
Vous est-il déjà arrivé de recevoir un e-mail qui semblait légitime — avec le bon logo, un ton familier — mais qui vous a tout de même paru suspect ? Pire encore, un de vos clients vous a-t-il déjà contacté après avoir reçu un e-mail douteux qui semblait provenir de votre entreprise ?
C’est ça, le spoofing d’e-mail.
Le spoofing d’e-mail est une technique utilisée par des cybercriminels pour falsifier l’adresse de l’expéditeur afin de faire croire que le message provient d’une source fiable — souvent une entreprise connue. Leur objectif ? Tromper le destinataire pour l’amener à cliquer sur un lien malveillant ou à divulguer des informations sensibles.
Dans cet article, nous allons vous expliquer comment fonctionne le spoofing d’e-mail, les risques qu’il représente et, surtout, les actions que vous pouvez mettre en place pour protéger votre entreprise et vos clients.
À quoi ressemble un e-mail spoof ?
Voici les éléments clés à surveiller pour identifier un e-mail spoofé :
- Spoofing du nom d’affichage : un e-mail où le nom d’affichage est identique ou très proche de celui d’un employé réel de l’entreprise. Cela crée un faux sentiment de légitimité.
- Spoofing du domaine : l’expéditeur falsifie non seulement le nom d’affichage, mais aussi le nom de domaine de l’entreprise. L’adresse e-mail semble alors provenir du domaine officiel, rendant la fraude plus difficile à détecter.
- Adresse de l’expéditeur suspecte : c’est souvent un indice révélateur. Même si le nom d’affichage peut sembler familier, le domaine qui suit le symbole “@” est souvent différent ou étrange. Cela trahit généralement une tentative de spoofing.
- Un ton pressant ou menaçant : les cybercriminels utilisent souvent un langage alarmant pour pousser le destinataire à agir rapidement, sans prendre le temps de réfléchir. Cela peut inclure des menaces ou une fausse urgence.
- Promesses de gains ou de cadeaux : ces e-mails prétendent souvent que vous avez gagné un prix ou une récompense. Cela pousse les victimes à fournir des informations personnelles ou à cliquer sur des liens ou pièces jointes malveillants pouvant infecter leurs appareils.
- Incohérences visuelles : certains e-mails spoofés présentent des logos obsolètes, des fautes de mise en page ou un format différent des communications habituelles de l’entreprise. Bien que les fraudeurs deviennent de plus en plus habiles à imiter le style visuel, certaines tentatives restent faciles à repérer.
Stopper le spoofing d’e-mail : les bonnes pratiques à connaître
Le spoofing d’e-mail peut être limité, voire empêché, en configurant plusieurs mécanismes d’authentification comme SPF, DKIM et DMARC. Chacun joue un rôle distinct dans la vérification des messages, mais c’est leur mise en œuvre conjointe qui permet de protéger efficacement votre domaine contre les tentatives de spoofing.
Sender Policy Framework (SPF)
SPF est un protocole d’authentification des e-mails conçu pour vérifier l’identité de l’expéditeur.
Pour mettre en place SPF, vous devez déclarer les adresses IP ou serveurs de messagerie autorisés à envoyer des e-mails en votre nom. Lorsqu’un e-mail est reçu, le serveur de réception interroge le serveur DNS du domaine pour vérifier si l’adresse IP de l’expéditeur figure bien parmi celles autorisées. Si ce n’est pas le cas, le message peut être marqué comme suspect ou bloqué.
L’e-mail n’est délivré dans la boîte de réception du destinataire que s’il provient d’une adresse IP autorisée et s’il réussit la validation SPF. En configurant correctement les enregistrements SPF, vous pouvez améliorer la délivrabilité de vos messages, réduire les risques de spam et prévenir l’usurpation d’adresse e-mail.
DomainKeys Identified Mail (DKIM)
DKIM est une signature numérique ajoutée à chaque e-mail que vous envoyez. Elle fonctionne en complément des enregistrements SPF.
En plus de vérifier l’authenticité de l’expéditeur, DKIM permet de s’assurer que le contenu du message n’a pas été altéré ou modifié pendant son acheminement. C’est un moyen efficace de garantir l’intégrité des e-mails et de renforcer la confiance des destinataires.
Pour configurer DKIM, il faut publier une clé publique dans les enregistrements DNS de votre domaine. Lorsqu’un e-mail est envoyé, votre serveur génère une empreinte numérique du message (incluant le contenu et les titres) et la signe à l’aide d’une clé privée, qui reste confidentielle.
Lors de la réception, le serveur du destinataire utilise la clé publique pour vérifier si cette signature est bien authentique. Si l’empreinte correspond, cela signifie que le message n’a pas été altéré pendant son envoi.
Cette méthode garantit l’intégrité de vos e-mails et empêche les attaquants de se faire passer pour vous, puisqu’ils ne possèdent pas la clé privée nécessaire pour signer les messages.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC est une méthode d’authentification avancée conçue pour prévenir le spoofing e-mail. Elle repose sur les protocoles SPF et DKIM, et permet de définir une politique claire à appliquer lorsqu’un message échoue à ces vérifications.
Concrètement, DMARC vous permet de publier une politique dans votre DNS indiquant aux serveurs de messagerie des destinataires quoi faire lorsqu’un e-mail ne passe pas les contrôles SPF ou DKIM. Trois actions sont possibles :
Action 1 : Aucune action
Aucune mesure n’est prise, même si le message échoue aux vérifications SPF ou DKIM.
L’e-mail est quand même transmis dans la boîte de réception du destinataire.
Action 2 : Quarantine
L’e-mail est livré, mais redirigé vers le dossier des spams ou courrier indésirable, car il n’a pas passé les contrôles SPF/DKIM.
Action 3 : Rejeter
Si cette politique est choisie, tout e-mail qui échoue aux vérifications SPF ou DKIM est simplement rejeté. Il ne sera jamais livré au destinataire.
Comment Zoho Campaigns vous aide à prévenir le spoofing d’identité par email et à protéger votre domaine
Zoho Campagins permet à chaque utilisateur de configurer facilement les enregistrements SPF et DKIM afin d’authentifier son domaine.
Si un email réussit les vérifications SPF et DKIM, la politique DMARC ne s’applique pas. En revanche, si l’une de ces vérifications échoue, le serveur de réception consulte alors la politique DMARC du domaine pour déterminer comment traiter le message. Il est important de noter qu’une politique DMARC ne peut être activée qu’après la mise en place des enregistrements SPF et DKIM, sans quoi la validation DMARC échouera.
Une fois l’authentification SPF et DKIM configurée pour votre domaine, vous pouvez définir la politique DMARC dans les enregistrements DNS de votre domaine. Vous pouvez en apprendre davantage sur la configuration des enregistrements DMARC ici.
Configurer SPF et DKIM permet non seulement de lutter contre spoofing e-mail, mais aussi d’améliorer la délivrabilité de vos messages. En plus de SPF et DKIM, Zoho Campaigns propose également plusieurs fonctionnalités axées sur la délivrabilité, afin d'assurer que vos emails atteignent toujours la boîte de réception.
E-mail spoofing évolue constamment, et rester passif face à cette menace peut entraîner des pertes financières ou nuire à la réputation de votre entreprise.
En mettant en place de manière proactive des protocoles d’authentification email tels que SPF, DKIM et DMARC, les entreprises peuvent réduire considérablement les risques liés à l’usurpation d’identité par email.
L'équipe Zoho France
Recent Topics
Dynamic Pickup List Values using Deluge and Client Script
I would like to dynamically show Pickup List Values For example we need to fetch some data from an on premise application and display it so they can choose and pick This can be done in Creator but I didn't find anything for CRM
Validation Rule for Controlled Stage Movement in Deals Module (Deluge Script)
For keeping a control over module stage or status, you can use the below deluge script. The below deluge script defines validation control over deals module stages: // Function to validate allowed stage transitions in the Deals module map validation_rule.LeadStatustValidation1(String
Pick List Issues
I have created a pick list that looks at a table in a sheet, it selects the column I want fine. Various issues have come along. The option to sort the pick list is simplistic, only allows an ascending alphabetical sort. Bad luck if you want it descending.
Four types of task dependencies
"Nothing is particularly hard if you divide it into small jobs." - Henry Ford Projects, small or large, are driven by simple work units called tasks. Monitoring standalone tasks might look simple but as the workflow becomes elaborate, tasks may start relying on one another. In project management, this relationship between tasks is termed as "Task Dependencies". Dependency between tasks arise
1099 tracking
Do zoho books offer feature of tracking for 1099's for contractors, etc? Quick books offers this feature and wondered when/if Zoho books will do same
VAT-type Taxes in US Edition?
