
How Do I Tell If an Email Address Is Fake?

There may be clues. Or not.

It's hard to determine whether an email address is fake.
Question: How can you tell if an email address is fake? How do scammers make fake emails?

While it can be helpful to identify fake email addresses — they’re a great clue as to whether the email you’re looking at is a scam, or worse — you might not be able to. A phony email address can easily be made to look like a valid one.

Sometimes there are clues, and I’ll review a few of those, but some of those clues also apply to legitimate email addresses.


TL;DR:

Fake email address?

Determining if an email address is fake can be tricky and perhaps impossible. Be sure to pay attention to the actual email address, not the display name. Use whois tools to confirm the domain exists. Look for typos or misleading domains. Be cautious if the email content feels off. Scammers are clever; it’s hard to be 100% sure just based on the email address.

Two parts to what you see

When you get an email, you may see something that looks like this.

From: Ask Leo! <leo@askleo.com>

The first part is the “display name”. It can be anything the sender configures. The second part (in angle brackets) is the actual email address.

Our first problem is that many email programs display this instead:

From: Ask Leo!

The email address is hidden. The only way to see it is to hover your mouse pointer over the display name.

Spammers know this and use it to mislead you. For example:

From: leo@askleo.com

looks like it’s coming from leo@askleo.com, but it is not. The display name, which can be anything, has been set to “leo@askleo.com”. The actual email address is fake@somerandomservice.com. This mismatch is a great clue that something may be amiss, but again, you won’t see it unless you put your mouse pointer over it.

So if your email program doesn’t display both, make sure you’re looking at the email address and not the display name.

Syntax

An email address has several parts. Using “leo@askleo.com” as an example:

  • leo – the email account
  • @ – the separator that indicates that the email domain follows
  • askleo.com – the domain name of the email server, which itself consists of three parts:
    • askleo – the name assigned to the web or email server
    • . – the separator that indicates a top-level domain follows [1]
    • com – the top-level domain on which the domain is registered.

If the email address does not follow that syntax, it’s invalid. For example, “leo@leo@askleo.com” is invalid.

Unfortunately, most spammers get this part correct.

Legit domain?

Using a tool like whois.domaintools.com, confirm that the domain (“askleo.com”) exists. (You can also visit your favorite domain registrar and see if the domain is available for purchase.)

[Screenshot: askleo.com’s Whois information.]

Whois may not tell you much about the owner of the domain, but it will tell you if it’s registered by someone. If it’s not registered or it’s available to buy, then it’s likely a fake email address.

Whois may also tell you how recently the domain was registered. A recently registered domain (days or weeks old) might be suspect.

Typos and misleading domains

Look for typos in the email address. This is particularly true if the email address appears to be someone you recognize. For example, “lao@askleo.com” might be an attempt to fool you.

Similarly, a look-alike domain, such as “leo@goaskleo.com”, can be an attempt to mislead you. [2]

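Perhaps more common are email addresses built on top of domains that have been compromised. “Leo@askleo.com.somerandomservice.com” could be a working email address, but it’s likely to be fake because it tries to trick you into thinking it’s related to askleo.com when it is not. The domain that matters is the rightmost part, somerandomservice.com; the “askleo.com” in front of it is only a sub-domain label chosen by whoever controls somerandomservice.com.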

Character replacements

Character replacements can be difficult to detect, and they are more commonly used in links in emails you might get. However, they can be used in email addresses as well.

Consider these three email addresses:

  • leo@askleo.com
  • leo@askleö.com
  • 1eo@askleo.com

If you’re not careful, you could confuse the first two, even though they are completely unrelated to one another.

Depending on the font used by your email program, you could also confuse the first and third, which tries to confuse you by using the digit 1 rather than a lowercase L.
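The look-alike patterns from the two sections above (typos, misleading domains, character replacements) can be checked mechanically when you already know the real address. The following Python sketch is an added example, not part of the original article; the function names, the digit map and the 0.9 similarity threshold are assumptions chosen for illustration, and the sample addresses are the article's own.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed, deliberately small map of digits that pass for letters in many fonts.
DIGIT_LOOKALIKES = str.maketrans({"1": "l", "0": "o"})

def skeleton(text):
    """Fold accents and look-alike digits so visually similar strings compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(DIGIT_LOOKALIKES)

def compare_to_known(candidate, known):
    """Classify how a sender address relates to one you already trust."""
    cand, known = candidate.lower(), known.lower()
    if cand == known:
        return "exact-match"
    if skeleton(cand) == skeleton(known):
        return "character-replacement"      # leo@askleö.com, 1eo@askleo.com
    cand_domain = cand.rpartition("@")[2]
    known_domain = known.rpartition("@")[2]
    if cand_domain != known_domain:
        if cand_domain.startswith(known_domain + "."):
            return "known-domain-used-as-subdomain"
        if known_domain in cand_domain:
            return "look-alike-domain"      # leo@goaskleo.com
    # Assumed threshold: near-identical strings are treated as possible typos.
    if SequenceMatcher(None, cand, known).ratio() >= 0.9:
        return "possible-typo"              # lao@askleo.com
    return "unrelated"

# Addresses taken from the article's examples.
SAMPLES = [
    "leo@askleo.com", "leo@askleö.com", "1eo@askleo.com", "lao@askleo.com",
    "leo@goaskleo.com", "Leo@askleo.com.somerandomservice.com",
    "fake@somerandomservice.com",
]

if __name__ == "__main__":
    for address in SAMPLES:
        print(f"{address:40} {compare_to_known(address, 'leo@askleo.com')}")
```

Any result other than "exact-match" or "unrelated" is a clue worth a closer look, not a verdict.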

Display name versus email mismatch

A display name should match the email address in some way. These two examples are likely to be valid.

Ask Leo <leo@askleo.com>

Leo Notenboom <leo@askleo.com>

However:

Bill Gates <leo@askleo.com>

or worse:

Bill Gates

is almost certainly bogus. This type of mismatch is common in spam.
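The display-name checks described here and in “Two parts to what you see” can be expressed as a short Python routine. This is an added example, not part of the original article; the function name, the finding labels and the word-overlap heuristic are assumptions, and the sample headers are constructed from the article's examples.

```python
import re
from email.utils import parseaddr

# Matches something that looks like an email address inside a display name.
ADDRESS_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def check_from(header_value):
    """Split a From: value and return (display_name, address, findings)."""
    name, addr = parseaddr(header_value)
    findings = []
    if addr.count("@") != 1:
        return name, addr, ["no-usable-address"]
    embedded = ADDRESS_LIKE.search(name)
    if embedded:
        # The display name shows an address: it should be the real one.
        if embedded.group(0).lower() != addr.lower():
            findings.append("display-name-shows-different-address")
    elif name:
        # Assumed heuristic: at least one word of the display name should
        # appear in the address (the top-level domain is ignored).
        words = re.findall(r"[a-z]{3,}", name.lower())
        haystack = addr.lower().rsplit(".", 1)[0]
        if words and not any(word in haystack for word in words):
            findings.append("display-name-unrelated-to-address")
    return name, addr, findings

# Constructed samples based on the article's examples.
SAMPLES = [
    'Ask Leo! <leo@askleo.com>',
    'Leo Notenboom <leo@askleo.com>',
    '"leo@askleo.com" <fake@somerandomservice.com>',
    'Bill Gates <leo@askleo.com>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        name, addr, findings = check_from(sample)
        print(f"{name!r:20} {addr:30} {findings or 'ok'}")
```

A finding here is a reason to look closer, since some legitimate senders use display names unrelated to their address.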

The body of the email

While not technically a check on the email address itself, the content of the email message, particularly typos and grammar that seem off or flat-out wrong, is also a sign that the sender might be bogus.

Especially if the email claims to come from someone you correspond with regularly and it just feels wrong — perhaps it doesn’t sound like them, or it’s asking something that your correspondent would normally never ask — it’s definitely worth a careful look.

MX records

This is somewhat of an advanced check, but it can be helpful.

You may already be familiar with DNS, or the Domain Name System. It maps names (like somerandomservice.com) to IP addresses (such as 52.27.227.69).

Using what’s called an MX (for Mail eXchange) record, DNS is also used to determine which email servers handle email for which domains. Any domain that can receive email should have an MX record. While designed for technical folks configuring MX records, mxtoolbox.com is a good, quick resource to see if an MX record exists. Enter the domain portion of the email address you’re checking out.

[Screenshot: MX Toolbox report for askleo.com.]

If the tool doesn’t display an MX record, that may be a clue that all is not what it seems.

Everything could be valid

Spammers don’t need to resort to any of the tricks above to make a fake email address. Someone could easily use something like:

Ask Leo! <fakeemail@askleo.com>

That’s a perfectly valid email address for an account that doesn’t exist. It could even be someone else’s email address — including yours. The spammers want you to act on the body of the email, not the email address.

Since spammers rarely care about replies or bounces, and since it’s trivial for them to put anything in the From: line, this may be the most common approach of all.

Do this

Here’s the problem: every one of these clues can lead you wrong.

  • It’s possible to craft an email address that seems to have bad syntax but is OK.
  • It’s possible for a domain check to show ownership even if the domain is unused.
  • Special characters (like ö) are valid and could be used by someone in a legitimate email address.
  • Sometimes display names are intentionally different than the email address they’re paired with.
  • Some people are poor at spelling and grammar.
  • An MX record isn’t actually required, so the lack of one doesn’t necessarily prove anything.

This is part of what makes it so difficult to truly determine whether or not an email address is a sham meant to mislead you.

Be skeptical. Look for the clues I’ve outlined above. Chances are that if you think it’s fake, it’s fake. But understand that being 100% certain based solely on the email address you see in the From: line is almost impossible.


Footnotes & References

1: To avoid complexity, I’m ignoring email addresses on sub-domains like “leo@newsletter.askleo.com”, which are uncommon but valid.

2: Although in this case, I do own the domain.

12 comments on “How Do I Tell If an Email Address Is Fake?”

  1. I’ve been using Mailwasher to screen all my emails for years. I find it is very accurate at identifying spam, and in addition it displays the actual email address, so no need even to hover. I can mark spam for bounce before it even reaches my computer, blacklist senders, and quickly mark for delete the dozens of time-wasting “newsletter” emails from every company I’ve ever bought from.

  2. Thanks for the clear background and guidance on suspect email addresses. I’ll try some of these features when I come across suspected spam.

    • I use it often. It’s a great tool, but not necessarily for fake address detection. (I’m constantly fighting with and confused by SPF/DKIM/DMARC which this tool is excellent at analyzing.)

  3. My friend has an email address with the domain @myself.com. This was available through mail.com, which has many domain names to choose from, and that is kind of fun.

    My friend is rather depressed, so I tried to subscribe him to “Not all news is bad”, but the email address was not accepted. Is there a problem with “Not all news is bad” or a problem with the domain name?
    Thanks.

  4. I got an email message today that looks perfectly fine until I open it. The salutation reads “Hello Liz,”. I’m definitely NOT named Liz, so I closed and sent it to the spam folder.

    Users of Microsoft Mail should probably find a different email client. The message list only displays the display name, and doesn’t show any additional information when I hover my mouse over it. I’d also avoid Outlook for Windows because it has been reported that it is sending user’s information, including passwords, etc. to Microsoft. Until I learn that this information is wrong, or that things have changed, I’m moving to Thunderbird – today.

    Ernie (Oldster)

  5. My “last resort” trick is to Google who it’s supposed to be from and the first line or a relevant line from the email. Google then shows me that it’s a fake and everyone is getting the same email. That has saved me from some bad mistakes when all else has failed. :)

  6. But WHY are you doing this at all?
    Why would you be responding to an email from somebody you don’t know?
    If it’s a friend you know, their email is in your address list.
    If it’s a company you do business with, their email is on their invoice, or their website.
    If it’s an organization you support, their email is in their Newsletter, or their website.
    Otherwise, they are spammers (and probably scammers), and you shouldn’t even be responding at all, much less wasting your time trying to research their supposed email address. Just delete it!

    Leo, this is rather like you spending a whole column explaining in detail “What is the best way to send money for transfer fees, so I can get a share of the Nigerian Prince’s locked accounts?”

  7. Smart move. I’ve been using Thunderbird since its inception and it’s become a joy to use, especially with the add-ons (extensions) that let you get TBird to look and work the way you want. Among the great add-ons are QuickFolders, QuickText, and Signature Switch.

  8. Thank you, Leo, for keeping us aware of the pitfalls that our technology presents. I have two concerns about fake email addresses. Although it hasn’t happened recently, in the summer I received a number of emails that identified long fake addresses that were threatening, such as “on my way to your house.com”, or “God will punish all sinners.dl”. They were obviously fake so I deleted them from the Junk folder (thank you, Microsoft). The second type of email was legitimate but I learned that it was intended for someone with the same name, separated by _. Subsequently, I found more almost identical email addresses as mine in the U.S. and Canada. I’m very careful to determine whether the message is intended for me or not. This is tricky, so I am vigilant.
