
CISA issues alert on email header syntax enabling sender spoofing bypassing authentication protocols

Email authentication protocols including Sender Policy Framework (SPF), DKIM, and DMARC can be bypassed through crafted email header syntax, allowing attackers to send spoofed messages that appear to originate from legitimate sources.

These vulnerabilities, for which Common Vulnerabilities and Exposures (CVE) identifiers have not yet been assigned, affect email systems that follow standards such as RFC 5321 for Simple Mail Transfer Protocol (SMTP) and RFC 5322 (updated by RFC 6854) for Internet Message Format. Attackers exploit the ability to place multiple addresses in the From: header field using specialized syntax, sometimes combining quotation marks and angle-address notation. This allows the displayed sender address to differ from the actual originator, bypassing authentication checks. The use of a null sender (“”) as per RFC 5321 Section 4.5 further complicates sender validation. For example, a user at [email protected] can send an email where the From: header is formatted as [email protected]:[email protected], resulting in [email protected] appearing as the sender. These tactics exploit how some email clients parse headers, potentially deceiving recipients.

The consequence is the impersonation of trusted senders, which undermines domain owner-enforced DMARC policies and bypasses sender verification mechanisms. Research confirms multiple email service providers are affected by these header spoofing techniques.

To address these vulnerabilities, email service providers are advised to rigorously verify the headers of authenticated outgoing mail before signing or relaying messages. The Milterfrom tool, as of version 1.0.4, includes updates aimed at improving verification of authenticated senders in milter-compliant servers. End users are encouraged to inspect original email headers, specifically the From: and Sender: fields, to confirm sender identity before interacting with content that could pose security risks.
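The following is an added example of the kind of check a relaying or signing service (and a curious end user) can run on the From: and Sender: headers described above; it is not code from the advisory, from CISA/CERT, or from the Milterfrom project. It relies only on Python's standard library `email.utils.getaddresses` parser, and it flags the ambiguous forms the advisory names (more than one mailbox in From:, address-like text hidden in a quoted display name, a header the parser cannot resolve to one mailbox) rather than trying to decide which address is "real". The header values below are constructed samples, and the finding codes are this example's own naming.

```python
"""Defensive From:/Sender: header checks for the ambiguity described in the advisory.

Added example (not advisory or project code). Standard library only.
Finding codes (this example's own convention):
  rejected        - parser returned no usable mailbox (malformed or ambiguous)
  multiple        - more than one mailbox parsed from From:
  extra_addr      - address-like text in the raw From: that is not a parsed mailbox
                    (e.g. hidden inside a quoted display name)
  sender_mismatch - Sender: domain differs from every From: domain (informational)
"""
import re
from email.utils import getaddresses, parseaddr

# Anything shaped like local@domain, wherever it sits in the raw header text.
# Quotes, angle brackets, separators and parentheses end a token so that
# '"a@b" <c@d>' yields both a@b and c@d for comparison with the parsed result.
ADDR_LIKE = re.compile(r'[^\s"<>,:;()]+@[^\s"<>,:;()]+')


def check_from_header(from_value, sender_value=None):
    """Return a list of (code, detail) findings for one raw From: value.

    An empty list means the header parsed to exactly one mailbox and nothing
    else in it looks like an address. Works with both the lenient parser of
    older Pythons and the strict parser of newer ones: the strict parser
    returns [('', '')] for a header such as 'a@x:b@y', which is reported
    here as 'rejected', while the lenient parser yields two mailboxes, which
    is reported as 'multiple'. Either way the header is flagged.
    """
    findings = []
    mailboxes = [(name, addr) for name, addr in getaddresses([from_value]) if addr]

    if not mailboxes:
        findings.append(("rejected", from_value))
        return findings

    if len(mailboxes) > 1:
        findings.append(("multiple", [addr for _, addr in mailboxes]))

    # Any address-shaped text that is not one of the parsed mailboxes is a
    # candidate for being what a less careful client would display instead.
    parsed_addrs = {addr.lower() for _, addr in mailboxes}
    for candidate in ADDR_LIKE.findall(from_value):
        if candidate.lower() not in parsed_addrs:
            findings.append(("extra_addr", candidate))

    # Sender: legitimately differs from From: for lists and delegated mail,
    # so this is reported for inspection rather than as proof of spoofing.
    if sender_value:
        _, sender_addr = parseaddr(sender_value)
        from_domains = {addr.rpartition("@")[2].lower() for _, addr in mailboxes}
        if sender_addr and sender_addr.rpartition("@")[2].lower() not in from_domains:
            findings.append(("sender_mismatch", sender_addr))

    return findings


if __name__ == "__main__":
    # Constructed sample header values, not taken from the advisory.
    samples = [
        ("Alice <alice@example.com>", None),
        ('"ceo@trusted.example" <attacker@untrusted.example>', None),
        ("alice@example.com, bob@example.org", None),
        ("alice@example.com:bob@example.net", None),
        ("Alice <alice@example.com>", "mailer@other.example"),
    ]
    for from_value, sender_value in samples:
        print(repr(from_value), "->", check_from_header(from_value, sender_value))
```

A milter or outbound gateway would run this before DKIM-signing and refuse or quarantine any message with a non-empty result; a mail client could surface the parsed mailbox list next to the display name so a reader sees every address the header carries, not just the one the client chose to render.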

The advisory credits Hao Wang and Caleb Sargent from PayPal for reporting the issues and was authored by Vijay Sarvepalli and Renae Metcalf.