Our initial implementation of this feature computes all the significant permutations of the display name (friendly-from) provided in the From header and compares it to an address book of known "real names" of domain users. If a name-based match is found but the sending email address is not a known address of that person, the message is tagged as a possible spoofing attempt.
It currently handles all the cases where two or more of the words in the person's real name appear in the display name. A future iteration will add detections for common known substitutions (eg: Jeff for Jeffrey, Jon for Jonathan, etc), common homoglyph tricks, and name-initials (eg: Davis, J. or Jeffrey D.)
As for how this feature will affect the message, there are initially two options (not mutually exclusive):
- Add a visual warning message into the email body: "This sender ({{email_address}}) is not a recognized email address of {{real_name}}. This may be a phishing attempt."
- Add a message header "X-PhishProtection-Warning" with value "senderspoof"