Reply to potentially spoofed email

You are focused on the person existing and not the account. Consider that Eve exists, did not send the email, but someone with access to her account did, and has entered an email rule to prevent your emails from hitting the inbox. You could carry on a conversation with that account but not Eve herself.

So I would add:

  1. Account exists, email was sent from the account, but Eve did not send the email (compromised account)
  2. Account exists, email was sent from the account, but Eve does not exist (dummy account)

In both cases, if you reply, you could be replying to the malicious actor and not Eve.

The best response is to contact Eve through some means other than email (call, other contact info, etc.).


If you don't know Eve, I see no reason to follow up.

If you do business with the company she claims to represent, you could reach out to a regular contact you use at that business. Don't try to engage that account directly because it may not be what it seems (e.g. a compromised account or a spoofing trick that fools your email client).

You can also vet the DMARC, SPF, and/or DKIM on the message to see if it is legitimate. First, check that the From domain is correct. Then look for an Authentication-Results header in the message. Only trust it if it is surrounded by headers added by your email infrastructure (the systems your company uses to receive your mail). It will tell you which of DMARC, SPF, and DKIM passed. You're looking for DMARC alignment (a DKIM header whose d= value matches the From header's domain, or an SPF approval, which means finding the SPF record for the From domain and verifying that the IP of the system connecting to your MX record is approved). There are tools like G Suite Toolbox Messageheader that can look this up for you (but it'll be Google-centric). If SPF or DKIM pass with alignment, the message is probably legitimately sent by that domain's infrastructure (but you don't know if it was sent by a compromised account).
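The header check described in this answer, as an added example that is not part of the original post: it parses the Authentication-Results header, confirms the authserv-id is the one our own receiving infrastructure writes (the value `mx.example.net` and both sample messages are constructed assumptions), and reports whether a passing DKIM or SPF result is aligned with the From domain.

```python
# Added example, not code from the original answers: check an Authentication-Results
# header for DMARC-style alignment with the From domain, as the answer above describes.
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: the id our own receiving MTA stamps
# Constructed sample messages (not real captures); continuation lines start with a space.
ALIGNED_MSG = b"""Authentication-Results: mx.example.net;
 dkim=pass header.d=example.com header.s=sel1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com
From: Eve <eve@example.com>
"""
# DKIM and SPF pass, but for a domain unrelated to the visible From domain.
UNALIGNED_MSG = b"""Authentication-Results: mx.example.net;
 dkim=pass header.d=bulk-sender.example;
 spf=pass smtp.mailfrom=bulk-sender.example
From: Eve <eve@example.com>
"""
def domain_of(value: str) -> str:
    """Lowercase domain from an address, a 'Name <addr>' header, or a bare domain."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].strip().lower()

def aligned(candidate: str, from_domain: str) -> bool:
    # Relaxed alignment simplified to "same domain or subdomain"; real DMARC
    # compares organizational domains derived from the public suffix list.
    c = domain_of(candidate)
    return bool(c) and (c == from_domain or c.endswith("." + from_domain)
                        or from_domain.endswith("." + c))

def parse_auth_results(header: str) -> tuple[str, dict]:
    """Split 'authserv-id; method=result prop=val ...; ...' into (id, {method: props})."""
    header = re.sub(r"\([^)]*\)", " ", header)  # drop parenthesised comments
    parts = [p.split() for p in header.split(";") if p.strip()]
    results = {}
    for tokens in parts[1:]:
        method, _, result = tokens[0].partition("=")
        results[method] = {"result": result,
                           **dict(t.split("=", 1) for t in tokens[1:] if "=" in t)}
    return parts[0][0], results

def check_alignment(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"]))
    authserv_id, res = parse_auth_results(str(msg["Authentication-Results"]))
    dkim, spf = res.get("dkim", {}), res.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    return {"authserv_trusted": authserv_id == TRUSTED_AUTHSERV_ID,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_aligned": dkim_ok or spf_ok}
```

An aligned result only shows the sending domain's infrastructure handled the message; as the answer notes, it says nothing about whether the account itself was compromised.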


A long time ago, when I was just out of short trousers and working my first gig as a system administrator, I replied to a spam email asking them to stop spamming me.

It turned out the FROM address was actually the spam distribution list, and thousands of people received an email from me asking them to stop sending me spam. They then emailed me back to say they weren't sending spam - how could I think such a thing.

Since then I just pass them off to my Bayesian filters.