How to prevent your email identity from being stolen?

Today, email is still our preferred means of communication on a professional or personal level, and it also represents our digital identity for creating application accounts, among other things. It's available on our smartphone or computer, and sometimes takes just a few seconds to write.
Spam and phishing attacks make up 55% of global e-mail traffic, out of the hundreds of billions of e-mails exchanged every day. These attacks have risen sharply since the Covid-19 pandemic in 2020, and are increasingly targeted.
At the top of the list are:
- BEC (Business Email Compromise),
- and EAC (Email Account Compromise).
The former is an e-mail sent by someone impersonating you without access to your mailbox; the latter is an e-mail sent by someone who has stolen access to your mailbox. These attacks are extremely costly for victims (losses of more than 1.8 billion dollars in 2020) and very easy to carry out in today's wide-open environment.
Why and how can this happen? With email, we think our correspondence is protected, especially with anti-spam software. To connect to your inbox, you need a password. That sounds more secure than paper correspondence, where you can simply change the sender's address to impersonate him or her. But what if it were just as easy with your e-mails?
Protect access to your e-mails
A password isn't enough: it may have leaked or been guessed. To secure access to your e-mails, we strongly recommend that you implement double authentication or MFA (Multi-Factor Authentication).
What is MFA?
Multi-factor authentication is a more secure method of identification: instead of typing just your password to access your e-mail inbox, you also need to provide a second authentication factor, such as a code received by SMS, a push notification or a fingerprint. The two factors must come from different categories among the famous "what I know", "what I have" and "what I am".
With this method, if a hacker has managed to steal your mailbox password, he will normally be blocked by the second authentication factor and will not be able to access your mailbox.
MFA prevents 99% of mailbox access compromises.
Protect your identity
Now that access to your inbox is protected, it's vital to protect your identity, your e-mail domain.
This is made possible by computer protocols with obscure acronyms: SPF, DKIM, DMARC and BIMI. So let's take a few lines to break them down and make them easier to understand.
The SPF, DKIM and DMARC protocols
To simplify understanding, we'll use the analogy of postal mail. When you send a business letter, how can the executive assistant who receives and filters the mail make sure it's really from you?
It's a Tuesday morning, and you have the day's mail on your desk, opened and removed from its envelope. How can you guarantee the authenticity of the sender?
First of all, the post office stamp on the envelope indicates an office in Marseille, which is a first clue as to its provenance. Does this sender usually send mail from this city? For e-mail, this postmark corresponds to SPF (Sender Policy Framework): a public list, published by the sender's domain, of the IP addresses authorized to send e-mail on its behalf. The sender must have declared this list in advance.
Then, to verify the authenticity of the sender of this mail, you check the signature. Think of the wax seals used in the Middle Ages: each person had a different seal, which closed the letter and proved the identity of the sender, as well as the integrity of the message if you were the one opening it. For e-mail, this seal or signature corresponds to DKIM (DomainKeys Identified Mail), an electronic signature invisible to the recipient but checked by the mail software. On its own it is not intended to guarantee that the sender is who they claim to be in the e-mail: it is a technical signature.
The executive assistant has checked the signature and the provenance indicated on the envelope to make sure the mail appears legitimate. He opens it and hands you only the contents. If he also takes the time to check that the sender's information on the envelope matches the one on the letter itself, that is what the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol does for e-mail.
These three protocols are security add-ons that work together; they must be added to your domains and are not configured by default. Without them, you may encounter deliverability problems and have no protection against spoofing of your own e-mails. When e-mail was invented in 1971 by Ray Tomlinson, none of these protocols existed. We had to wait until 2004 for the first of them, and 2012 for DMARC, to see them appear. These protocols are therefore rules checked by anti-spam software to judge the legitimacy of e-mails sent on your behalf.
It's time to take responsibility for configuring them to protect yourself and the rest of the world when using your domain.
How to protect your identity with DMARC?
DMARC verifies that the SPF and DKIM checks have passed, and that the envelope information seen by the mailbox matches the sender shown in the mail content (the visible From address).
Fine, but what do you do once you have this information? How do you configure it?
Implementing a DMARC policy on your e-mail domain helps protect you against identity theft. The policy tells the recipient's anti-spam software how to treat an e-mail that fails one of the previous checks (SPF and DKIM).
If your recipient receives an e-mail:
- Whose IP address is not listed among the IPs authorized to send emails on your behalf (SPF)
- Whose digital signature is missing or does not match yours (DKIM)
Then you can decide (in DMARC) to tell this recipient's inbox to:
- Do nothing
- Or place the e-mail in quarantine/spam
- Or reject/delete the non-compliant email.
To use the postal mail analogy again: a letter with a French government logo, mailed from a post office in Switzerland, with a valid signature from Monsieur Dupont, whose letter states … You know how to judge whether such mail is legitimate, and can refuse or discard it immediately. Well, SPF, DKIM and DMARC need to be implemented to help you make these judgments.
How do you know if your identity has been stolen?
So it's a good idea to help your recipients when they receive a potentially fraudulent email by giving them the elements to judge your authenticity. But how can you tell if your identity has been stolen?
A second effect of DMARC implementation on your e-mail domain is the ability to ask recipients' anti-spam software to let you know when an e-mail in your name has been received, with SPF and DKIM pass/fail indications in the form of reports. They give you the visibility to act quickly in the event of identity theft, and to check that everything is in compliance for authorized traffic. So it's important to collect, save and consult your DMARC reports.
Products exist to retrieve these DMARC reports rather than tracking them by hand, since you'll be receiving a lot of them, and they're XML files that are difficult to analyze.
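An added example, not from the original article: a Python script that parses a constructed (and shortened) DMARC aggregate report in the XML format that recipients send to the rua address, and lists, per source IP, how many messages passed and which sources sent mail in your name without passing SPF or DKIM.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (rua) report, shortened to two records; not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Aggregate per source IP: message count, how many passed DMARC (aligned DKIM or SPF),
    and what the receiver did. Returns (domain, {ip: summary dict})."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    by_ip = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        entry = by_ip.setdefault(ip, {"count": 0, "passed": 0, "disposition": ev.findtext("disposition"),
                                      "dkim": dkim, "spf": spf})
        entry["count"] += count
        # In policy_evaluated, dkim/spf are the aligned DMARC results, so one pass is a DMARC pass.
        if dkim == "pass" or spf == "pass":
            entry["passed"] += count
    return domain, by_ip


def suspicious_sources(xml_text):
    """IPs that sent mail in the domain's name without any passing check: either spoofing
    or a legitimate sender you forgot to declare in SPF/DKIM. Both deserve a look."""
    _, by_ip = summarize_report(xml_text)
    return sorted(ip for ip, entry in by_ip.items() if entry["passed"] == 0)
```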
What to do in the event of email identity theft?
In the event of an EAC attack, where access to your e-mail account has been compromised to send e-mails in your name:
- Change your password
- Activate double authentication (MFA)
- Find out how this was done
- Communicate to potential victims: "We're working to remedy the problem and improve the security of our domains and accesses to protect our identity".
In the event of a BEC-type attack, your identity has been usurped: someone has sent an e-mail in the name of your domain without access to your mailbox. React quickly with a few best practices:
- Deploy the three protocols SPF, DKIM and DMARC in your domains' DNS.
- Determine the means by which this is being done
- Send a message to potential victims: "Please note that you have recently received e-mails under our identity. We are working to remedy the situation and improve the security of our domains in order to protect our identity".
- Depending on the case, report the IP addresses used so that everyone can treat them as malicious.
In conclusion
To sum up, there are safeguards in place, but it's up to you, the domain owner, to put them in place as soon as possible to guarantee the protection and reputation of your identity.
If a reputation is lost, it takes time to rebuild. So there is no instant miracle remedy in the face of a compromise: you have to work upstream, preparing yourself to counter any attempt.
Article translated from French