Our New Leader to Follow on LinkedIn - Arthur Grishkevich on his How to Spoof Email
Updated: May 3
">> 💌Do cold email gods hate you? Or is it infosec?
>> If your cold emails are missing the inbox, here's
👇🏼A brief history of email security (or how to spoof email 👿)
Email wasn’t designed for security.
SMTP (1971), POP (1985) and IMAP (1986) are email transmission protocols.
SMTP allows ANY computer (node) to send an email to ANY address, claiming to have originated from ANY address. Yeah, that's that thing they call email spoofing
Why didn't they think of security? 🤔
In those days only government agencies, large corporations and educational institutions had access to Internet nodes
The physical access (or rather lack of access) to an internet-connected computer terminal WAS the security layer.
You'd think we've gone a long way. But today most cyberattacks still start with an email because humans are the easiest vulnerability to exploit for 1337 h4x0r5 😱
How easy is it to send a spoofed email? Just google “send spoofed email online” and you can send one through a web form
Email got an encryption upgrade in the mid-90s when Netscape made SSL encryption popular.
But many countries today are still sending unencrypted emails. As a matter of fact only 90% of all email traffic in 2022 is encrypted.
Remember Yahoo? They started researching and implementing email authentication in the early 2000s.
By the mid-2010s, email authentication methods finally came into their own as accepted Internet Standards.
Authentication methods are the SPAM filter that doesn't need a SPAM list. They rely on publishing public data in the domain name’s DNS records. The receiving server can refer to the public data to verify authenticity of the email it received.
The main authentication methods are:
SPF est.: 2014
Specifies from which servers your domain sends email
DKIM est.: 2010
Generates a signature which is verified by the public key posted in DNS
DMARC est.: 2015
Specifies which sending policy (SPF or DKIM or both) is used by the sending server, instructs the receiving server what to do if verification fails, and to what email address to send a report
So when Jesse Ouellette or I or anyone else talks about the value of DNS settings for email deliverability, we are really talking about playing by the rules designed to protect *your* inboxes
You might be a great guy, working for an honest company with no malintent to your cold email…
But the receiving servers don’t know that unless you (or your IT) tell them.
Play by the rules - be inbox 📥
Ignore the rules - be spam 🛑
Cold email gods are just but strict"