Why anyone can send an email pretending to be anyone else, and what hidden information every email contains
How Email Works
The Fake Invoice
Jennifer, a controller at a construction company, received an email from their law firm about closing costs on a property deal. The email looked right. The sender address showed the law firm's domain. The signature matched. She wired $127,000.
Two days later, the real law firm called. They never sent that email. The money was gone.
How did this happen? The sender address looked correct. There were no spelling errors. No suspicious links. Jennifer did nothing obviously wrong.
The answer is simple: anyone can put any address in the "From" field of an email. The system doesn't verify it.
This story is fictional, but the patterns are real.
Why Email Can Be Faked
Email works like a postcard. You can write any return address you want. The postal service will still deliver it. They don't check if you actually live at that address.
The technology behind email, called SMTP, was created in 1982 for a network of a few hundred university computers. Everyone on the network knew each other. There was no reason to verify identity.
That design never changed. The SMTP protocol still accepts whatever address the sender claims. Authentication systems were added later, but they're optional and many organizations don't use them properly.
This is the core problem: email trusts the sender to tell the truth about who they are.
What You See vs. What's Real
When you look at an email, you see:
- From: who supposedly sent it
- To: who received it
- Subject: what it's about
- Body: the message itself
What you don't see is the rest of the email's headers. This hidden information shows where the email actually came from and how it traveled to reach you.
Think of headers like shipping labels on a package. The gift card inside might say "From: Grandma," but the shipping label shows it came from a warehouse in Nevada. Headers reveal the real origin.
Every email program can show you headers, but they're hidden by default. In Gmail, click the three dots and select "Show original." In Outlook, open message properties.
The Key Headers
When you view headers, you'll see a wall of text. Here's what matters:
From: What the sender wants you to see. Can be anything.
Reply-To: Where your reply actually goes. Attackers set this to their own address while making "From" look legitimate. You think you're replying to your CEO, but your message goes to a criminal.
Return-Path: Where bounced messages go. Like Reply-To, this can differ from the From address. When all three point to different places, something suspicious is happening.
Received: Each server that handled the email adds one of these to the top. Reading them bottom-to-top shows the email's journey, because the bottom one was added first, by the server closest to the origin. If an email claims to be from New York but that bottom Received header shows a server in Romania, something is wrong.
Authentication-Results: Shows whether the email passed security checks (SPF, DKIM, DMARC). We cover these in the next article.
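To make these checks concrete, here is an added Python example, not code from the original article, that parses a constructed spoofed message with the standard library's email package, compares the From, Reply-To and Return-Path domains, walks the Received chain bottom-to-top to find the originating host, and reads the spf/dkim/dmarc verdicts from Authentication-Results. The message, hostnames, IP addresses and mailbox names are all made up for the example (reserved documentation values), and the "findings" labels are my own naming.

```python
"""Triage the hidden headers the article describes: From, Reply-To,
Return-Path, the Received chain and Authentication-Results.
Added example; the message below is constructed, not a real capture."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample of a spoofed "law firm" message. Hostnames, IPs and
# addresses are reserved documentation values, not real infrastructure.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.victim-corp.example (mx.victim-corp.example [203.0.113.10])
\tby inbox.victim-corp.example with ESMTP; Tue, 4 Mar 2025 09:14:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.victim-corp.example with ESMTP; Tue, 4 Mar 2025 09:14:01 -0500
Received: from unknown-host (unknown-host [192.0.2.55])
\tby relay.example.net with ESMTP; Tue, 4 Mar 2025 09:13:58 -0500
Authentication-Results: mx.victim-corp.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=lawfirm.example
From: "Closing Department" <closing@lawfirm.example>
Reply-To: closing.dept@lawfirm-escrow.example
To: jennifer@victim-corp.example
Subject: Updated wiring instructions for closing

Please use the attached wiring instructions.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def address_domain(value):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def sender_domains(msg):
    """The three addresses the article says to compare with each other."""
    return {
        "From": address_domain(msg["From"]),
        "Reply-To": address_domain(msg["Reply-To"]),
        "Return-Path": address_domain(msg["Return-Path"]),
    }


def received_chain(msg):
    """Hops in travel order. Each server prepends its Received header, so the
    bottom one was added first, by the server closest to the origin; the
    library returns them top-to-bottom, so we reverse."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_FROM.match(str(header))
        hops.append(match.group(1) if match else "?")
    return hops


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, if present."""
    return dict(AUTH_RESULT.findall(str(msg.get("Authentication-Results", ""))))


def triage(raw):
    """Run the checks from the article and return a structured report."""
    msg = message_from_string(raw, policy=policy.default)
    domains = sender_domains(msg)
    findings = []
    if domains["Reply-To"] and domains["Reply-To"] != domains["From"]:
        findings.append("reply-to-mismatch")  # a reply would leave the claimed domain
    if domains["Return-Path"] and domains["Return-Path"] != domains["From"]:
        findings.append("return-path-mismatch")
    results = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check, "none") != "pass":
            findings.append(f"{check}-not-pass")
    return {"domains": domains, "hops": received_chain(msg),
            "auth": results, "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    for key, value in report.items():
        print(f"{key:9}: {value}")
```

Run against the constructed message, the report shows all three sender domains pointing somewhere different, the chain starting at an unnamed host rather than at the law firm's mail server, and every authentication check failing. Real mail from a bulk-sending service often has a Return-Path on the service's domain, so that single mismatch is a prompt to look closer rather than proof of fraud; the combination is what matters.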
Spam and Legitimate Email
Most email never reaches your inbox. Email servers filter billions of messages daily, blocking spam, phishing, and malware.
How filtering works:
Servers check the sender's reputation. Has this server sent spam before? Is the domain new? They analyze the content for suspicious patterns: urgency phrases, financial requests, known malicious links. They check whether the sender passes authentication.
Messages that fail these checks go to spam or get blocked entirely.
The filtering problem:
Filters aren't perfect. Legitimate emails sometimes land in spam. And sophisticated attacks can pass all checks.
Attackers with lookalike domains (arnazon.com instead of amazon.com) can set up proper authentication. Their emails pass technical checks because they really did come from the domain they claim. The filter can't know that domain is malicious.
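The lookalike problem can be partly addressed on the receiving side, separately from the authentication checks. This added example (mine, not the article's or any filter vendor's code) checks a From domain against a constructed list of domains the organisation trusts: it folds confusable character sequences such as "rn" for "m", scores Levenshtein edit distance, and also catches the affix trick where a trusted name is embedded in a longer domain, which goes a little beyond the article's arnazon.com case. The trusted-domain list, the confusable table and the distance threshold are all assumptions.

```python
"""Lookalike-domain check for a From domain, the kind of test a filter can
add on top of SPF/DKIM/DMARC. Added example; the trusted list and the
confusable table are assumptions, not the article's or any vendor's."""
import unicodedata

# Constructed list of domains this organisation actually deals with.
TRUSTED_DOMAINS = ["amazon.com", "lawfirm.example", "victim-corp.example"]

# Character sequences that render almost identically in common fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain):
    """Fold a domain to a skeleton so visually similar spellings collide:
    case, accented or non-Latin letters, and the confusable pairs above."""
    skeleton = unicodedata.normalize("NFKD", domain.lower())
    skeleton = skeleton.encode("ascii", "ignore").decode()
    for seq, repl in CONFUSABLES.items():
        skeleton = skeleton.replace(seq, repl)
    return skeleton


def edit_distance(a, b):
    """Levenshtein distance with a rolling row, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_score(domain, trusted_domain, max_distance):
    """Lower is more suspicious; None means no resemblance found."""
    skeleton, target = normalize(domain), normalize(trusted_domain)
    dist = edit_distance(skeleton, target)
    if dist <= max_distance:
        return dist
    # Affix trick: the trusted brand label embedded in a longer name, e.g.
    # lawfirm-escrow.example impersonating lawfirm.example.
    label = target.split(".")[0]
    if len(label) >= 5 and label in skeleton:
        return max_distance
    return None


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', d), ('lookalike', d) or ('unknown', None)."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted", domain
    scored = [(lookalike_score(domain, t, max_distance), t) for t in trusted]
    scored = [s for s in scored if s[0] is not None]
    if scored:
        return "lookalike", min(scored)[1]
    return "unknown", None


if __name__ == "__main__":
    for sample in ["amazon.com", "arnazon.com", "lawfirm-escrow.example",
                   "unrelated-vendor.example"]:
        print(f"{sample:28} -> {classify_domain(sample)}")
```

A "lookalike" verdict here is independent of whether the message passed SPF, DKIM or DMARC: those checks only establish that the mail really came from the domain in the From line, not that the domain deserves trust. Real filters combine a test like this with domain registration age and sender reputation, and the threshold needs tuning, since a distance of 2 on short domains will produce false positives.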
Abuse reporting:
When fraudulent emails get through, reporting them helps. Most email providers have "Report phishing" or "Report spam" buttons. This trains filters and can get malicious domains blocked.
Organizations can also report email abuse to hosting providers. Most legitimate hosts will take down infrastructure used for fraud once notified.
Why This Matters for Fraud
Most fraud starts with email. Wire fraud, account takeover, credential theft, invoice scams. Understanding that email can be faked, and knowing where to look for the truth, is the foundation of investigating these attacks.
When someone forwards you a suspicious email asking "is this real?", you now know:
- The From address proves nothing
- Check Reply-To for mismatches
- Headers show the real origin
- Authentication results reveal whether it passed security checks
The next article covers those authentication checks in detail.
Key Takeaways
- Email was designed without security. SMTP dates to 1982 and trusts senders to identify themselves honestly. That hasn't changed.
- Anyone can fake the From address. No technical skill required. Just type whatever address you want.
- Headers reveal the truth. Hidden metadata shows where an email really came from. Every email program can display them.
- Reply-To redirects your response. An email appearing to be from your CEO can route your reply to an attacker.
- Filters help but aren't perfect. Spam filtering blocks most junk, but sophisticated attacks with proper authentication can get through.
What's next: Email Authentication explains SPF, DKIM, and DMARC, the security checks that try to verify senders, and why they don't catch everything.
Key Terms
SMTP: Simple Mail Transfer Protocol. The system that sends email between servers, designed in 1982.
Headers: Hidden metadata in every email showing its origin, path, and authentication status.
From: The displayed sender address. Can be set to anything by the sender.
Reply-To: Where replies go. Can differ from the From address.
Return-Path: Where bounced messages go. Can differ from the From address.
Received: Headers added by each server that handled the email. Read bottom-to-top to trace the path.
Spam filtering: Automated systems that block unwanted or malicious email based on reputation, content, and authentication.
Generated with AI assistance. Reviewed by humans for accuracy.