Description
Dear developers of Mailspring,
Hello!
We’ve recently evaluated the impact of email spoofing on the Mailspring client and found several methods that may spoof the sender address on Mailspring. The detailed discussion is in the report attached. We appreciate your patience and valuable time!
To Reproduce…
Steps to reproduce the behavior:
- Attackers generate emails with a spoofed email sender and send them to users.
- Recipients access this email through Mailspring.
- Mailspring may present the spoofed sender address to users.
Expected Behavior
We hope this report can be helpful in improving Mailspring display strategies.
Screenshots
Due to the security policy employed by the community, we cannot upload the report in PDF format, so we have made it a long figure instead, as follows:
Setup
- OS and Version: Ubuntu 25.10
- Installation Method: snapcraft
- Mailspring Version: ver.1.16.0
Additional Context
Although these methods can spoof the sender address on Mailspring, the main reason is the lack of a standard policy to process potentially spoofed messages rather than the client’s perspective. We hope we can make a modest contribution to email security. Thanks for reading!
