If you’ve received an email that appears to be from your own email address, but you didn’t send it, it can be alarming, especially if the message claims the sender has access to your account. The good news is that, in many cases, your account hasn’t been compromised and the email is spoofed.
This help page explains what email spoofing is, how to tell if it happened, and what you can do about it.
What is email spoofing?
Email spoofing is when someone sends an email that is made to appear as though it came from a different address or sender than it actually did, often a trusted sender, organization, or even your own email address. Attackers use spoofing to trick recipients into trusting a message or to bypass spam filters.
Spoofing is possible because the addresses you see in the To and From fields are simply part of the message content; they do not determine delivery. For example, forwarded emails keep the original To and From fields even though the actual sender (the person who forwarded the email to you) and recipient (you) are different. Behind the scenes, email is routed using separate “envelope” addresses.
Since the email system was originally designed for communication between trusted devices, To and From fields can be forged or spoofed. The Email addressing help page has more detailed information about this process.
Modern sender authentication tools can help in identifying when an email has been spoofed.
What is sender authentication?
We use sender authentication standards like SPF, DKIM, DMARC, and ARC to help verify that an email really came from the sender it claims to. SPF checks whether the sending server is allowed to send for that domain; DKIM uses cryptographic signatures so receivers can tell if the message was tampered with. DMARC builds on these by checking the results against the domain in the header “From” (the part that is most commonly spoofed), and by letting domain owners specify how SPF and DKIM failures should be handled.
Fastmail treats authentication results as a signal and not a cause to block emails because sender authentication can fail for legitimate reasons such as email forwarding. Not all authentication failures indicate a spoofed or malicious message. When an email fails authentication, spam scores are adjusted to reflect this. However, authentication is only one of many factors used to determine whether a message is delivered to the Inbox or Spam.
How can I tell if an email was sent from my Fastmail account?
You can view the headers of an email by clicking the Actions menu at the top right of the message, then clicking Show raw message.
If the header X-ME-Sender is present and contains xms information, the email was sent from Fastmail servers, which means it was not spoofed. If you see this header on an email with your address in the “From” header and you did not send this email, please reach out to our support team for assistance.
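The two checks described above (the authentication results from SPF, DKIM and DMARC, and the X-ME-Sender test) can be applied to a raw message automatically. The following is an added example, not Fastmail’s own code: it parses constructed sample headers with Python’s standard email module, and the X-ME-Sender value, the Authentication-Results server name and the addresses are placeholders.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample messages (placeholder values, not real Fastmail headers).
SPOOFED = """\
From: you@example.com
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=you@example.com; dkim=none; dmarc=fail header.from=example.com
"""
GENUINE = """\
From: you@example.com
X-ME-Sender: <xms:CONSTRUCTED-PLACEHOLDER>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=you@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=([a-z]+)", re.IGNORECASE)

def auth_results(msg):
    """Collect spf/dkim/dmarc/arc verdicts; the first (outermost) header wins."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results

def sent_via_fastmail(msg):
    """The help page's test: X-ME-Sender present and carrying xms information."""
    return "xms" in str(msg.get("X-ME-Sender", "")).lower()

def triage(raw, my_address):
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    report = {
        "from_is_me": from_addr == my_address.lower(),
        "via_fastmail": sent_via_fastmail(msg),
        "auth": auth_results(msg),
    }
    failures = [m for m, v in report["auth"].items() if v == "fail"]
    if report["via_fastmail"]:
        report["verdict"] = "sent from Fastmail servers: not spoofed; if you did not send it, contact support"
    elif report["from_is_me"]:
        report["verdict"] = "likely spoofed: your address in From but no X-ME-Sender header"
    elif failures:
        # Failures are a spam signal, not proof: forwarding alone can break SPF.
        report["verdict"] = "authentication failed (%s): treat as a spam signal" % ", ".join(failures)
    else:
        report["verdict"] = "no spoofing indicators"
    return report
```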
How can I prevent spoofing?
If you receive a spoofed message, you can report it as spam by selecting the message, clicking the More button, and clicking Report spam.
If you are using a custom domain and you’re seeing frequent spoofing attempts, we recommend setting up a DMARC policy. This tells receiving mail servers how to handle unauthenticated emails sent from your domain.