Our initial implementation of this feature computes all the significant permutations of the display name (friendly-from) provided in the From header and compares it to an address book of known "real names" of domain users.  If a name-based match is found but the sending email address is not a known address of that person, the message is tagged as a possible spoofing attempt.

It currently handles all the cases where two or more of the words in the person's real name appear in the display name.  A future iteration will add detections for common known substitutions (eg: Jeff for Jeffrey, Jon for Jonathan, etc), common homoglyph tricks, and name-initials (eg: Davis, J. or Jeffrey D.)

As for how this feature will affect the message, there are initially two options (not mutually exclusive):
  1. Add a visual warning message into the email body:  "This sender ({{email_address}}) is not a recognized email address of {{real_name}}. This may be a phishing attempt."

  2. Add a message header "X-PhishProtection-Warning" with value "senderspoof"