The simple block of code that PHP devs everywhere use for "Contact Us" forms:
$to = "email@example.com";
$subject = "Hi";
$txt = $_POST["body"];
// The From header is built straight from form input, so the sender is whatever the submitter typed
$headers = "From: " . $_POST["contact"];
mail($to, $subject, $txt, $headers);
So the idea came, "What if I just put whatever I want?"
$to = "firstname.lastname@example.org";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]!";
$headers = "From: email@example.com";
What is stopping a person from filling in any header data they like to masquerade as a legitimate contact?
The solution to this little issue is Sender Policy Framework (SPF).
When the receiving mail server gets an email it looks at the 'Return-Path' header and grabs the domain from the sender's address. It then checks the SPF record for that domain, which is stored in DNS, and makes sure that the sender's IP/domain (the one recorded in the Received header) is approved by the SPF record.
v=spf1 include:_spf.google.com ~all
"v=spf1" is the version definition. spf1 is the only version; it is mandatory and appears at the beginning of every SPF record.
The mechanisms come next. How the sender is compared against the DNS entry can be specified in many ways (there is a ton of different nomenclature; an explanation is listed here: http://www.zytrax.com/books/dns/ch9/spf.html). In this example there is only an 'include', which tells the receiving server to restart the SPF verification against the named domain (_spf.google.com instead of google.com).
So if you drop that domain into an SPF reader you get this:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
Same deal, just three includes; check the first netblocks record and you get this:
v=spf1 ip4:220.127.116.11/20 ip4:18.104.22.168/19 ip4:22.214.171.124/20 ip4:126.96.36.199/20 ip4:188.8.131.52/18 ip4:184.108.40.206/16 ip4:220.127.116.11/21 ip4:18.104.22.168/16 ip4:22.214.171.124/20 ip4:126.96.36.199/17 ip4:188.8.131.52/19 ip4:184.108.40.206/19 ~all
So if the server that sent the email has an IP address inside any of the ranges listed in the SPF record, the message will pass.
+all = pass
?all = neutral = email will be accepted
~all = soft fail = will be accepted, but marked
-all = fail = will be rejected
This is where the SPF record instructs the receiver on what to do with an email that fails to meet its parameters. So this is the part we are interested in when it comes to spoofing.
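To make the evaluation concrete, here is an added Python example (not code from the original post) that walks an SPF record the way the receiving server does: it follows include: chains, matches ip4: ranges against the connecting server's IP, and applies the qualifier on all. The DNS table and domain names are constructed for the example; mx and a mechanisms are skipped because nothing can be resolved offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records). It mirrors the
# include chain described above, using documentation address ranges.
FAKE_DNS = {
    "example.org": "v=spf1 mx include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 include:_netblocks.example.net ~all",
    "_netblocks.example.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` against the connecting server's IP.

    Returns pass / fail / softfail / neutral / none / permerror. Only the ip4
    and include mechanisms plus the `all` terminator are implemented."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; guards against include loops
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is +
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]  # nothing earlier matched: apply the policy
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech.startswith("include:"):
            # Restart the check against the included domain; only a "pass" there
            # counts as a match here, and a permanent error propagates upward.
            sub = check_spf(client_ip, mech[8:], dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub == "permerror":
                return "permerror"
        # mx, a and other mechanisms need live DNS; treated as non-matching here
    return "neutral"  # record ended without an `all` term: no match means neutral
```

With the constructed table, a message from 192.0.2.5 claiming example.org passes, while one from 203.0.113.9 ends at example.org's -all and fails.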
v=spf1 mx include:_spf.google.com +a:mail1.keybase.io +a:mail2.keybase.io -all
In this example you can see that keybase.io is using a hard fail for any message that fails to meet its parameters. So what happens to the message?
A one-way ticket to Gmail's automatic spam filter.
Here are a couple of tools to check a site's SPF: