The short answer is no, SPF by itself does not protect against display name spoofing. While it's a critical part of email authentication, its scope is limited and doesn't cover the part of an email that attackers manipulate for this type of scam.
To understand why, we need to look at how email headers work. Every email has two important "from" addresses. There's the visible "Header From" address, which is what you see in your email client (for example, "John Smith <john.smith@example.com>"). Then there's the hidden "Envelope From" (also known as the MailFrom or Return-Path address), which is used by mail servers to handle bounces. SPF only validates the domain in the "Envelope From" address. It never even looks at the display name or the "Header From" address.
This means an attacker can send an email from their own domain, which has a perfectly valid SPF record, while putting your CEO's name in the display name field. The email will pass the SPF check, but the recipient will see a familiar name and might be tricked into thinking it's a legitimate request.
What is display name spoofing?
Display name spoofing is a common phishing technique where an attacker forges the sender's name to impersonate someone the recipient knows and trusts, like a colleague, a boss, or a well-known brand. The goal is to trick the recipient into taking an action, such as wiring money, sharing sensitive information, or clicking a malicious link.
This attack vector is particularly dangerous because many people, especially on mobile devices, only see the display name and not the underlying email address. It's a simple, yet highly effective, form of social engineering.
How to protect against display name spoofing
If SPF isn't the solution, what is? The answer lies in combining SPF with its partners in email authentication: DKIM and, most importantly, DMARC.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the key. It builds on SPF and DKIM by adding a crucial step: alignment. DMARC checks to see if the domain in the visible "Header From" address matches the domain authenticated by SPF or DKIM. If they don't align, the email fails the DMARC check.
With a DMARC policy set to quarantine or reject, you can instruct receiving mail servers to either junk or block emails that fail this alignment check. This effectively stops attackers from using your domain in the "Header From" field, which is a huge step in preventing display name spoofing that impersonates your organization.
A layered security approach
Ultimately, protecting your organization from spoofing requires a multi-layered strategy. Relying on a single technology is not enough. Here's what I recommend:
- Implement SPF: Start by creating an SPF record to list all authorized IP addresses that can send email on your behalf. This is the foundation.
- Set up DKIM: Use DomainKeys Identified Mail to add a cryptographic signature to your emails, verifying that the content hasn't been altered in transit.
- Deploy DMARC: This is the most critical step. Start with a monitoring policy (p=none), and then gradually move to an enforcement policy like p=quarantine or p=reject. This enforces the rules and stops spoofing.
- Educate your users: Security awareness training is vital. Teach employees to be skeptical of unexpected requests and to always verify the sender's full email address, not just the display name.
While SPF is an essential email security protocol, it cannot prevent display name spoofing on its own. It's the powerful combination of SPF, DKIM, and an enforced DMARC policy that provides robust protection against this deceptive and dangerous type of phishing attack.