I'm located in the US, and I use the Zoho One US edition of Books. We are in the process of registering with Canadian authorities for their GST / HST, which is a VAT-type of scheme. It is not immediately obvious to me how one would deal with input tax
2 users editing the same record - loose changes
Hello, I'm very new to Zoho so apology if this has been addressed somewhere i can't find. I have noticed the following: If we have 2 users put an inventory item in edit mode at the same time: say user1 click on edit and user2 while user1 is still in edit,
Schedule sms to be sent later
When will you make available an option to send sms's at a later time??? You finaly have this option available on emails, so it will be very useful to have it also with sms. Our sms provider, has already this available but we cannot use it because you
Ecommerce integration with prestashop
Development of campaigns integration with prestahop. When???
How to create an article containing images and rich text via the api?
Hi, I'm trying to migrate our kb articles from our previous helpdesk service, and import them to ZohoDesk. Is there any way to create an article that contains images? Is it possible to add formatting to articles created via the API? Thanks, Adam.
Number of statement execution limit exceeded on deluge scheduled function
I'm working on a send email functionality in creator that sends out crew work orders at the end of the day each day for the next day. I'm running into the issue that zoho is unable to handle the number of statements that I am doing to be able to successfully
Color of Text Box Changes
Sometimes I find the color of text boxes changed to a different color. This seems to happen when I reopen the same slide deck later. In the image that I am attaching, you see that the colors of the whole "virus," the "irology" part of "virology," and
Zoho SignForm In Progress But Cannot Be Completed
If a person starts signing a document (via SignForm), but closes the window before submitting, Zoho marks the document "in progress", but how do they finish signing it?
How to show Assemblies AND component items in a report
Hi Is there any way in Analytics to create a report that shows the Composite Item AND the Component Items with mapped quantity? It seems that the component item is not exposed in any table that I can find. Also, the same question but for Stock on Hand.....this
Mandatory Messages for Specific Members in Zoho Cliq Channels
Hello Zoho Cliq Team, We hope you're doing well. We would like to request a feature enhancement to Zoho Cliq that would allow marking certain messages in a channel as mandatory for specific members — with built-in tracking and reminders. 🎯 Use Case:
Admin Access to Message Read Statistics in Zoho Cliq
Hello Zoho Cliq Team, We hope you're doing well. We would like to request a feature enhancement that would allow admins or channel owners to view read/unread statistics for messages, even if they were not the original sender. 🎯 Use Case: Currently, in
Online Member Visibility in Channels (Similar to WhatsApp Group Presence)
Hello Zoho Cliq Team, We hope you're doing well. We’d like to request an enhancement to Zoho Cliq’s channel experience by introducing online presence indicators for channel members — similar to how WhatsApp shows how many people in a group are currently
Show ticket field in Zoho Desk only if that same field is not empty (API‑created records)
Zoho Team , We have a ticket workflow where every ticket is created via API based on dynamic logic from an external form. That form has complex logic and already decides what’s relevant to ask, and the API only populates fields in Zoho Desk based on that
Multiple Products on Ticket
Good morning. We will classify all tickets based on the product. Users sometimes send different requests on the same ticket, so we are facing some challenges. Is there a way to add more than one product to the ticket, or is there a way to tie the product
Não recebo Email de confirmação e validação de cadastro do PagSeguro
Olá, utilizei uma das minhas contas de email Zoho para criar um cadastro no PagSeguro, contigo o email com o link de confirmação da conta não chega no meu email Zoho (nem.ma caixa de spam, nem na lixeira, e nem em outras pastas). Outros emails do PagSeguro
Does Thrive work with Zoho Billing (Subscriptions)?
I would like to use Thrive with Zoho Billing Subscriptions but don't see a way to do so. Can someone point me in the right direction? Thank you
accounts payable and receivable subaccounts
How to create accounts payable and receivable subaccounts? Being that I have several clients and in my balance sheet have to specify the accounts of each client and not only appear "accounts receivable or accounts payable" ??
