How Email Spoofing Works
Why email is easy to forge.
Email Was Built on Trust
The core email protocol, SMTP, was designed in the early 1980s for a small, trusted network of researchers. It has no built-in authentication of the sender.
That original trust assumption is why email spoofing is so easy today. Anyone who can talk SMTP to a mail server can claim to be anyone they like, unless additional protections (SPF, DKIM, DMARC) are layered on top.
Envelope vs Header Addresses
A crucial concept: an email actually has two sets of addresses, and they need not match.
- Envelope (MAIL FROM) — used by mail servers to route and bounce the message; the user never sees it
- Header From — the 'From:' line displayed in the email client
Spoofing exploits the gap: the visible Header From can say anything, regardless of who really sent the message.
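Seen from the receiving side, the gap can be checked by comparing the two addresses on a delivered message. The following is an added example, not part of the original lesson: the sample messages are constructed, and it assumes the receiving server recorded the envelope MAIL FROM in the Return-Path header. A mismatch is a signal to review rather than proof of forgery, since mailing lists and bulk-mail providers legitimately use a different envelope domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail).
ALIGNED = """\
Return-Path: <bounce@example.com>
From: "Alice" <alice@example.com>
To: bob@example.net
Subject: Quarterly report

Hi Bob.
"""

MISMATCHED = """\
Return-Path: <x1@mailer.invalid>
From: "Example Bank" <support@bank.example>
To: bob@example.net
Subject: Account notice

Please review.
"""

def _domain(value):
    """Return the lowercased domain of an address header value, or None."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def compare_addresses(raw):
    """Compare the envelope domain (Return-Path) with the Header From domain."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    envelope = _domain(msg.get("Return-Path"))
    # A message must carry exactly one From header; anything else is malformed.
    header = _domain(from_headers[0]) if len(from_headers) == 1 else None
    if header is None:
        verdict = "invalid-from"
    elif envelope is None:
        verdict = "no-envelope"  # e.g. the null sender <> used on bounces
    elif envelope == header:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"envelope": envelope, "header_from": header, "verdict": verdict}

if __name__ == "__main__":
    for name, raw in (("ALIGNED", ALIGNED), ("MISMATCHED", MISMATCHED)):
        print(name, compare_addresses(raw))
```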