Why do phishing e-mails use faked e-mail addresses instead of the real one?

While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.

To explain in short what these technologies do:

  • SPF
    Checks if the sender IP address is allowed for the given SMTP envelope sender (SMTP.MAILFROM). dig txt amazon.com shows that an SPF policy exists.
  • DKIM
    The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from the DKIM-Signature fields in the mail header.
  • DMARC
    Aligns the From field in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches. dig txt _dmarc.amazon.com shows that Amazon has a DMARC record with a policy of quarantine.

Neither SPF nor DKIM on their own helps against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
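As an added illustration of the alignment rule described in this answer (example code, not part of the original post), here is a small Python model of how a receiving server combines the SPF result, the DKIM results and the published DMARC record into a pass/fail and a disposition. DNS lookups and the actual SPF/DKIM verification are replaced by results passed in, and the organizational domain used for relaxed alignment is approximated by the last two labels (a real receiver consults the Public Suffix List); the sample message and record are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Approximation of the organizational domain: last two labels only.
    # Assumption for brevity; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # Strict ("s") alignment needs an exact match; relaxed ("r", the default)
    # only requires the same organizational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw_msg, mail_from, spf_result, dkim_results, record):
    """Return (dmarc_pass, disposition) for one message.

    mail_from:    SMTP envelope sender (RFC5321.MailFrom) SPF was checked against
    spf_result:   "pass" or "fail" for that envelope domain
    dkim_results: {d= domain of each DKIM-Signature: "pass" or "fail"}
    record:       DMARC TXT record published under _dmarc.<From domain>
    """
    policy = parse_dmarc(record)
    msg = message_from_string(raw_msg)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    spf_aligned = spf_result == "pass" and aligned(
        mail_from.rpartition("@")[2], from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(
        result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
        for d, result in dkim_results.items())
    passed = spf_aligned or dkim_aligned
    # A pass means normal delivery; otherwise the published p= tag
    # (none / quarantine / reject) decides what happens to the message.
    return passed, "none" if passed else policy.get("p", "none")

# Constructed sample: header From claims amazon.com while the envelope and
# DKIM signature belong to a domain the sender actually controls.
SPOOFED = "From: Amazon <no-reply@amazon.com>\nSubject: test\n\nbody\n"
RECORD = "v=DMARC1; p=quarantine"
```

With the constructed inputs, SPF and DKIM both passing for the sender's own domain still yields a DMARC failure with disposition "quarantine", because neither identifier aligns with the header From domain.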

To complement Steffen Ullrich's answer, note that:

  • Historically, it was indeed possible to spoof anything you wanted, no-one checked, everybody trusted everybody.
  • However, with the rise of spam, phishing and other scams, SPF, DKIM and DMARC were introduced. Those allow a server to check if the sender does have the right to send mail with a sender in a given domain.
  • To work, those require both the sender and the receiver to implement those methods.
  • Most large e-mail providers will definitely implement at least one of the 3 methods on their side (as a receiver), and many organisations at risk of having people trying to impersonate them will implement at least one of the 3 methods on their side as well (as a sender).
  • However, there are still both e-mail systems not checking either and domains without the appropriate setup.

So if you find a domain without SPF, DKIM or DMARC, you could send e-mail on behalf of that domain and not be rejected outright. Many e-mail providers will "trust" such e-mails less than others, and it has larger chances of being handled as spam.

Likewise, you could send e-mail even "from" a domain protected with SPF, DKIM or DMARC to an e-mail system that doesn't check it.

But most definitely, if you want to send as Apple or Amazon to mailboxes managed by Google or Microsoft, that won't work. And that's the reason they use other domain names for this.

  • The phisher may be hoping to get any replies to send to that address.
  • They are trying to avoid the various frameworks that exist to prevent spoofed "from" fields from being perceived as authentic by a human user.

Using this tool I was able to check that amazon.com does have SPF configured. Of course it's on your email client to check DNS for SPF, but most people's clients do do that.