How to Catch Spoofing Attack in 2021

How to catch spoofing attack

It is hard to overestimate the need for cyber-security in 2021. Not only we live in a digitalized world, but we also live in the world of pandemics, hence, remote working all over the world. As people switched to their home computers, the question of security of every business became even more important and, at the same time, difficult to achieve. And, as the security of an email is often overlooked, it can lead to dreadful consequences.

Email Spoofing in 2021

There are around 4 billion email users according to Statista, 1.8 billion Gmail users alone. Roughly 306.4 billion emails are being sent and received daily. With such high numbers, cyber-criminals are not losing their opportunities to spoof an email and then phish for valuable information and credentials. As the result, in 2020 the average cost of a data breach was $3.86 million.

And it is a huge mistake, and a great advantage for the attackers, to think that only large corporations are falling victims of email spoofing and phishing. Nearly 1 in 3 organizations, involved in cyber-breach were small and medium businesses, according to Verizon’s report.

Cyber-breaches can come in all shapes and sizes, so why exactly email? Because 94% of all malware gets to a computer via email.

Read more: Why Every Business Needs DMARC

To better understand spoofing, let’s look at how a cyber-criminal tried (unsuccessfully) spoof GlockApps.

How Does Spoofing Work

What is email spoofing? It is a forging of someone else’s identity via email to convince the recipient to perform some action or give up valuable information. Usually, spoofers pretend to be a person or an organization that the recipient would trust.

To perform a spoofing attack, the malicious actor has to compromise the SMTP protocol, which isn’t hard because it was created without any security precautions. Usually, spoofers take advantage of the “From” field, “Return-path” and “Reply-to”.

We have sent a fake email with an appealing raise to ourselves. In Gmail, for example, this spoofed email will most likely not appear in the Inbox and will be marked as probable spam.

Email marked as spam in Gmail

To see the details, invisible from first sight, go to three vertical dots section (More) -> show the original. There you will see all the details: message ID, “From” address, as well as the results of SPF and DMARC check.

Example of the full message header in Gmail

As you can see, SPF shows “softfail” and DMARC authentication – “fail”. If you scroll further down, you will also find that the message that says it was sent from was actually sent from This is a clear indication that the email is not genuine.

Example of spoofed email

The human factors play a massive role here, since not many recipients check the legitimacy of the email, especially if it looks trustworthy, sounds urgent, or comes from a seemingly legitimate source (someone they know).

How Email Security Protocols Save the Day

Today there are three commonly used email security protocols: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework) is the oldest email security protocol. It is a simple TXT record that contains all the IPs that are allowed to send emails on your behalf. So, ideally, if a message fails SPF authentication, it could mean that someone was trying to abuse your domain to send unsolicited messages pretending to be you. Although SPF has its downsides and failure could also mean that your record is misconfigured, it still is a red flag.

DKIM (DomainKeys Identified Mail) is an email authentication standard that uses public-key encryption to authenticate email messages. Simply put, it signs an email to make sure it wasn’t altered in the process of sending.

DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is the protocol that is used for maximum protection as it works on top of the previous protocols and enhances the security level. DMARC provides you with reporting, making it easy to see what is happening with email traffic on your domain. You gain full visibility over who is sending emails on your behalf, as well as choose a policy that will apply to suspicious emails. None – nothing will happen; reject – suspicious emails go to spam; reject – unsolicited mail is getting blocked.

So, to sum it up, SPF dictates who is allowed to send on your behalf, DKIM makes sure email is not altered in the process, and DMARC aligns these two, allows you to choose what to do with suspicious emails, and provides you with reports and visibility.

Read more: Email Authentication: the Ultimate Guide

At GlockApps we believe in the power and necessity of email security, so we have all three in place. So what happened when a malicious agent tried to spoof our domain?

First we received DMARC analyzer warning alerts.

