"I, thy CEO, doth hereby request thee transfer the paltrey sum of USD $14 million to our new supplier of gizmos, whatchamacallits and thingumbobs. As a feudal gesture of good faith, I have made blood oath of payment before the Celestial Serpent consumes yonder fiery orb. Please, my good number cruncher, make it so."

I jest, but spoofed emails like this one litter the graveyard of well-meaning company careerists trying to please their boss. A believable email from your CEO telling you to wire money internationally: For many accounts payable departments, this is not only a daily, but perhaps an hourly occurrence. How on earth is the business world to keep turning if nothing in your inbox can be trusted? Well, we're working on it.

TL;DR How to stop email spoofing: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Despite all this good-faith work to secure email--and that has, it must be noted, significantly reduced email spoofing—smart attackers still have many technical loopholes to use.

Email spoofing is trivially easy, and the technical skills required to engage in this kind of attack are extremely low, and potentially hugely profitable. Until we figure out how to throw the entire email stack into the garbage and set in on fire and replace it with something secure by design, we're going to be spending vast amounts of time and money defending our enterprises, our governments, and our society from this frustrating weakness.

(original article is here)