I'd never really given it much thought. All I knew was that in under a minute, I could get into an email client and make a new email account with the Header Sender Address, "email@example.com" and the Sender ID, "Microsoft Security." But the more I think about it, the more outrageous it seems that this is possible. One solution would be to simply introduce a standard in email clients where the user's username domain has to also be the Header Sender Address domain, and I cannot believe that isn't the case currently. However, today I came across SPF, Sender Policy Framework, in particular 'OpenSPF', designed to detect someone spoofing.
If this technology exists, then why don't Microsoft and banks use it?
Edited by chris155au, 12 January 2017 - 12:31 AM.