Frank Langfitt, writing for National Public Radio, shares a harrowing tale of the challenges faced by Chinese dissident Gao Zhi. After befriending celebrity dissident Wang Jingyu, things started to go sideways, with threats, tips to the police, and emails from Dutch immigration authorities.
How much of it was real? While investigating the story, NPR was quick to notice the lack of email headers in any shared email examples. Were those emails in question actually from the Dutch authorities?
It turns out that … no, those email messages were not legitimate. Somebody (quite possibly Wang Jingyu) was sending those emails from Protonmail, a privacy-focused inbox provider based in Switzerland promising full encryption and theoretically making it harder for governments to get access to mailbox contents.
But honestly, Protonmail wasn’t the problem here. The messages could have just as easily been sent from Yahoo or Gmail. The key here is that they were not sent by the Dutch immigration authorities, who would probably be sending emails from the domains government.nl or ind.nl, or some subdomain under one of those two domains.
But Gao Zhi “didn’t grasp the significance of domain names,” so even if he had the full email headers, would that have helped him? That got me thinking—how does the average person know what they’re looking at? How do they tell?
I’ll share how I check email messages for legitimacy, hoping it can help you learn how to check your email for yourself.
1. Know the domain (or learn it)
Let’s dive deep to help you learn as much as possible about how any email user can review an email they’ve received to help determine whether or not the message is legitimate (or at least to know enough to identify certain types of illegitimate messages).
I’m “going deep” with some of these recommendations. They may not all be easy or simple, but if you’re worried about being scammed, I’d recommend following as many of these steps as possible.
First, know the (likely) email domain of the sender. Is this always obvious? No, but a quick Google search can often give you some ideas. I’m not familiar with the Dutch immigration authorities, but I found their website here, and it stands to reason that there’s a good chance that they use ind.nl as an email domain. (And alternately, as I noted above, I see that the Dutch government has this website and domain, too.)
If you’re getting “official” emails from a freemail or webmail address – Yahoo, Gmail, Outlook, Protonmail, etc. – stop right there. A neighborhood ice cream shop might use a Gmail address, but government officials generally don’t. This can get tricky because there are many webmail/freemail providers out there, and you might not know all of them.
Be sure to check the website for the domain and search for information about it. It also can be useful to search to see if that domain is a “disposable” domain – a term email marketers use to denote mailboxes that are easy to get and not specifically tied to an individual long-term. Not all webmail domains will come up as “disposable” domains, but there are webmail (and other) domains that are categorized this way, and this is a red flag that it’s a domain not legitimately used for government business.
Next, look at the email headers. Gmail is best for this. Select “show original message,” and a new window opens. At the top, Google highlights a series of bits of message information. Look specifically for SPF, DKIM, and DMARC authentication results.
You can also use our free Valimail Domain Checker. You can use it to check your domain or the sending domain of the email you received.
2. Review authentication results in Gmail
Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) are all email authentication protocols, and the key here is that you want all of them to pass. If there is no reference to DKIM or DMARC, be concerned.
What you need to see here to have full confidence in legitimacy is DKIM passing authentication checks with a signing domain that matches (“aligns” with) the From domain; that alignment is what causes the DMARC check to pass. If you see a “fail” status for SPF, DKIM, or DMARC, be careful – there’s a strong chance that this email message is not legitimate.
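To make the SPF, DKIM and DMARC lines from Gmail’s “show original” view concrete, here is an added Python example (not code from the original post or from Valimail) that parses the Authentication-Results header of a raw message, pulls out the SPF, DKIM and DMARC verdicts, and checks whether the DKIM signing domain and the SPF envelope domain align with the From domain. The two raw messages, the receiving server name mx.example.com, the IP addresses and the signature values are all constructed for this example; the organizational-domain logic is simplified to the last two labels rather than the Public Suffix List a real DMARC implementation would use.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample 1: a raw message roughly as Gmail's "show original" renders it.
# Everything authenticates, but for protonmail.com, not for an immigration authority.
# All names, addresses, IPs and signature values are made up for this example.
SAMPLE_AUTHENTICATED_FREEMAIL = b"""\
Authentication-Results: mx.example.com;
       dkim=pass header.i=@protonmail.com header.s=protonmail header.b=AbCd1234;
       spf=pass (example.com: domain of sender@protonmail.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=sender@protonmail.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
From: "Immigration Office" <sender@protonmail.com>
To: recipient@example.com
Subject: Your residence permit decision

Please read the attached decision.
"""

# Constructed sample 2: a direct spoof of ind.nl that SPF, DKIM and DMARC all catch.
SAMPLE_SPOOFED_GOVERNMENT = b"""\
Authentication-Results: mx.example.com;
       dkim=none;
       spf=fail (example.com: domain of bounce@attacker.example does not designate 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@attacker.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ind.nl
From: IND <noreply@ind.nl>
To: recipient@example.com
Subject: Urgent: your file is incomplete

Reply immediately.
"""


def parse_auth_results(header_value):
    """Parse an RFC 8601 Authentication-Results value into {method: {result, props...}}."""
    cleaned = re.sub(r"\([^)]*\)", "", str(header_value))   # drop (comments)
    clauses = [c.strip() for c in cleaned.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:                                # clauses[0] is the authserv-id
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(domain):
    # Simplification: last two labels stand in for the organizational domain.
    # Real relaxed-alignment checks consult the Public Suffix List (think co.uk).
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the authentication picture a recipient should check before trusting a message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    ar = msg["Authentication-Results"]          # first such header; the receiving MTA's verdict
    results = parse_auth_results(ar) if ar else {}
    fd = from_domain(msg)
    spf, dkim, dmarc = (results.get(m, {}) for m in ("spf", "dkim", "dmarc"))

    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").split("@")[-1]
    dkim_aligned = dkim.get("result") == "pass" and bool(dkim_domain) \
        and org_domain(dkim_domain) == org_domain(fd)
    spf_domain = spf.get("smtp.mailfrom", "").split("@")[-1]
    spf_aligned = spf.get("result") == "pass" and bool(spf_domain) \
        and org_domain(spf_domain) == org_domain(fd)

    return {
        "from_domain": fd,
        "spf": spf.get("result", "none"),
        "dkim": dkim.get("result", "none"),
        "dmarc": dmarc.get("result", "none"),
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC passes when at least one aligned method passes.
        "authenticated": dmarc.get("result") == "pass" and (dkim_aligned or spf_aligned),
    }


if __name__ == "__main__":
    for label, raw in (("freemail", SAMPLE_AUTHENTICATED_FREEMAIL),
                       ("spoof", SAMPLE_SPOOFED_GOVERNMENT)):
        print(label, triage(raw))
```

The first message passes every check, because Protonmail signs its users’ mail correctly: authentication proves only that the message came from protonmail.com, which is exactly why step 1 (knowing which domain you expect) has to come first. The second message is the case the protocols are designed for, and all three verdicts say so.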
3. Be appropriately wary
Remember that you might not be in the clear even if everything passes. Could the account be legitimate, but somebody hacked into it and can send an authenticated email as that user? It happens. User accounts can get hacked into, and email accounts can get taken over. DMARC is a very important protection against phishing and spoofing, but it’s not the only necessary security measure a company or organization should take.
Or it could be a “lookalike” or “cousin” domain, where a bad guy registered a variation of the legitimate domain name, perhaps with a slightly different spelling. These can be fully authenticated, but it could be the bad guys doing the authenticating.
That’s why, when reviewing all of this information, even if everything passes muster, you’ll still be best off confirming the message’s contents through another means. If you’ve got a long history with this department or organization and enough email history to know that this latest email is legit, great! But if not, call and confirm.
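Steps 1 and 3 together come down to comparing the domain that actually authenticated against the domain you expected. As an added Python example (not code from the original post or from Valimail), the function below classifies a sender domain against a list of expected official domains: exact match, legitimate subdomain, freemail provider, or a lookalike (digit-for-letter swaps, a one-character typo, the expected name under a different TLD, or the expected domain used as a subdomain of something else). The expected domains follow the post’s guess of ind.nl and government.nl; the freemail list, the homoglyph table and the distance thresholds are assumptions chosen for illustration, and a real deployment would use much fuller lists.

```python
# Domains the recipient expects official mail from (from the post's reasoning about
# the Dutch immigration authorities; extend for your own correspondents).
EXPECTED_DOMAINS = {"ind.nl", "government.nl"}

# A handful of well-known freemail providers; a real list is far longer.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "protonmail.com", "proton.me"}

# Characters commonly substituted for visually similar ones in lookalike domains
# (assumed table for the example, not an exhaustive confusables list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Lower-case and fold common homoglyphs so g0vernment.nl compares equal to government.nl."""
    d = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Classic Levenshtein distance (insert/delete/substitute), dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, expected=EXPECTED_DOMAINS):
    """Return one of: expected, expected-subdomain, freemail, lookalike, unknown."""
    d = domain.lower().strip(".")
    if d in expected:
        return "expected"
    if any(d.endswith("." + e) for e in expected):
        return "expected-subdomain"          # e.g. mail.ind.nl
    if d in FREEMAIL_DOMAINS:
        return "freemail"                    # the Protonmail case from the post
    for e in expected:
        # Short names tolerate one edit, longer ones two (assumed thresholds).
        threshold = max(1, len(e) // 6)
        if edit_distance(normalize(d), normalize(e)) <= threshold:
            return "lookalike"               # g0vernment.nl, goverment.nl
        if d.startswith(e + "."):
            return "lookalike"               # ind.nl.example.com
        if d.split(".")[:-1] == e.split(".")[:-1]:
            return "lookalike"               # ind.com instead of ind.nl
    return "unknown"


if __name__ == "__main__":
    for candidate in ("ind.nl", "mail.ind.nl", "protonmail.com",
                      "g0vernment.nl", "ind.com", "ind.nl.example.com", "example.org"):
        print(f"{candidate:25} -> {classify_sender_domain(candidate)}")
```

Anything other than “expected” or “expected-subdomain” is a reason to confirm by phone before acting; a “lookalike” result in particular can carry perfectly valid SPF, DKIM and DMARC results, because the person who registered the lookalike domain also set up its authentication.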
Remember that if something is too good to be true, it probably is.
Protect your own domains
While these tips are useful, stronger protection against phishing is needed. If you’re sending a significant amount of email, implement DMARC to ensure that those messages are legitimate and authorized. At the same time, protect your email domain from phishing and spoofing.
The first step in locking down your domain from unauthorized use is getting visibility into who’s sending on your domain. However, with a long list of IP addresses, it can take forever to find bad actors. When you sign up for Valimail Monitor, you can instantly see a list of good and bad senders using your domain.
Thousands of companies trust Valimail Monitor, and the best part is that it’s a completely free solution. Don’t wait until someone uses your domain to send phish. Get free visibility today.
Al Iverson, Industry Research and Community Engagement Lead at Valimail