Email spoofing means someone claims to be somebody else and asks for something they would not otherwise have access to. For example, a person could pretend to be the CEO of the company and ask for an immediate payment outside the organisation.
Two things relate to email spoofing:
1. Open relay SMTP servers. The SMTP server is the mail server that sends outgoing email. If the SMTP server does not require authentication, anyone within the company can pretend to be somebody else and send email on that person’s behalf. The bigger danger is whether someone outside the company network can use the company’s SMTP server to send email.
2. Emails from anywhere in the world. When an email is drafted, it is possible to type in any “From” and “Reply-To” address without restriction, which opens the door to email forgery. The solution is to implement Sender Policy Framework (SPF), which requires the company to publish an MX record in the DNS entry of the company’s domain record. The idea is that the company publishes information to the world in advance saying that only the company’s domain/subdomain is able to send its email (i.e. bob@theCompany.com can only be used when the SMTP server is within the domain theCompany.com). In Office 365’s case, Microsoft suggests that “customers add the SPF record. It should be something like v=spf1 include:spf.protection.outlook.com ~all”, so our IT may also need to check whether this has been implemented.
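To show what a receiving mail server actually does with a published SPF policy, here is a small SPF evaluator written for this note (it is not code from Microsoft or from any SPF library). SPF data is published in DNS as a TXT record (RFC 7208); the DNS answers below are constructed in memory, and the domain names and IP ranges are made up. A record whose version tag is not exactly `v=spf1` (for instance `v=spf 1`) is treated as invalid, which is why the exact spelling of the record matters when IT checks it.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains and address ranges are invented for illustration.
FAKE_TXT = {
    "thecompany.com": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "typo.example": "v=spf 1 include:spf.protection.outlook.com ~all",  # bad version tag
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, lookups=FAKE_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `sender_ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"          # RFC 7208 caps nested include lookups
    record = lookups.get(domain.lower())
    if record is None:
        return "none"               # no SPF published: receiver has nothing to enforce
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"          # "v=spf 1" or other misspellings are invalid
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"             # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # "~all" -> softfail, "-all" -> fail
        if term.startswith("ip4:") or term.startswith("ip6:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_spf(term[8:], sender_ip, lookups, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # an include target with no valid record is an error
        # Mechanisms not modelled here (a, mx, exists, redirect=) are skipped.
    return "neutral"                # no mechanism matched and no "all" term

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.9"):
        print(ip, "->", check_spf("thecompany.com", ip))
```

A sender inside the company's own range or inside the Office 365 range passes; a forged message from any other address gets the softfail that `~all` asks for, and a receiver would normally quarantine or tag it rather than accept it as genuine.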