a domain (e.g., Techlicious.com) to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.

Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.
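The two header checks above can be scripted. The following Python sketch is an added example, not part of the original article: it reads the topmost Received line and the Received-SPF result, and also compares the envelope sender that SPF evaluated with the From: domain. The sample header is constructed (the mailbox, the receiving host mx.example.net and the lower Received line are assumptions; only emkei.cz and 46.167.245.206 come from the article), and the verdict labels are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's example; the mailbox, the
# receiving host mx.example.net and the lower Received line are made up.
SAMPLE = """\
Received: from emkei.cz (emkei.cz. [46.167.245.206])
        by mx.example.net with ESMTPS id x1; Thu, 17 Oct 2019 10:00:00 -0700
Received-SPF: softfail (mx.example.net: domain of transitioning
        editor@techlicious.com does not designate 46.167.245.206 as permitted sender)
Received: from mail.techlicious.com (mail.techlicious.com [192.0.2.10])
        by emkei.cz; Thu, 17 Oct 2019 09:59:00 -0700
From: Editor <editor@techlicious.com>

body
"""

HOP = re.compile(r"from (\S+) \([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)")
ENVELOPE = re.compile(r"(?:envelope-from=<?|domain of (?:transitioning )?)([^\s;>]+)")

def flat(value):
    return " ".join((value or "").split())  # undo header folding

def domain_of(address):
    return address.rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Only the topmost Received line was written by the reader's own provider;
    # anything below it was supplied by earlier hops and may be forged.
    hops = msg.get_all("Received") or []
    hop = HOP.search(flat(hops[0])) if hops else None
    host, ip = (hop.group(1).lower(), hop.group(2)) if hop else (None, None)
    spf_line = flat(msg.get("Received-SPF"))
    spf = spf_line.split()[0].lower() if spf_line else "missing"
    # SPF checks the envelope sender, which can differ from the From: header.
    env = ENVELOPE.search(spf_line)
    env_domain = domain_of(env.group(1)) if env else None
    host_ok = bool(host) and (host == from_domain or host.endswith("." + from_domain))
    if spf in ("fail", "softfail"):
        verdict = "suspicious"
    elif spf == "pass" and env_domain == from_domain:
        verdict = "consistent"
    else:
        verdict = "inconclusive"
    return {"from_domain": from_domain, "sending_host": host, "sending_ip": ip,
            "spf": spf, "envelope_domain": env_domain,
            "host_matches_from": host_ok, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A "pass" whose envelope domain differs from the From: domain comes back as "inconclusive", because SPF only vouches for the envelope sender.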

Spoofing email is just one way scammers attempt to take advantage of us. So make sure you're also on top of these 7 Common Scams We’re Still Falling For.

Updated on 10/17/2019

[Image Credit: BigStock-Woman at Computer]




lookup list

From james on November 03, 2018 :: 2:55 pm

the list you show is not good for yahoo e-mail.


Here's how to check email header for Yahoo

From Josh Kirschner on November 05, 2018 :: 11:27 am

To see the email header info in Yahoo, open the email, click the three horizontal dots in the menu at the top of the message, and then hit “View raw message”


What if the SPF-receiver is none?

From Lara on November 08, 2018 :: 3:50 pm

The title says it already.


Then it could go either way

From Josh Kirschner on November 09, 2018 :: 12:09 pm

While it is best practice to set up SPF records for a domain and the vast majority of senders do it, not everyone does. So the SPF will show as “none”. In this case, you can’t confirm that it is legitimate nor tell if it is spoofed from the SPF record. So you should use common sense regarding the content of the email and, if you’re still not sure, contact the sender directly to confirm the legitimacy (and yell at them for not having an SPF record).


Your site froze my desktop!

From john on November 10, 2018 :: 8:09 pm

Too many moving parts on this site/page caused freeze on my mac-mini! Took about 5 minutes just to get here to tell you. I was going to share this on FB and Twitter but wouldn’t want to expose contacts to what seems like a malicious site in itself.


Thanks for letting us know

From Josh Kirschner on November 12, 2018 :: 7:35 pm

We monitor the performance of the site regularly to manage performance across devices. However, it’s possible that one of our ad partners was delivering a new ad that may have impacted performance, especially if you’re running on an old device. I’ll keep an eye on things to see if I can spot the issue. But rest assured, there is nothing malicious going on with the site.


Another Way to Check for Spoofed Email: Return Address of Sender

From Skeeter Sanders on November 12, 2018 :: 4:23 pm

I use Microsoft Outlook (formerly Hotmail) as my primary email service. I’ve noticed that every time I get a “spoofed” email, the sender’s address shows up right in the heading.

I’m not sure if Microsoft’s anti-phishing system is configured to expose the sender’s true email address to its users, but there have been plenty of instances in which an email supposedly coming from a major company (i.e., PayPal) shows a return address that shows anything BUT “paypal.com.” I immediately report it to Microsoft as a “Phishing Scam,” using Outlook’s drop-down reporting menu.

Microsoft has long had a very aggressive anti-spam filter—far more aggressive than either Gmail or Yahoo Mail—so why would it not also have an aggressive anti-phishing filter that exposes the sender’s true email address? I’ve used Hotmail/Outlook for more than a decade and I’ve never been fooled by spam or malware-infected email.


scam but they mentioned my former password correctly

From JBof4 on November 16, 2018 :: 5:09 am

I too received this email introducing himself, explaining how he hacked my sbc email through router, asking for 800.00 bitcoins, the threats don’t concern me, but the fact he said he would give proof by noting my password at the time of hack, it was correct (well a few letters were missing but he had the remaining exactly).  He said he hacked my email summer 2018.  I’m ignorant as to my next steps, change password again, but he said he’s following me and will still get new password, said he’s got access to my camera and takes pic of me.  Creepy.  I know it’s a scam, I’m a middle age mom & do not watch pornography, what worries me, is he referring to my iPhone or Mac or both and how did he get my password, and can he get my new password once I change it?
Thank you.


Not a big deal, unless you're still using it.

From Josh Kirschner on November 19, 2018 :: 1:57 pm

Your password was likely revealed as part of one of the many massive credential hacks that have taken place over the years. I highly doubt your individual system was hacked. I discuss this in more detail in our story on the porn blackmail scam.

If the password he sent you is one that you’re still actively using, however, that is very bad. It means your accounts are highly insecure and you need to change your passwords immediately. Going forward, make sure you always use strong, unique passwords for each of your logins. One of our recommended password managers makes it easy to do that.


Thanks

From JBof4 on November 19, 2018 :: 2:46 pm

Thanks for your reply.  I just got nervous when he wrote he hacked my email through my router and said not to bother changing my email password because he said he can follow to new password.  It’s no wonder why I’m getting 40-60 scam emails in my inbox recently.


I am a spyware software developer. Your account was hacked by me in the summer of 2018.

From Marcelo Von Atzingen Trevisani on December 06, 2018 :: 2:17 pm

I live here in Brazil and recently received this threat as well, and I felt terribly threatened. Afterwards I looked up the Bitcoin address 1122NYbAT2KkZDZ5TFvGy4D2Ut7eYfx4en and learned that it was already on the list at https://www.bitcoinabuse.com/reports/1122NYbAT2KkZDZ5TFvGy4D2Ut7eYfx4en

That reassured me a little. I was already on my way to the Brazilian Federal Police to file a report.

I’m still scared; I hope it really is a lie, because it is horrible to feel threatened.

Marcelo von


IP Blocking of countries

From Jose Hicks on March 01, 2019 :: 3:03 pm

I try to have an optimal configuration. In addition to that, one way I have managed to mitigate attempts to misuse my mail servers is the blocking of full ranges of IP addresses with which I have no relationship whatsoever. And above all, as you comment, do not forget to trust your instinct. Jose Hicks


Received-SPF pass

From DF on May 14, 2019 :: 9:10 pm

I got a scam email whose “Received” section shows some random website but the “Received-SPF” section shows “Pass”, with additional info including “envelope-from=” followed by yet a third website. Does this mean a scammer did hack a legitimate sender domain to send this? Should this concern me?


Not necessarily

From Josh Kirschner on May 17, 2019 :: 11:49 am

It depends how the SPF records are set up for the domain. If not set up properly, you might see a “pass” even if it shouldn’t be. Without more information, it’s hard to say for sure. Either way, spoofing or hacking, you know it’s not valid so treat it accordingly.


My email spoofed

From Ant on August 11, 2019 :: 11:47 pm

I received a Phishing message in my junk folder from my address plus my profile image. I believe it is spoofed because of the header info. I changed my password. Is there any other course of action I should take?


No need to do anything

From Josh Kirschner on August 13, 2019 :: 10:29 am

If your email has been spoofed (and it sounds likely given what you say about the header info and the fact your email provider sent it to junk), then there is nothing you need to do. Changing your password won’t make a difference since spoofing isn’t account hacking, it’s just someone using a tech trick to pretend to be you.

If your email is a business account, you can prevent spoofing by setting up your SPF and DKIM records properly, but this doesn’t apply to personal email accounts.


hundreds of spam a day all sent to trash

From g saturn on August 13, 2019 :: 4:34 pm

I send hundreds of offers of porn nude pics male enhancement, update car warranty, health, life insurance (something I looked for on Amazon) and the insane list goes on. Here are some of the spoofed return emails I get.

————————————————-
ManPlus <ED_Solution@73165784.thenewsletters.club>
reply-to:
  .(JavaScript must be enabled to view this email address)

to:  .(JavaScript must be enabled to view this email address)

date:  Aug 13, 2019, 2:58 PM
subject:  * Drive Your Partner Crazy in Bed Tonight*
security:    thenewsletters.club did not encrypt this message


Warning<returen@chechss.keyword-on.net>via sub4.gleeze.com

reply-to:  .(JavaScript must be enabled to view this email address)

to:  .(JavaScript must be enabled to view this email address)

date:  stcroix.raven - SOMEONE TRIED TO LOG INTO YOUR ACCOUUNT Alert: #851
subject:  sub4.gleeze.com
mailed-by:    Standard encryption (TLS) Learn more

security: 

Melissa <edu@educationsplans.com>,
.(JavaScript must be enabled to view this email address)
———————————————————————————

I know they are fake because my son said do not reply, you will not get removed from any list, you will simply get more. These are in my trash because I filtered with “is spam, then delete”.
Here’s the problem: Gmail will not delete them, they just keep filling my trash day after day; most are from the UK.  When you look up how to make them go away forever you get “click the little upside triangle and click on block to block these or any user you do not want to get email from”. It’s a lie, there is no “block sender”. Why does Google lie and why do they allow it to keep happening? They can stop some of it but they will not. I think they make money so there will never be a fix. You may write to them, however, they don’t care. The mail will not automatically delete from trash for 30 days. Why is it not possible to delete all (since it is only manual), at one time, or set up an auto delete forever?
Also, there are many pages when a search is done that have a green box with the word ad in it and you get the following error… This site can’t be reached http://www.googleadservices.com refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED. BS, why are they blocking any search?
You cannot ask them, they never reply, they do not care. Any help from anyone would be appreciated. Thank you.


Don't move spam to trash

From Josh Kirschner on August 14, 2019 :: 3:23 pm

First, you shouldn’t move spam to trash because then it will get mixed with your valid emails when you’re doing searches - just mark it as spam and it should go to the spam folder. Either way, all messages in your trash and spam folders will autodelete after 30 days. You can always select all and delete everything manually if you want, but I really don’t see why you would bother since the messages are segregated into a spam folder that you would never be interacting with, anyhow.

For blocking senders, open an email and click on the three vertical dots in the upper right and you will see the option to Block “[SENDER NAME]”.


Thanks!

From Ant on August 13, 2019 :: 8:57 pm

Thanks!


Spoofs

From tazmo8448 on October 17, 2019 :: 3:42 pm

One way I use is to hover over the sender and see if it looks legit. If it doesn’t, I send it to the company it is trying to spoof, like spoof at paypal dot com.


Received field

From Dan Chien on October 25, 2019 :: 10:57 pm

First, this is in US patent 9674145.
There are many Received fields. An attacker may inject a Received field in the header.  The one you need to look at is the last one (usually the first one at the top), which is written by your SMTP.

Thanks

Dan
