TL;DR
Yes. The ‘From’ and ‘Date’ headers are written by whatever software sends the message, so anyone can put anything in them; no special access is needed. What is hard to fake is the information added on the receiving side: the ‘Received’ line your own mail server writes and the SPF, DKIM and DMARC results it records. Getting a forgery past those checks requires control of the impersonated domain’s legitimate mail infrastructure or a compromised account on it. Detecting a forgery means reading the full message source rather than the summary your email client shows.
How Emails Are Faked
- Understanding Email Headers: Every email has a header block containing metadata such as sender, recipient, subject, date and routing information. ‘From’ and ‘Date’ are set by the sender and are the most commonly forged; ‘Received’ lines are added by each relay the message passes through, and the ones below your own server’s entry can be fabricated by the sender as well.
- Direct Server or Account Access: Writing an arbitrary ‘From’ or ‘Date’ needs no server access at all; any SMTP client can do it. What access to a domain’s legitimate mail server (or a compromised mailbox on it) adds is that the forged message leaves through the domain’s authorized outbound path, so it carries a valid DKIM signature and passes SPF and DMARC at the receiver. This is the most convincing forgery and the hardest to achieve.
- It requires stolen credentials or a compromise of the server itself, plus some familiarity with SMTP and the mail system’s configuration.
- Spoofing (Less Reliable): ‘Email spoofing’ means sending from infrastructure the attacker controls while writing someone else’s address in ‘From’. It is trivial to do but easy to detect, because modern receivers check the message against the impersonated domain’s SPF, DKIM and DMARC records.
- SPF (Sender Policy Framework): The domain publishes, in DNS, which servers may send mail for it. The receiver checks the connecting server’s IP against the record for the envelope sender domain (the SMTP ‘MAIL FROM’), which is not necessarily the domain shown in ‘From’.
- DKIM (DomainKeys Identified Mail): The sending domain signs selected headers (normally including ‘From’ and ‘Date’) and the message body with a private key, and publishes the public key in DNS. A valid signature shows that the signing domain vouched for the message and that the signed parts were not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM. A message passes only if SPF or DKIM passed and the domain that passed aligns with the domain in the visible ‘From’. The record also tells receivers what to do with failures (none, quarantine or reject) and where to send reports.
- Email Clients & Manipulation: Any email client lets you set the display name that appears next to the address, so ‘Jane Doe <attacker@example.net>’ can be made to look like Jane. The real address is still in the header, which is why the checks below start with viewing it.
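To make the alignment rule concrete, here is an added example (not code from the original page) that computes a DMARC verdict from SPF and DKIM results a receiving server has already produced. The DMARC record is a constructed string standing in for the `_dmarc.<domain>` DNS lookup, the `AuthResults`, `evaluate_dmarc` and related names are this example’s own, and the organizational-domain shortcut (last two labels) is a simplification of the Public Suffix List lookup real verifiers perform.

```python
"""DMARC alignment and policy evaluation.

Added example, not from the original page. It assumes the receiving server
has already computed an SPF result (for the envelope MAIL FROM domain) and
one DKIM result per signature (with its d= domain). The DMARC record is a
constructed string standing in for the _dmarc.<domain> TXT lookup.
"""
from dataclasses import dataclass, field


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example: real verifiers consult the Public Suffix
    List so that e.g. 'example.co.uk' is treated as one organization.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organization."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str                            # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str                            # envelope sender domain SPF was checked for
    dkim: list = field(default_factory=list)   # [(result, d= domain), ...]


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passed *and* that domain aligns with From."""
    policy = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for result, d in auth.dkim)
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # a 'none' disposition means deliver normally
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # Constructed scenario: the attacker's own server is authorized for
    # attacker.example (SPF pass), but the visible From claims bank.example.
    spoofed = AuthResults("pass", "attacker.example", [("pass", "attacker.example")])
    print(evaluate_dmarc("bank.example", "v=DMARC1; p=reject", spoofed))
    # Legitimate mail: a bounce subdomain for SPF, DKIM signed by the org domain.
    legit = AuthResults("pass", "bounce.bank.example", [("pass", "bank.example")])
    print(evaluate_dmarc("bank.example", "v=DMARC1; p=reject", legit))
```

The spoofed scenario is why ‘SPF passed’ on its own means little: the attacker’s server really is authorized for attacker.example, but that domain does not align with the visible ‘From’, so DMARC fails and the domain’s p=reject policy applies.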
How to Check if an Email Has Been Doctored
- View the Full Header: Most email clients have a way to view the full email header. The method varies depending on your client (Gmail, Outlook, etc.). Look for options like ‘Show Original’, ‘View Source’, or similar.
- Gmail: Open the email, click the three dots (More), then select ‘Show original’.
- Outlook (desktop): Double-click the message to open it in its own window, then go to File > Properties (File > Info > Properties in some versions). The raw headers are in the ‘Internet headers’ box.
- Examine the ‘Received’ Headers: These show the path the message took from sender to recipient. Each relay prepends its own line, so read them from the bottom up: the bottom line is the earliest hop and the top line was written by your own mail server.
- Only the line added by your own server (and by servers you trust) is reliable; every ‘Received:’ line below it arrived as part of the message and could have been fabricated by the sender. Look for timestamps that go backwards, hops through unexpected servers, or a chain that starts somewhere other than the claimed sender’s infrastructure.
- Check the SPF, DKIM and DMARC Results: The receiving server records its verdict in an ‘Authentication-Results:’ header (Gmail’s ‘Show original’ also shows a summary at the top). Look for ‘spf=pass’, ‘dkim=pass’ and ‘dmarc=pass’; a DMARC failure on a domain that publishes a reject or quarantine policy is the strongest single signal of forgery.
- Online tools such as MXToolbox can analyse pasted headers and look up a domain’s published SPF and DMARC records. Note that a DNS lookup tells you what policy the domain publishes, not whether this particular message passed; for that you need the ‘Authentication-Results:’ header.
- Look for Discrepancies: Compare the ‘From’ address with the ‘Reply-To’ and ‘Return-Path’ addresses and with the signature in the body. A ‘Reply-To’ pointing at a different domain from ‘From’ is a classic phishing pattern, since replies go to the attacker while the visible sender looks legitimate.
Example Header Snippet & What to Look For
Received: from mail.example.com (mail.example.com [192.0.2.1]) by mx.recipientdomain.com with SMTP; Tue, 15 Aug 2023 14:30:00 +0000
From: forged-sender@example.com
Date: Mon, 14 Aug 2023 18:00:00 -0500
In this example:
- The ‘Received:’ header was written by mx.recipientdomain.com and says it accepted the message from a host at 192.0.2.1 that presented itself as mail.example.com. The IP address is what the receiving server actually observed; the hostname is only as reliable as the receiver’s reverse-DNS check.
- The ‘From:’ header claims the sender is ‘forged-sender@example.com’. On its own this proves nothing; it is whatever the sender typed.
- The ‘Date:’ header says 18:00 on 14 August in the -0500 zone, which is 23:00 UTC on the 14th, while the server received the message at 14:30 UTC on the 15th, roughly 15.5 hours later. A gap that large, or a ‘Date’ later than the receipt time, is worth investigating, but the ‘Date’ is set by the sender’s clock, so a discrepancy alone is not proof of forgery.
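The checks above, applied to a message constructed for this example (not from the original page) that extends the page’s snippet with an inner ‘Received’ hop, a ‘Reply-To’ and the ‘Authentication-Results’ line a receiving server records. The `triage`, `hops` and `auth_results` names and the sample headers are this example’s own; it uses only the Python standard library.

```python
"""Header triage for a raw message.

Added example, not from the original page. The sample message below is
constructed for it: the page's snippet plus an inner Received hop, a
Reply-To and the Authentication-Results line a receiving server records.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (headers only matter here).
SAMPLE = """\
Authentication-Results: mx.recipientdomain.com;
 spf=pass smtp.mailfrom=attacker.example;
 dkim=none; dmarc=fail header.from=example.com
Received: from mail.example.com (mail.example.com [192.0.2.1]) by mx.recipientdomain.com with SMTP; Tue, 15 Aug 2023 14:30:00 +0000
Received: from [10.0.0.5] by mail.example.com with ESMTP; Tue, 15 Aug 2023 14:29:55 +0000
From: forged-sender@example.com
Reply-To: attacker@attacker.example
Date: Mon, 14 Aug 2023 18:00:00 -0500
Subject: Urgent invoice

Please pay the attached invoice today.
"""


def hops(msg):
    """Received: lines as (from, by, timestamp), oldest hop first.

    Relays prepend their line, so header order is newest first and we
    reverse it. Only the newest hop, written by your own server, is trustworthy.
    """
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())                  # unfold continuation lines
        if ";" in text:
            clause, date_str = text.rsplit(";", 1)      # the date follows the last ';'
        else:
            clause, date_str = text, ""
        m_from = re.search(r"\bfrom\s+(\S+)", clause)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        stamp = parsedate_to_datetime(date_str.strip()) if date_str.strip() else None
        chain.append((m_from.group(1) if m_from else None,
                      m_by.group(1) if m_by else None, stamp))
    return chain


def auth_results(msg):
    """{'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'} from Authentication-Results."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(value.split())):
            found[method] = result.lower()
    return found


def domain_of(header_value):
    """Domain part of an address header, or None if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() or None


def triage(raw, max_gap_hours=1):
    """Return the parsed chain, auth results, Date-vs-receipt gap and a list of findings."""
    msg = message_from_string(raw)
    findings = []
    chain = hops(msg)

    # Date: is written by the sender; compare it with the timestamp your own
    # server wrote on the newest hop, the one line the sender could not touch.
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    received = chain[-1][2] if chain else None
    gap = None
    if sent and received:
        gap = (received - sent).total_seconds()
        if gap < 0:
            findings.append("Date: is later than the time your server received the message")
        elif gap > max_gap_hours * 3600:
            findings.append(f"Date: predates receipt by {gap / 3600:.1f} hours")

    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "none") != "pass":
            findings.append(f"{method} did not pass: {auth.get(method, 'not recorded')}")

    return {"hops": chain, "auth": auth, "gap_seconds": gap, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

On the sample this reports the 15.5-hour gap, the ‘Reply-To’ pointing at attacker.example, and the DKIM and DMARC failures, while saying nothing about SPF, which passed for the attacker’s own envelope domain. That combination is exactly what a spoofed message that has not gone through the impersonated domain’s servers looks like.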
Protecting Yourself
- Be Wary of Suspicious Emails: If an email seems unusual or unexpected, be cautious.
- Don’t Click Links or Open Attachments from Unknown Senders: These could contain malware.
- Verify Requests Directly: If you receive a request for sensitive information or an urgent payment, confirm it through a channel you already trust (a phone number you already have, or a new email to the address you normally use) rather than by replying to the message.
- Enable Two-Factor Authentication: Adds an extra layer of security to your accounts, so that credentials captured by a phishing email are not enough on their own to log in.