Step-by-Step: Investigating a Spoofed Email from Header Inspection to DMARC Result
Email spoofing is a common tactic in phishing and business email compromise attacks. By learning to analyze email headers and interpret DMARC results, security professionals and technical teams can quickly verify the authenticity of an email and take action. Here's a step-by-step guide to investigating a spoofed email, from header inspection to DMARC evaluation.
Step 1: Obtain a full email header
To begin the investigation, obtain the full email header. This can typically be found under “Show original” or “Show source” in most email clients. Here is a breakdown of where to find the header in some inbox providers.
Step 2: Identify key header fields
The header contains key information such as:
- Received paths
Compare the connecting IP address recorded in the Received lines with the legitimate sending IP range for the sender's domain.
- From and Return-path
Spoofed emails often manipulate the From field to impersonate someone familiar, while the Return-Path may lead to a malicious or unrelated domain.
- Authentication results for SPF, DKIM and DMARC
These results are usually found under Authentication-Results in the header.
Step 3: Analyze SPF
Checks whether the sending IP is authorized to send on behalf of the envelope sender's domain (the domain of smtp.mailfrom).
Once SPF passes, compare the domain of the smtp.mailfrom address with the domain of the From header to confirm that alignment is achieved.
Step 4: Analyze DKIM
Verifies the digital signature attached to the message. For example:
To confirm alignment, compare the domain of the From address with the domain in the header.d tag (the DKIM signing domain). If they match, alignment is achieved.
Step 5: DMARC
DMARC combines the SPF and DKIM results: the message passes if at least one of them passes and is aligned with the From domain, and the domain's published policy tells the receiver what to do with messages that fail.
E.g.: dmarc=fail (p=reject disallows this message)
Step 6: Take action
Understanding the cause of the failure puts you on the right path: filling in missing configuration (SPF/DKIM) or detecting unauthorised senders. Enforcing the DMARC policy ensures that non-compliant emails do not reach their destination.
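As an added example (not code from the original article), the checks from Steps 2 to 5 applied to a constructed header block in Python: it reads From and Return-Path, parses the Authentication-Results field, tests SPF and DKIM alignment against the From domain and derives the DMARC outcome. The sample header, the domain names and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: the From header impersonates
# example.com while the envelope sender and DKIM signer are an unrelated domain.
SAMPLE_HEADER = """\
Return-Path: <bounce@mailer-unrelated.test>
Received: from mx.mailer-unrelated.test ([203.0.113.10]) by mail.example.com
Authentication-Results: mail.example.com;
    spf=pass smtp.mailfrom=bounce@mailer-unrelated.test;
    dkim=pass header.d=mailer-unrelated.test;
    dmarc=fail (p=reject dis=none) header.from=example.com
From: "CEO" <ceo@example.com>

"""

def org_domain(domain):
    # Simplification: last two labels as the organizational domain. Real receivers
    # use the Public Suffix List so that e.g. co.uk is not treated as an org domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain_a, domain_b, strict=False):
    # Strict alignment needs an exact match; relaxed only needs the same org domain.
    a, b = domain_a.lower(), domain_b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def parse_auth_results(value):
    # Unfold the header, then pull method=result pairs and the alignment properties.
    value = " ".join(value.split())
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    props = dict(re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", value))
    return results, props

def evaluate(raw_header, strict=False):
    msg = message_from_string(raw_header)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    results, props = parse_auth_results(msg["Authentication-Results"] or "")
    spf_domain = props.get("smtp.mailfrom", "").split("@")[-1]  # SPF aligns on MAIL FROM
    dkim_domain = props.get("header.d", "")                      # DKIM aligns on d=
    spf_ok = results.get("spf") == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = results.get("dkim") == "pass" and aligned(dkim_domain, from_domain, strict)
    return {
        "from_domain": from_domain,
        "return_path": parseaddr(msg["Return-Path"] or "")[1],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,         # DMARC needs at least one aligned pass
        "receiver_dmarc": results.get("dmarc"),  # verdict the receiving MTA recorded
    }
```

Running `evaluate(SAMPLE_HEADER)` reports both mechanisms as unaligned and `dmarc_pass` as False, matching the receiver's own `dmarc=fail`; pass `strict=True` to see how a subdomain signer that passes relaxed alignment fails strict alignment.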
A detailed examination of email headers, together with an analysis of the DMARC result, can reliably identify spoofing attempts. Understanding the fields within email headers and the different authentication methods is crucial for protecting yourself against email-related threats.