How to Spot a Spoofed E-mail

The internet has connected the world through a global network of computer systems. Among the many ways it has changed our lives, it has replaced more traditional forms of communication with new methods of staying in touch or getting work done. Few of these are as important in modern life as electronic mail. E-mail allows near-instantaneous contact between two parties and can carry not only a typed message but also attachments of every kind, or even multimedia displayed within the body of the message.

Individuals may e-mail friends and family from time to time (when instant messaging over cellular networks or third-party applications is not preferred), but businesses rely heavily on e-mail every single day. As with any method of communication, it is important that both parties in an e-mail conversation can trust each other to be who they claim to be or represent.

A modern concern with e-mail is e-mail spoofing: the fabrication of an e-mail header (the technical details about the message, such as who sent it, the software used to create it, and the e-mail servers it passed through) with the intention of fooling the recipient into believing that a nefarious individual is actually a trusted party, such as a coworker, a friend, or a family member. The damage this can cause is considerable, especially when the e-mail appears to come from a bank and provides a fake login link that may in reality capture our real login credentials or download malware to our computers. Most spam is easily identified by an obviously fabricated sender address, poor vocabulary in the body of the message, or blocked links and attachments, but when the sender address appears legitimate and the body raises no red flags, how can we verify that we are not receiving a spoofed e-mail?

One tool we can use is the freely available Google Admin Toolbox, which provides an online utility for inspecting an e-mail message header. You can find the Google Admin Toolbox with a quick Google search. There, click on MessageHeader at the bottom of the screen to open the utility.

Next, open the e-mail you would like to inspect and make a copy of the message header data. The method for displaying the message header differs by e-mail service provider; in Yahoo Mail, for example, click the three dots at the bottom of the message and then “View raw message”, and in Gmail click the three dots at the top and then “Show Original”. Select all the text in the message header, copy it, and paste it into the Google Admin Toolbox’s MessageHeader page. Finally, click “Analyze the header above”.

The result reveals a few very important details about the message sender, in particular the SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results. These are protocols developed and used by internet service providers to help authenticate e-mail passing through their systems. DMARC builds upon the results of the SPF and DKIM checks to detect forged sender addresses, the technique used in phishing and e-mail spam. If these three checks do not all show “Pass”, and if there appear to be several delays in the routing shown at the bottom of the screen, the e-mail may be malicious and should be deleted.
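The same reading of a raw header can be scripted. The example below is added here and is not part of the original article or of the Google Admin Toolbox: it parses a constructed sample header with Python's standard library, pulls the SPF, DKIM and DMARC verdicts from the Authentication-Results header, and measures the delay between the routing hops recorded in the Received headers. The one-hour delay threshold is an assumption chosen for the example.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample, not a real message: the raw header of a mail that claims
# to come from a bank but fails SPF, DKIM and DMARC, with a long gap between
# its two routing hops. Folded (continuation) lines start with a tab.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby mail.recipient.example with ESMTPS id ABC123
\tfor <alice@recipient.example>; Mon, 01 Apr 2024 10:32:05 +0000
Received: from unknown (HELO bank.example) ([198.51.100.7])
\tby mx.example.net with SMTP; Mon, 01 Apr 2024 07:10:41 +0000
Authentication-Results: mail.recipient.example;
\tspf=fail smtp.mailfrom=bank.example;
\tdkim=none header.d=bank.example;
\tdmarc=fail header.from=bank.example
From: "Your Bank" <security@bank.example>
To: alice@recipient.example
Subject: Urgent: verify your account

Please log in at the link below.
"""

def auth_results(msg):
    """Map spf/dkim/dmarc to the verdict in Authentication-Results ('missing' if absent)."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for name, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found.setdefault(name.lower(), result.lower())  # keep the first (outermost) verdict
    return {c: found.get(c, "missing") for c in ("spf", "dkim", "dmarc")}

def hop_delays(msg):
    """Seconds between consecutive Received hops, oldest hop first."""
    stamps = []
    for hdr in reversed(msg.get_all("Received", [])):  # headers are stacked newest-first
        if ";" in hdr:  # the timestamp follows the last semicolon; skip malformed hops
            stamps.append(parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip()))
    return [int((later - earlier).total_seconds()) for earlier, later in zip(stamps, stamps[1:])]

def assess(raw, max_delay=3600):
    """Summarise a raw header the way the article reads the toolbox output (threshold assumed)."""
    msg = email.message_from_bytes(raw)
    results = auth_results(msg)
    delays = hop_delays(msg)
    suspicious = any(r != "pass" for r in results.values()) or any(d > max_delay for d in delays)
    return {"results": results, "delays": delays, "suspicious": suspicious}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Paste the "Show Original" text of a real message into a file and pass its bytes to assess() to get the same three verdicts and hop delays the toolbox displays.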

By Alberto Jimenez, Sr. Systems Administrator
