
How can you prevent your email identity being stolen?

By Michael Carletto

Published: 9 May 2025

These days, email is still our preferred means of communication, whether professional or personal, and it also represents our digital identity for creating application accounts, among other things. It is available on our smartphone or computer and sometimes takes just a few seconds to write.

Spam and phishing make up 55% of global email traffic, which runs to hundreds of billions of emails every day. These attacks have increased sharply since the Covid-19 pandemic in 2020 and are increasingly targeted.

At the top of the list are:

  • BEC (Business Email Compromise),
  • and EAC (Email Account Compromise).

The first is an email sent by someone impersonating you without having access to your mailbox; the second is an email sent from your mailbox by someone who has stolen access to it. These attacks are extremely costly for the victims (losses of over 1.8 billion dollars in 2020) and very easy to carry out in today's overly open environment.

Why and how can this happen? With email, we assume that our correspondence is protected, especially with anti-spam software. To connect to your inbox, you need a password. This seems more secure to you than paper correspondence, where all anyone has to do to impersonate you is change the sender's address on the envelope. But what if it were just as easy with your emails?

Protect access to your emails

A password is not enough: it may have leaked or been guessed. To secure access to your emails, we strongly recommend that you set up two-step authentication, or MFA (Multi-Factor Authentication).

What is MFA?

Multi-factor authentication is a more secure method of identification because, instead of just typing your password to access your email inbox, you also have to supply a second authentication factor: a code received by SMS, a push notification or even a fingerprint. The two factors must come from different categories, the well-known "what I know", "what I have" and "what I am".

With this method, if a hacker has managed to steal the password to your email inbox, he will normally be blocked by the second authentication factor and will not be able to access your inbox.

MFA blocks 99% of attempts to compromise access to email boxes.

Protect your identity

Now that access to your inbox is protected, it is essential to protect your identity, your email domain.

This is made possible by protocols with jargon-laden acronyms: SPF, DKIM, DMARC and BIMI. So we're going to take a few lines to break them down and make them easier to understand.

The SPF, DKIM and DMARC protocols

To simplify our understanding, let's use the analogy of postal mail. When you send a business letter, how can the executive assistant who receives and filters the letter be sure that it's really from you?

It's a Tuesday morning and you have the day's mail on your desk, opened and removed from its envelope. How can you guarantee the authenticity of the sender?

First of all, the post office stamp on the envelope indicates an office in Marseille, which is the first clue as to its origin. Does this sender usually send mail from this city? For email, this stamp corresponds to SPF (Sender Policy Framework), a public list of the sender IP addresses authorised to send emails on behalf of a domain. The owner of the domain has to publish this list themselves.

Then, to verify the authenticity of the sender of this letter, you check the signature. Think of the wax seals used in the Middle Ages: each person had a different seal that closed the letter and proved the identity of the sender, as well as the integrity of the message if you were the one opening it. For email, this seal corresponds to DKIM (DomainKeys Identified Mail), an electronic signature that is invisible to the recipient but visible to the messaging software. Its purpose is to prove which domain signed the message and that the message has not been altered in transit, not to guarantee that the human sender is who he claims to be in the email. This signature is technical.

The executive assistant has checked the envelope, the signature and the origin to make sure the mail appears legitimate. He opens it and gives you only the contents. If he takes the time to check that the sender information on the envelope matches the sender named in the letter itself, that is what the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol does for email.

These three protocols are security add-ons that work together, must be added to your domains, and are not configured by default. Without them, you may run into deliverability problems and you have no defence against the spoofing of your own emails. None of these protocols existed when Ray Tomlinson invented email in 1971. We had to wait until 2004 for the first of them to appear, and until 2012 for DMARC. These protocols are therefore rules that anti-spam software checks in order to judge the legitimacy of emails sent in your name.

You urgently need to take responsibility for configuring them to protect yourself and the rest of the world when using your domain.

How do you protect your identity with DMARC?

DMARC allows you to check that the SPF and DKIM tests have been passed and that the sender on the envelope, as seen by the mailbox, corresponds to the sender listed in the content of the mail.

Fine, but what do you do once you have this information? How do you configure it?

By publishing a DMARC policy on your email domain, you can protect yourself against impersonation. The policy tells the recipient's anti-spam software how to categorise an email that does not comply with one of the previous protocols (SPF and DKIM).

If your recipient receives an email:

  • Whose IP address is not listed among the IPs authorised to send emails for you (SPF)
  • Whose digital signature is missing or does not match yours (DKIM)

Then you can decide (in DMARC) to tell this recipient's inbox to:

  • Do nothing
  • Or place the email in quarantine/spam
  • Or reject/delete the non-compliant email.

To use the postal mail analogy again, take a letter with a French Government logo, posted from a post office in Switzerland, with a valid signature from Monsieur Dupont, whose letter states … You know how to judge whether or not this mail is legitimate and whether to refuse it or throw it out immediately. Well, SPF, DKIM and DMARC need to be implemented to help you make the same judgements about emails.
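The following is an added example, not code from the article, showing in Python the two checks described above: the SPF "stamp" check against a domain's published list of sender IPs, and the DMARC decision (alignment of the envelope sender or DKIM signing domain with the From header, then the published policy). It simplifies on purpose: the SPF check only understands `ip4:`/`ip6:` terms and the trailing `all` qualifier (no `include:`, `a` or `mx` lookups), the organizational domain is approximated as the last two labels instead of using the Public Suffix List, and every domain, IP address and DNS record is constructed. One point the code makes explicit that the prose leaves implicit: DMARC passes as soon as either SPF or DKIM passes *and* is aligned with the From domain, so a message that passes SPF for an attacker's own envelope domain still fails DMARC.

```python
"""Added example (not from the article): simplified SPF check plus the DMARC
alignment and policy decision. All records, domains and IPs are constructed."""
import ipaddress

# Constructed SPF records, keyed by the envelope-sender (MAIL FROM) domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Constructed DMARC record published at _dmarc.example.com.
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against an SPF record (ip4/ip6/all terms only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # Mixed IPv4/IPv6 comparisons simply return False here.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # include:, a, mx, ... need DNS lookups and are skipped in this simplification.
    return "neutral"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels; real implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs equality; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(dmarc_record, policy_domain, header_from, spf_result,
                   envelope_from_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) as a receiving mailbox would decide it."""
    tags = parse_dmarc(dmarc_record)
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    spf_ok = spf_result == "pass" and aligned(envelope_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"                # one aligned mechanism is enough
    policy = tags.get("p", "none")
    if from_domain != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]                  # subdomain policy applies to sub.example.com
    return "fail", policy


def decide(sender_ip, header_from, envelope_from_domain, dkim_result, dkim_domain):
    """SPF lookup on the envelope domain's (constructed) record, then the DMARC decision."""
    spf = check_spf(SPF_RECORDS.get(envelope_from_domain, "v=spf1 -all"), sender_ip)
    result, disposition = evaluate_dmarc(DMARC_RECORD, "example.com", header_from, spf,
                                         envelope_from_domain, dkim_result, dkim_domain)
    return spf, result, disposition


if __name__ == "__main__":
    cases = [
        ("legitimate server, DKIM signed", "192.0.2.25", "alice@example.com", "example.com", "pass", "example.com"),
        ("unknown IP claims example.com", "203.0.113.9", "alice@example.com", "example.com", "none", None),
        ("attacker's own SPF passes, unaligned", "203.0.113.9", "ceo@news.example.com", "attacker.example", "none", None),
    ]
    for label, *args in cases:
        spf, result, disposition = decide(*args)
        print(f"{label}: spf={spf} dmarc={result} -> {disposition}")
```

The third case is the one worth staring at: the spoofer's own domain has a perfectly valid SPF record, so SPF passes, but because the envelope domain is not aligned with the From header the message fails DMARC and, since the From address is on a subdomain, the `sp=reject` policy applies.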

How do you know if your identity has been stolen?

So it's a good idea to help your recipients when they receive a potentially fraudulent email by giving them the information they need to judge your authenticity. But how can you tell if your identity has been stolen?

A second effect of implementing DMARC on your email domain is the ability to ask recipients' anti-spam software to report back to you whenever an email in your name has been received, with an indication of whether the SPF and DKIM tests succeeded or failed. These reports give you the visibility to act quickly in the event of impersonation and to check that everything is in order for your authorised traffic. It is therefore important to collect, save and consult your DMARC reports.

There are products available to retrieve these DMARC reports rather than tracking them by hand, because you will receive a lot of them and they are XML files that are difficult to analyse.

What to do in the event of email identity theft?

In the event of an EAC attack, where access to your email account has been compromised in order to send emails in your name:

  • Change your password
  • Activate double authentication (MFA)
  • Find out how this was done
  • Send a message to potential victims: "We are working to remedy the problem and improve the security of our domains and accesses to protect our identity".

In a BEC attack, your identity has been usurped: someone has sent an email in the name of your domain without having access to your mailbox. React quickly with a few good practices:

  • Deploy the 3 SPF/DKIM/DMARC protocols on the DNS of your domains
  • Find out how this is being done
  • Send a message to potential victims: "Please note that you have recently received emails under our identity. We are working to remedy the situation and improve the security of our domains in order to protect our identity".
  • Depending on the case, report the IPs used so that they can be considered malicious by everyone.

In conclusion

To sum up, there are safeguards in place, but it is up to you, as the owner of a domain, to put them in place as soon as possible to guarantee the protection and reputation of your identity.

If a reputation is lost, it takes time to rebuild it. So there is no instant miracle cure for a compromise. You have to work upstream and prepare yourself to counter any attempts.

Article translated from French