Email spoofing is the practice of creating and sending emails with a forged header and sender address. Because the standard email protocols have no strong mechanism for authenticating the sender, spoofing is commonly used for phishing and spamming. Spammers usually spoof the sender so that the recipient is more likely to open the mail.
Today, more and more cybercriminals are spoofing the domains of the biggest websites in the world to lend credence to their messages, whether to scam people or to spread false information across the media. Unfortunately, most of these spoofers succeed because many of the top-trafficked websites do not have a strong defence against email spoofing.
The good news is that there is still hope: big websites can adopt security measures that help prevent fraudulent cybercriminals from spoofing their domains. One such measure is SPF, the Sender Policy Framework.
SPF is a fairly simple email validation system designed to detect email spoofing. It allows the receiving mail server to check, against information published by the domain’s administrators, whether the incoming mail really comes from a host authorized to send for that domain. However, according to research by the security firm Detectify, SPF is improperly configured at many top-trafficked websites, leaving them vulnerable to spoofing attacks and other types of fraud.
Detectify checked the five hundred most trafficked sites as ranked by Alexa and found that around 276 (55%) of them are vulnerable to email spoofing, either because they have no anti-spoofing system or because it is misconfigured. The main reason so many of these websites lack an effective anti-spoofing setup is that email authentication is not an easy task. It is also why many companies set up SPF and other anti-spoofing methods with “soft settings”: they are afraid that some of their genuine messages will be binned if they use stricter settings.
This means that forged emails are merely flagged as suspicious or spam, so most of them still get through. Such messages can scam you or infect your PC with malware, so be careful and look out for dodgy-looking links and attachments.
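To show what a “soft setting” means in practice, here is an added example (not code from the original article or from Detectify) of a minimal SPF evaluator in Python: a record ending in `~all` only softfails a forged sender, while `-all` rejects it outright. It handles only the `ip4`, `ip6` and `all` mechanisms so it runs without DNS, and the domain records and IP addresses are constructed.

```python
"""Minimal offline SPF evaluator (added example, not Detectify's tooling).

Handles only the ip4, ip6 and all mechanisms with their qualifiers, so it
runs without DNS; include/a/mx/exists, which need lookups, are reported as
permerror. It shows why a record ending in ~all (a "soft setting") merely
softfails a forged sender instead of rejecting it.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all decides the verdict
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed network argument
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                        # no match, try the next term
        return "permerror"   # include/a/mx/exists need DNS; unsupported here
    return "neutral"                        # nothing matched and no "all"


# Constructed records for a hypothetical domain; 203.0.113.0/24 is the
# documentation range, standing in for the domain's legitimate mail servers.
SOFT_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"   # forged mail only softfails
HARD_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"   # forged mail hard-fails

if __name__ == "__main__":
    for label, rec in (("soft", SOFT_RECORD), ("hard", HARD_RECORD)):
        print(label, "legit:", evaluate_spf(rec, "203.0.113.10"),
              "forged:", evaluate_spf(rec, "198.51.100.7"))
```

Run as a script it prints that the legitimate sender passes under both records, while the forged sender gets only `softfail` under the soft record and `fail` under the hard one.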
As for major websites, Detectify recommends that they deploy SPF and configure it properly to defend their domains against email spoofing.