SMTP Pentest Guide
Back to Email Authentication Attacks

From/Sender Ambiguity

This attack exploits inconsistencies in how email clients and servers handle the From and Sender headers. By manipulating these headers, attackers can create emails that appear to be from legitimate senders while bypassing authentication mechanisms.

Attack Summary: Exploiting differences in how email clients display From vs. Sender headers and how authentication mechanisms validate them.

Background: From vs. Sender Headers

According to RFC 5322, email messages can have both a From header and a Sender header:

  • From: Indicates the author(s) of the message (who wrote the content)
  • Sender: Indicates the mailbox of the agent responsible for the actual transmission (who sent the message)

In most legitimate emails, the From and Sender headers are either the same or clearly related (e.g., From: marketing@company.com, Sender: no-reply@company.com). However, many email clients only prominently display the From header, while authentication mechanisms like SPF might validate the Sender header or the MAIL FROM envelope address.

From: ceo@company.com Sender: attacker@malicious.com Subject: Urgent Wire Transfer Please process the attached wire transfer immediately.

This inconsistency creates opportunities for attackers to manipulate how their emails are displayed to recipients while still passing certain authentication checks.

Attack Methodology

This attack involves creating emails with different From and Sender headers to exploit inconsistencies in how they are displayed and authenticated.

Basic From/Sender Ambiguity
Exploiting display vs. authentication differences

The most basic form of this attack involves setting different domains in the From and Sender headers.

Attack Example

Different From and Sender domains

HELO attacker.com MAIL FROM: <attacker@attacker.com> RCPT TO: <victim@victim.com> DATA From: <ceo@target.com> Sender: <legitimate@attacker.com> To: <victim@victim.com> Subject: Urgent Action Required Dear Employee, Please process the attached invoice immediately. .
Explanation: In this example, the attacker sets the From header to ceo@target.com (the spoofed identity) and the Sender header to legitimate@attacker.com (a domain they control). Most email clients will prominently display the From header (ceo@target.com), while SPF checks will validate the MAIL FROM address (attacker@attacker.com). If the attacker has proper SPF records for their domain, the email may pass SPF checks while appearing to be from the CEO.

How It Works

  1. Attacker creates an email with different From and Sender headers
  2. The From header contains the spoofed identity (ceo@target.com)
  3. The Sender header contains a domain the attacker controls (attacker.com)
  4. The MAIL FROM envelope address also uses the attacker's domain
  5. SPF checks validate the MAIL FROM address against the attacker's domain
  6. The SPF check passes because the attacker has valid SPF records
  7. Email clients prominently display the From header (ceo@target.com)
  8. Recipients see the email as coming from the CEO
DMARC Bypass
Exploiting DMARC alignment issues

This variant exploits how DMARC alignment checks work with From and Sender headers.

DMARC Bypass Example

Exploiting DMARC alignment

HELO attacker.com MAIL FROM: <bounce@attacker.com> RCPT TO: <victim@victim.com> DATA From: <security@bank.com> Sender: <security@attacker.com> Reply-To: <security@bank.com> To: <victim@victim.com> Subject: Security Alert Dear Customer, We have detected suspicious activity on your account. Please log in immediately. .
Explanation: In this example, the attacker sets the From header to security@bank.com (the spoofed identity) and the Sender header to security@attacker.com (a domain they control). DMARC alignment checks may pass if the email server uses the Sender header for alignment instead of the From header. The attacker also sets the Reply-To header to the spoofed address so that any replies will go to the legitimate domain, making the email appear more legitimate.

DMARC Alignment Issues

DMARC alignment can be affected by From/Sender ambiguity in several ways:

  • Some implementations check alignment between the From header and the authenticated domain
  • Others check alignment between the Sender header and the authenticated domain
  • Some check both, requiring at least one to align
  • The RFC is somewhat ambiguous about which should be used in all cases
  • This ambiguity creates opportunities for attackers to bypass DMARC
Display Name Spoofing
Combining From/Sender ambiguity with display name spoofing

This variant combines From/Sender ambiguity with display name spoofing for a more convincing attack.

Display Name Spoofing Example

Combining techniques for more effective spoofing

HELO attacker.com MAIL FROM: <info@attacker.com> RCPT TO: <victim@victim.com> DATA From: "John Smith, CEO of Target Company" <info@attacker.com> Sender: <marketing@attacker.com> To: <victim@victim.com> Subject: Important Company Update Dear Employee, Please review the attached company policy update. .
Explanation: In this example, the attacker uses a convincing display name in the From header ('John Smith, CEO of Target Company') but sets the email address to their own domain (info@attacker.com). The Sender header is also set to the attacker's domain. This approach passes authentication checks while still appearing to be from the CEO in many email clients that prominently display the From name rather than the email address.

Client Display Variations

Different email clients display From/Sender information differently:

  • Mobile clients: Often show only the display name in the inbox view
  • Webmail: May show the display name prominently with the email address in smaller text
  • Desktop clients: Vary widely in how they display From vs. Sender information
  • Some clients: Show "on behalf of" or similar text when From and Sender differ
  • Others: Don't display the Sender header at all in the user interface

Impact

This attack allows attackers to:

  • Create emails that appear to be from legitimate senders while passing authentication checks
  • Bypass some DMARC implementations by exploiting alignment ambiguities
  • Target specific email clients with tailored spoofing techniques
  • Conduct sophisticated phishing attacks that appear legitimate to recipients

Detection

Organizations can detect these attacks by:

  • Implementing email security solutions that check for mismatches between From and Sender headers
  • Configuring email gateways to flag or quarantine emails with suspicious header combinations
  • Using email clients that clearly display both From and Sender information
  • Training users to check the full email address, not just the display name

Mitigation

To protect against these attacks, organizations should:

  • Implement strict DMARC policies: Use p=reject with strict alignment requirements
  • Configure email gateways: Set up rules to detect and block From/Sender mismatches
  • Use email clients: Deploy clients that clearly display both From and Sender information
  • Train users: Educate users about checking the full email address and being suspicious of mismatches
  • Implement additional authentication: Use additional authentication mechanisms beyond SPF/DKIM/DMARC

Testing

Security professionals can test for this vulnerability using the following approach:

  1. Create test emails with different combinations of From and Sender headers
  2. Send these emails to test accounts using different email clients
  3. Observe how different clients display the sender information
  4. Check if email authentication mechanisms detect or block the emails
  5. Document inconsistencies in how different systems handle the emails

References

  • RFC 5322: "Internet Message Format." https://tools.ietf.org/html/rfc5322
  • RFC 7489: "Domain-based Message Authentication, Reporting, and Conformance (DMARC)." https://tools.ietf.org/html/rfc7489
  • Chen, J., Duan, H., Weaver, N., Paxson, V., & Jiang, J. (2021). "Measuring and Mitigating Email Sender Spoofing Attacks." In Proceedings of the 30th USENIX Security Symposium.
  • Foster, I. D., Larson, J., Masich, M., Snoeren, A. C., Savage, S., & Levchenko, K. (2015). "Security by Any Other Name: On the Effectiveness of Provider Based Email Security." In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.
Previous: Multiple From HeadersNext: Parsing Inconsistencies