Screenshot with alerts about authentication and compliance rate drop

Alerts about authentication and compliance rate drop

As you can see, in one day SPF and DKIM authentication, as well as compliance rate, have dropped significantly (from around 90% to 10%). So we went to our DMARC reporting dashboard and this is what we saw.

Screenshot with DMARC Analytics dashboard

Email spoofing example in the DMARC Analytics dashboard

Looks like two islands in green water. So green is our usual domain traffic, whereas islands – you guessed it – are the spoofing attacks. In this particular attack, the SPF evaluation failed because the SPF domain didn’t match the “header from” domain. In the second case, IP was not included in the SPF record. So you see, these security protocols work perfectly together.

Now, when you have implemented DMARC with the reject policy the good part is that you don’t need to do anything about the attack because it is not coming through and your clients are not getting these spoofing messages.

Why Do You Need to Enforce DMARC?

Many are mistakenly think that to prevent email spoofing it is enough to implement DMARC with a “none” policy. In reality, this policy is only needed at the first stages of implementation to gain visibility and make sure you’re not blocking any legitimate sources. But what happens during the spoofing attack with a none policy?

Sсreenshot of DMARC dashboard with spoofing data

DMARC analytics dashboard shows the DMARC policy and SPF and DKIM evaluation fail

As you can see on the screenshot, DKIM has failed authentication, but nothing really happened, because the DMARC policy was set to “none”, so the unsolicited emails were not quarantined or blocked.

How to See that You Are or Have Been Spoofed?

  1. DMARC Analyzer

    First, we do recommend using third-party tools to receive the reports and gain full visibility into your domain traffic, or at least get a dedicated mailbox to receive reports to. But remember that they come in an XML format, created to be read by machines, not humans. That is why third-party tools, like GlockApps DMARC Analyzer, are so much better. Apart from storing thousands of reports, they translate them in a comprehensive readable format and send you notifications if something goes wrong.

  2. Bounced Emails

    DMARC reports start coming in within 24 hours. But is there a way to know that you are being spoofed right now? Yes, all you need to do is track your bounced messages. When a message is not delivered, usually it bounces back and you receive an email with an error and, sometimes, the reason. For example:

    Sсreenshot of a bounced email from Gmail

    Example of bounced spoofing email from Gmail

    If you follow the email list best practices, don’t buy any email addresses and don’t have spam traps, a spike in bounced emails should be a warning sign that at the moment you might be getting spoofed. Red flags could also come from your recipients (if they start receiving weird or suspicious emails from you).

  3. Google Postmaster Tools

    Google gives you a great opportunity to see spam reports, delivery errors, feedback loops, sender reputation, and more. If you are a legitimate sender and you follow email best practices, your sender reputation should be high. When an email gets spoofed – the sender’s reputation goes down very fast. Within days you can end up with a low spammer reputation and zero recipients’ trust.

    Google Postmaster also shows your delivery errors, where you can see spikes in bounced emails.

    Sсreenshot of a Gmail Postmaster tools showing spikes in delivery errors

    Email spoofing example in Gmail Postmaster tools

The Takeaway

Cyber-crime in 2021 is not to be taken lightly, as the compromise rates skyrocket, especially after the pandemic. Email should be protected just as any other source since the vast amount of malware gets on the computers through email.

Spoofing is one of the most common cyber-attacks. What is email spoofing? It is a type of attack in course of which the malicious agent changes the “From” field and basically pretends to be a legitimate source to make the recipient perform a certain action or give up important credentials.

The best way to prevent email spoofing is to protect yourself by implementing 3-layered protection: SPF, DKIM, and DMARC. And although this is not a silver bullet from cyber-attacks – it is the best chance to protect your email streams these days. Take action, start protecting your domains today!

You can start using DMARC Analytics right now with 10,000 free monthly DMARC messages and unlimited domains. We provide all the help with our support team, guides, and in-depth analytics.


Julia Gulevich is an email marketing expert and customer support professional at GlockSoft LLC with more than 15 years of experience. Author of numerous blog posts, publications, and articles about email marketing and deliverability.