An email message is very similar to a physical letter that you would send in the mail. There is an envelope, with To/From information, and there is the actual letter on the inside, with its own To/From information. The envelope To/From information is the real information that is used for message delivery, for both email servers and post offices.
When an envelope comes into a post office, the workers inspect the To address on the envelope and send it to the correct destination. The post office workers have no knowledge of the letter inside the envelope. The letter inside could have completely different To/From information than the envelope says. The envelope could say the message is to Bob, but the letter inside may say it's for Alice. Or, in the real world: the envelope could say the message is to SomeCompanyName, and when the secretary opens the envelope, the letter inside says it is for Mr. Brown, who works at SomeCompanyName.
The same is true for emails. The envelope To/From is the most important information when delivering a message. If the envelope says the message is to firstname.lastname@example.org and email@example.com, then the message is sent to both, regardless of what the letter inside (the message header) says the message is To:.
It is very easy to write a fake/forged address in the mail from command of the SMTP communication (in the email envelope).
It is very easy to write a fake/forged address in the From: email header.
Both the envelope sender and the email header sender can be faked.
The sender's email address in the email header From: can be different from the envelope's mail from.
```
telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mailserver.secar.cz ESMTP
ehlo fakemailserver.com  # The email envelope starts here
250-mailserver.secar.cz
mail from: <FakeEnvelopeSender@fakedomain.com>  # Fake envelope sender
250 2.1.0 Ok
rcpt to: <firstname.lastname@example.org>  # Real recipient in mail routing
250 2.1.5 Ok
data  # The email envelope ends here and the email header starts
354 End data with <CR><LF>.<CR><LF>
From: "Fake Sender" <FakeHeaderSender@fakedomain.com>  # Fake email header sender
To: "Real Recipient Name" <email@example.com>  # Email header recipient (what you see in your email client)
Subject: test fake sender message  # Email header subject

This is test meassage  # After one empty line the email header ends and the email body starts
.
250 2.0.0 Ok: queued as 44DxhQ58Jgz6tvJ
quit  # We end the SMTP communication with the recipient mail server
221 2.0.0 Bye
Connection closed by foreign host.  # The TCP connection is closed
```
And what you see in your email client:
And here is the raw email message:
```
Return-Path: <FakeEnvelopeSender@fakedomain.com>
Delivered-To: <firstname.lastname@example.org>
Received: from fakemailserver.com (localhost [127.0.0.1])
    by mailserver.secar.cz (mail_locahost) with ESMTP id 44DxhQ58Jgz6tvJ
    for <email@example.com>; Wed, 6 Mar 2019 15:57:51 +0100 (CET)
From: "Fake Sender" <FakeHeaderSender@fakedomain.com>
To: "Real Recipient Name" <firstname.lastname@example.org>
Subject: test fake sender message
Message-Id: <44DxhQ58Jgz6tvJ@mailserver.secar.cz>
Date: Wed, 6 Mar 2019 15:57:51 +0100 (CET)

This is test meassage
```
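As an added example (not part of the original article), the Python sketch below reads the envelope addresses that the receiving server recorded in Return-Path and Delivered-To and compares them with the header From:/To: addresses. It uses the raw message above (abridged) and one constructed sample; the function names and the second message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Raw message from the page, abridged to the headers that matter here.
RAW_FROM_PAGE = """\
Return-Path: <FakeEnvelopeSender@fakedomain.com>
Delivered-To: <firstname.lastname@example.org>
From: "Fake Sender" <FakeHeaderSender@fakedomain.com>
To: "Real Recipient Name" <firstname.lastname@example.org>
Subject: test fake sender message

This is test meassage
"""

# Constructed sample: the envelope delivers to Bob, the letter says Alice.
RAW_CONSTRUCTED = """\
Return-Path: <news@example.com>
Delivered-To: <bob@example.org>
From: "Newsletter" <news@example.com>
To: "Alice" <alice@example.org>
Subject: constructed sample

Hello
"""

def _addr(msg, name):
    """Lower-cased first address of a header, or '' if the header is absent."""
    return parseaddr(msg.get(name, ""))[1].lower()

def compare_envelope_and_header(raw):
    """Compare envelope addresses (Return-Path, Delivered-To, as written by
    the receiving server) with the header From:/To: addresses."""
    msg = message_from_string(raw)
    env_from, hdr_from = _addr(msg, "Return-Path"), _addr(msg, "From")
    env_to, hdr_to = _addr(msg, "Delivered-To"), _addr(msg, "To")
    return {
        "envelope_from": env_from,
        "header_from": hdr_from,
        "sender_differs": env_from != hdr_from,
        # Domain-only comparison: misses a mismatch inside the same domain.
        "sender_domain_differs":
            env_from.rpartition("@")[2] != hdr_from.rpartition("@")[2],
        "recipient_differs": env_to != hdr_to,
    }

if __name__ == "__main__":
    for raw in (RAW_FROM_PAGE, RAW_CONSTRUCTED):
        print(compare_envelope_and_header(raw))
```

For the page's message the two sender addresses differ while their domains match, so a domain-only comparison would not notice the difference; a differing recipient, as in the constructed sample, also occurs in normal mail and only shows that the header is not what routed the message.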