DUPLICATING WORKFLOWS IN CREATOR
Hi all, I want to duplicate and slightly amend 3 workflows in Creator so that I don't have to keep typing in all the rules and properties each time. I can see lots of videos on CRM with the 3 dots at the top of the workflow, but nothing like that in Creator.
Add SKU to query options in `items` API endpoint
It would be very useful to be able to pull items by SKU in the API as this is a commonly used unique ID that tends to be consistent across systems.
Estimates and invoices being sent from company-wide address, rather than individual
In our organization, team members send estimates and invoices through Zoho Books by using the "Send Email" function. However, for certain users, the system defaults to sending estimates and invoices from a shared organizational email address (e.g., company@example.com)
Need profit margins for books in estimates & invoice
https://help.zoho.com/portal/en/community/topic/show-my-cost-or-profit-while-creating-estimate
Decimal places settings for exchange rates
Hello, We are facing issues while matching vendor payments with banking feeds. As we often import products/services exchange rate comes into play. Currently, ZOHO allows only six digits for decimal places. We feel that conversions like JPY to INR require
Item Level Notifications
I need to create a custom workflow based on the creation of an estimate that has a SKU/Item name that matches certain criteria. I can have it generated based on a total amount, but not at the item level. Is this possible?
Cannot categorize a bank deposit to an income sub-account
When I go to categorize a bank deposit, I am not able to see any income sub-accounts. If I set up an income account without a parent, then I am able to categorize a transaction into that account, but as soon as I make it a child account, it disappears
ZV Extension passkey changes in v5.7.0
Has there any changes to the how passkeys are managed in ZV - Chrome extensions v5.7.0? Namely, if the passkeys were already implemented/enforced as 2FA on a certain webpage, but ZV does not track them yet. Would that be the issue for my use case?
What's New in Zoho Billing - August 2025
Hello everyone, We are excited to share the latest updates and enhancements made to Zoho Billing in August 2025 to improve your overall billing management experience. Keep reading to learn more. Notify Customers About Subscriptions via WhatsApp Business
How do I get my account id?
Hello, I followed the instructions to get a list of accounts of the currently authenticated user (which is me, and I am logged in). But when I follow the below instructions I get the following error: ERROR: {"data":{"errorCode":"INVALID_TICKET","moreInfo":"Invalid ticket"},"status":{"code":400,"description":"Invalid Input"}} Instructions that I am following: GET - User account details Purpose The API retrieves the list of accounts of the currently authenticated user. Request URL http://mail.zoho.com/api/accounts
Why are tasks not showing in Zoho Calendar?
Hi there, I updated the Zoho calendar preferences for Task records to show on the calendar together with Meetings and Calls - see attached screenshot. Despite of that, Task records still won't show on the calendar. Is there a specific reason why this
Zoho Payroll: Product Updates - July 2025
Over the past month, we've focused on making Zoho Payroll more flexible, compliant, and easier to use—whether you're processing complex payouts, ensuring accurate calculations, or meeting local tax regulations. Here's what's new: One-Time Payments and
Discussion for “sub product”, “sub item” or “child products”
Hello everyone, In some CRM systems, there is the ability to associate products in a hierarchical manner within a quote. For example: Product A: Gold Plan Product B: Setup Product C: Connector Product D: Silver Plan Product B: Setup Product C: Connector
Retrieve Accidental Deleted User
Is there a way to undelete a user who accidentally deleted themselves?
Request for Support - CRM Integration Issues
I’m reaching out to request assistance with the following items: 1. Zoho Forms Integration with Zoho CRM We are currently using Zoho Forms to send the Global Credit Application form to our customers. The intended workflow is for the form submissions to
Knowledge Base Module
How to enable the knowledge base module in zoho crm account. I saw this module in one crm account but unable to find it other zoho crm account. can anyone know about this?
Zoho sign changed Indexing of signing_order
Because I missed this Announcement (is there even one?): when you work with the indexes of actions > signing_order. Previous those started with 0 now starts with 1. Changed somewhere between 15.07 and 23.07
How to Invoice Based on Timesheet Hours Logged on a Zoho FSM Work Order
Hi everyone, We’re working on optimizing our invoicing process in Zoho FSM, and we’ve run into a bit of a roadblock. Here’s our goal: We want to invoice based on the actual number of hours logged by our technicians on a job, specifically using the timesheets
Next Page