What is Spoofing?¶

I, or someone I know, got an email that said it was from me, but I didn’t send it. What is going on?
Has my account been compromised?
What should I do if I receive or am notified about a spoofed email?
How can I avoid having my email address spoofed in the future?
Is there anything I can do to help others know if email coming from my email address is real or fake?

I, or someone I know, got an email that said it was from me, but I didn’t send it. What is going on?¶

You have most likely been the victim of a spoofed email. Spoofed emails are emails where the sending address was forged by the real sender. Unfortunately, this is fairly easy to do. The technical protocols used by email do not have a built in way to verify that the address given as the “from” address are truly sent from this address.

Imagine sending a letter and writing the return address on the envelope. The “from” address is information provided by the sender, and there is not a built in way to prevent the sender from providing a false address.

Has my account been compromised?¶

All that one needs to spoof an email is the email address itself. Unless there is some other sign that the sender of the address has gotten access to your personal information, such as sending an email to everyone in your contact list, it is most likely that there has been no breach of personal information.

Owners of domain names are a popular target for spoofing attacks because it is easy to guess common email addresses that exist on many domain names. For example, you might receive an email claiming to be from “admin@example.com” where example.com is the domain name you own.

What should I do if I receive or am notified about a spoofed email?¶

Unfortunately, there is not much you can do about a spoofed email after it has been sent. Like most spam messages, the best response is to ignore it. Replying to, or clicking links in a spoofed email can indicate to an attacker that your email is active, and thus a good target for future attacks. You do not need to forward the email to our support team.

If you have any concern that your account has been compromised you can change the password for your email.

How can I avoid having my email address spoofed in the future?¶

Practices that help prevent spam will also help protect you from spoofed emails.

Don’t publish your email address on your website. Instead, use a contact us form to receive messages. If you feel it necessary to list an email address, display it in an image instead of as text.
Don’t publish your email address to public forums, mailing lists, newsletters, etc. Don’t submit your business card or email address to contest or giveaways, since these are often attempts to gather emails for marketing purposes.
Avoid creating generic, easy to predict email addresses (such as contact@example.com, admin@example.com, info@example.com, etc.)

Is there anything I can do to help others know if email coming from my email address is real or fake?¶

There are a few technical protocols that can help identify your email as being authentic. These are handled automatically in the background by your mail server and do not require any specific action by your or the recipient. These protocols cannot fully prevent every instance of spoofing, but can provide a measure of reassurance to recipients using email servers that have implemented checks using these protocols. You can learn more about these tools on our page explaining tools to protect your email against being spoofed.