Your IT Consultant

The Technology of Email – Understanding Headers and Sniffing out Spoofing

August 8, 2019

Believe it or not, email has been around for a long time. Email was pretty simple in the early days. There was no fancy formatting and only text messages were being sent. The protocols were simple (and fairly insecure) without giving the user a lot of flexibility. Today's email mechanism are much improved and therefore a lot more complicated. Ars Technica has an excellent post that explains email in great detail.

A very simple step to help prevent email spoofing is to have a SPF record for your domain. The Sender Policy Framework (SPF) record is nothing more that a TXT record entry in DNS that identifies valid IP addresses and networks for transmission of your email. In other words, a recipient can compare your SPF record to the values in an email header to see if it is really being sent by you or if someone is trying to spoof the transmission.

The post goes into a deep dive about the various sections of an email header. We propeller heads get juiced up when reviewing the contents of an email header. Now you can too. The sample email is a real transmission from AOL to a locally hosted Exchange server. Spend a little time going over the various sections and you'll get a good idea of the complexities involved in a normal email flow. At the end of the day, there is no 100% guarantee that all the header information is accurate since it is possible that a server within the path manipulated the header contents. In our experience, the headers are a fairly good indicator of a potential originator to an email message. Don't use them as gospel, but assemble data from other sources to help support your case.

Email: Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://senseient.com