Spoofing
Internet Security. A technique where a falsified sender email addresses attempts to trick recipients into opening an email message.
Email spoofing happens when someone sends email with a forged From address. As a spoofed email looks legitimate, phishing attacks often use spoofing.
As email lacks an inherent authentication mechanism, bad actors can spoof a From address. To combat spoofing, several internet standards have been developed:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
These methods use DNS to set authentication through domain records.
Bad actors can spoof email messages because each email has two From addresses: the Header From or friendly from address and the Envelope From or return-path address.
The Header From displays in the From field of your email client. This From address matters less for directing email traffic. It serves as the address on the letterhead of paper correspondence. Your postal service doesn't use that address to route mail. It provides friendly information about the sender to the recipient.
To spoof the Header From address, the bad actor places false information in the From field of your email client.. Display name abuse only changes the user interface. Domain authentication doesn't protect against this form of spoof.
The Envelope From address informs receiving email servers where to deliver replies and where to send bounces. The Envelope From serves as the return address on a postal envelope. Your postal service does use this address to route mail. It establishes the sending source of the letter.
To find the Envelope From address in your email client, select an option like Show Original, View Message Source, or Show Headers in your email client. Mail User Agents (MUA) don't display the Envelope From by default.
Domain authentication does protect against this form of spoof. To prevent email abuse, these standards have been developed and updated.
Report Spam when discovered
If you discover that a Twilio customer sent spam, report it to Twilio. Twilio bans their account immediately.
US recipients can also file a report with the US Federal Trade Commission.
To learn more, see the Twilio Email Infrastructure Guide.