Fake or genuine email from Home Office?

[hiteshtuteja]

Hi
I have made a citizenship application from my family. Recently I have received an email from an individual with an email ID in the format firstname.lastname@homeoffice.gov.uk. He has asked me to share the scanned pages for my wife and son's old passports (these were not scanned by the commercial partner) and send it to nationalityfurtherinformationrequests@homeoffice.gov.uk .
Does this seem genuine and is the email address where I am supposed to send it a genuine email ID?
Thanks
HT

[alterhase58]

Emails in that/various formats are constantly quoted on the board - never had emails from UKVI but the domain is certainly ok.

[Zerubbabel]

Usually they send from a generic email address rather than disclose their identity by using firstname.lastname@

However, I have seen them doing it by mistake and sometimes even trying to recall the email.

The address they ask you to send to seems legit.

The email seems genuine to me.

[Cool321]

Probably its an email directly from the case worker and sometimes helpful case workers use their own email for quick replies and fast processing

[AnotherUUID]

never had emails from UKVI but the domain is certainly ok.

The domain as it appears by itself cannot ever be trusted as the email protocol, old as it is, does not require authentication to specify the sender email address. Unfortunately, the technology is such that anyone (with a tiny bit extra know-how) can send an email as anybody else - a huge opportunity for scammers and a huge problem for the ordinary people.

There are however, workarounds (not solutions!) that have been put in place for a number of years to deal with the issue as much as possible, largely on the server side and transparent to the users (luckily!).

This might sound a bit techy - bear with me - but it's something relatively simple that everyone can do to check if an email might be dodgy. One way is to look at the headers of the email message itself. Depending on whether you use a web based email client or a desktop application such as Thunderbird there will always be an option to view the message "source" where you will be able to see the email in its raw format, as communicated between the servers, which will include some additional technical information.

Don't be shocked when you see the huge amount of text which will largely mean nothing to most people.

Things to look for are lines (and their contents) that start with: Received-SPF, Authentication-Results, DKIM-Signature, and ARC-Authentication-Results (used by Google). In the header contents one should look for the following:

• Received-SPF: pass
• Authentication-Results:
  • dkim=pass
  • spf=pass
  • dmarc=pass
• ARC-Authentication-Results: similar or same as Authentication-Results above

I won't go into the details of how and why but, if all of the above (when present) show a pass, there's a good chance the email is coming from legit mail server, and thus, likely a legit source.

Compliant mail servers these days are required to conform to additional techniques and do the above standardised checks. If one or all checks don't pass most receiving mail servers will usually treat this as spam - but it's not a foolproof system and you can't ever trust it 100%.

It's a never ending topic and plenty of other checks one can manually do, but this is by far one of the simplest accessible to everyone out of the box without the need for extra tools.

All HO communications I've had - though admittedly not directly from a caseworker - have, at the very least, passed the above (automated) checks.

Hope this helps!

[hiteshtuteja]

never had emails from UKVI but the domain is certainly ok.

The domain as it appears by itself cannot ever be trusted as the email protocol, old as it is, does not require authentication to specify the sender email address. Unfortunately, the technology is such that anyone (with a tiny bit extra know-how) can send an email as anybody else - a huge opportunity for scammers and a huge problem for the ordinary people.

There are however, workarounds (not solutions!) that have been put in place for a number of years to deal with the issue as much as possible, largely on the server side and transparent to the users (luckily!).

This might sound a bit techy - bear with me - but it's something relatively simple that everyone can do to check if an email might be dodgy. One way is to look at the headers of the email message itself. Depending on whether you use a web based email client or a desktop application such as Thunderbird there will always be an option to view the message "source" where you will be able to see the email in its raw format, as communicated between the servers, which will include some additional technical information.

Don't be shocked when you see the huge amount of text which will largely mean nothing to most people.

Things to look for are lines (and their contents) that start with: Received-SPF, Authentication-Results, DKIM-Signature, and ARC-Authentication-Results (used by Google). In the header contents one should look for the following:

• Received-SPF: pass
• Authentication-Results:
  • dkim=pass
  • spf=pass
  • dmarc=pass
• ARC-Authentication-Results: similar or same as Authentication-Results above

I won't go into the details of how and why but, if all of the above (when present) show a pass, there's a good chance the email is coming from legit mail server, and thus, likely a legit source.

Compliant mail servers these days are required to conform to additional techniques and do the above standardised checks. If one or all checks don't pass most receiving mail servers will usually treat this as spam - but it's not a foolproof system and you can't ever trust it 100%.

It's a never ending topic and plenty of other checks one can manually do, but this is by far one of the simplest accessible to everyone out of the box without the need for extra tools.

All HO communications I've had - though admittedly not directly from a caseworker - have, at the very least, passed the above (automated) checks.

Hope this helps!

Thanks. I checked the security details in gmail and it says "sent by: homeoffice.gov.uk, signed by: ukhomeoffice.onmicrosoft.com, security: stabdard encryption (TLS)". Would that be sufficient for confirming security?

[AnotherUUID]

Thanks. I checked the security details in gmail and it says "sent by: homeoffice.gov.uk, signed by: ukhomeoffice.onmicrosoft.com, security: stabdard encryption (TLS)". Would that be sufficient for confirming security?

It seems okay. "signed by: ukhomeoffice.onmicrosoft.com" is the only thing that, to me, would be of slight concern but I wouldn't be surprised if HO use third party service providers as a cost saving measure.

Since you mentioned GMail, an extra quick check you could do is click on the "More" menu (the three vertical dots in the top right corner the email body, next to the Reply button) and select "Show original".

Luckily, GMail gives a you very nice and user friendly tabular summary of the email and most important checks at the top. If DMARC and SPF are also shown as "PASS" then, personally, I would be fairly satisfied that the email is legit.