Why can I send emails from domains I don't own? [closed]

I was recently messing around with the mail functionality when I made a discovery that truly troubled me!

I was using commands of a similar format in PHP:

mail("[email protected]","My subject", "IT WORKED", "From: [email protected]");

What I realised is that no matter what email I put in the "From" section, the email always sends (although it does go to the Junk folder, but that's probably because of the contents of the email)!!!

My question is:

  • Why does this work? Surely there should be some authentication process to make sure that I actually own the domain and the email was truly sent by the domain!
  • What's stopping me from pretending to be from a bank or Paypal or something else and committing fraud?
  • As a user, how can I be sure that the email I receive is truly from the sender? My way of checking has always been to look at the sender's email address. But it seems I can send any email from any email address (even ones I don't own) and it still sends!

NOTE: I am using outlook.com as my email client (web version, not desktop!)

I would have continued my experiment to see if it works with emails like: [email protected], but I was scared I may be doing something illegal or my IP will get blacklisted.

Yahya Uddin asked Oct 31 '25 19:10


1 Answer

Yes, you are correct that there isn't anything technically preventing you from sending e-mail as another user. This is defined as part of the Simple Mail Transfer Protocol (SMTP). However, there are authentication processes out there to try and identify mail sent like this on the receiving end:

  1. DKIM (Domain Keys Identified Mail) https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
  2. SPF (Sender Policy Framework) https://en.wikipedia.org/wiki/Sender_Policy_Framework

It is likely that it's actually the failure of these authentication processes that is directing your mail to your junk folder, instead of/as well as the message content. This, combined with other elements in the UI of your e-mail client (such as "fraud detection" in Thunderbird) is, as a user, what would call out to you that the e-mail might not be trustworthy.

DKIM

DKIM works via an asymmetric key. Only the true owner of a domain knows the private half which is used to digitally sign emails, and they publish the public half as a TXT record in their DNS zone.

When someone receives an e-mail claiming to be from example.com, their email client will check a DKIM-Signature header on the message, using the published public half of the key to verify that the message has been signed correctly. As the signature also includes a hash of the message contents, this also ensures that the contents have not been changed in transit as well as ensuring the sender is legitimate.

SPF

The true owner of a domain publishes a list of hosts allowed to send e-mail on its behalf, again as a TXT record in their DNS zone.

When someone receives an e-mail claiming to be from example.com, their e-mail client will check that the host that sent the e-mail has been authorized to do so by the domain's owner.

zac.sturgess answered Nov 02 '25 16:11
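To make the two checks in the answer concrete, here is an added Go model of what the receiving side does; it is not part of the original answer and is not the code of PHP's mail(), Outlook or any real mail server. It assumes a constructed in-memory map in place of real DNS lookups (a live verifier would call net.LookupTXT), the domain example.com, a DKIM selector "sel1", Ed25519 keys (the ed25519-sha256 algorithm DKIM permits) and the constructed netblock 203.0.113.0/24 as the only host range allowed to send for the domain. Real DKIM also canonicalises headers and carries more tags; this version signs just the From and Subject lines plus the body hash, which is enough to show why a forged From header fails both checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// fakeDNS stands in for public DNS: record name -> TXT value (constructed data).
type fakeDNS map[string]string

// newZone plays the domain owner: it generates the DKIM key pair and returns the
// TXT records the owner publishes plus the private key, which stays on the
// owner's mail server and is never published.
func newZone(domain string) (fakeDNS, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return fakeDNS{
		// SPF: only this (constructed) netblock may send mail for the domain.
		domain: "v=spf1 ip4:203.0.113.0/24 -all",
		// DKIM: public key for selector "sel1", as the receiver will look it up.
		"sel1._domainkey." + domain: "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub),
	}, priv
}

// checkSPF is a minimal SPF evaluator (ip4 mechanisms and -all/~all only) and
// returns "pass", "fail", "softfail", "neutral" or "none" for the sending IP.
func checkSPF(dns fakeDNS, domain, sendingIP string) string {
	rec, ok := dns[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none" // domain publishes no policy; nothing to check against
	}
	ip := net.ParseIP(sendingIP)
	for _, term := range strings.Fields(rec)[1:] {
		switch {
		case strings.HasPrefix(term, "ip4:"):
			cidr := strings.TrimPrefix(term, "ip4:")
			if !strings.Contains(cidr, "/") {
				cidr += "/32" // a bare address means a single host
			}
			if _, ipnet, err := net.ParseCIDR(cidr); err == nil && ipnet.Contains(ip) {
				return "pass"
			}
		case term == "-all":
			return "fail"
		case term == "~all":
			return "softfail"
		}
	}
	return "neutral"
}

// parseTags splits "k=v; k2=v2" (DKIM-Signature and DKIM TXT syntax) into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	return tags
}

// dkimSign builds a simplified DKIM-Signature value: body hash (bh=) plus a
// signature (b=) over the From and Subject headers and the tag list itself.
func dkimSign(priv ed25519.PrivateKey, selector, domain, from, subject, body string) string {
	bh := sha256.Sum256([]byte(body))
	unsigned := fmt.Sprintf("v=1; a=ed25519-sha256; d=%s; s=%s; h=from:subject; bh=%s; b=",
		domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	sig := ed25519.Sign(priv, []byte(from+"\r\n"+subject+"\r\n"+unsigned))
	return unsigned + base64.StdEncoding.EncodeToString(sig)
}

// dkimVerify does what the receiving server does: fetch <s>._domainkey.<d>,
// recheck the body hash, then verify the signature with the published key.
func dkimVerify(dns fakeDNS, sigHeader, from, subject, body string) bool {
	tags := parseTags(sigHeader)
	rec, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return false // no key published for that selector and domain
	}
	pub, err := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	bh := sha256.Sum256([]byte(body))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return false // body changed in transit
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return false
	}
	unsigned := strings.TrimSuffix(sigHeader, tags["b"])
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(from+"\r\n"+subject+"\r\n"+unsigned), sig)
}

// forgedSignatureVerifies shows why a spoofer cannot fake DKIM: a signature made
// with a key the domain owner never published does not verify against the TXT record.
func forgedSignatureVerifies(dns fakeDNS, domain, from, subject, body string) bool {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return dkimVerify(dns, dkimSign(otherPriv, "sel1", domain, from, subject, body), from, subject, body)
}

func main() {
	dns, priv := newZone("example.com")
	from, subject, body := "From: alice@example.com", "Subject: My subject", "IT WORKED"
	fmt.Println("SPF from the owner's netblock:", checkSPF(dns, "example.com", "203.0.113.10"))
	fmt.Println("SPF from any other host:      ", checkSPF(dns, "example.com", "198.51.100.7"))
	h := dkimSign(priv, "sel1", "example.com", from, subject, body)
	fmt.Println("DKIM genuine:", dkimVerify(dns, h, from, subject, body))
	fmt.Println("DKIM tampered body:", dkimVerify(dns, h, from, subject, body+"!"))
	fmt.Println("DKIM signed with an unpublished key:", forgedSignatureVerifies(dns, "example.com", from, subject, body))
}
```

Run with `go run .`: the message signed by the holder of the published key verifies, while the same header over a changed body, a changed From line, or a signature from a key the owner never published all fail, and a host outside the SPF netblock gets "fail" from the -all qualifier. This is the signal a receiver such as outlook.com feeds into its junk classification; an unauthenticated From header alone proves nothing about who sent the message.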