Our email users are getting spoofed. How can I stop this?
Email spoofing is when a spammer or spambot sends emails out to the world (or to users on your domain), pretending to be a user on your domain. The email therefore looks like it came from someone you know. These spoofing emails may contain phishing schemes, or have other malicious intent.
To help reduce spoofed emails, here are some things you can do:
- Report the message as spam.
- Ensure that your domain has an SPF record.
An SPF record is a DNS record that defines which servers are authorized to send for your domain. Creating an SPF record helps other domains recognize spoofed email "from" your domain when they receive it. SPF by itself is not a perfect solution because it only authenticates the "envelope sender". A spammer could still use a different email address as their envelope sender but put your domain in their "From:" address and still pass SPF checks. But SPF records are still helpful. You can check if your domain has an SPF record here:
If you don't have an SPF record, you can create one by adding a TXT record to your domain's DNS. The following tool can help you to create the record:
Be sure to enter spf.spamhero.com here:
Assuming you're using your domain's DNS control panel at your hosting provider to create a TXT record, you would copy just the portion of the text that is inside the quotes here:
If you're not sure how to add a DNS record, send the text inside the quotes to your hosting provider or mail server administrator and they should be able to help you add it.
- Once you have your own SPF record in place, you can block all email from your own domain that fails SPF or fails to align (meaning the email is "from" your domain, but the "return path" address's domain isn't your domain). To do this, go to the Settings > Approved senders page and add your own domain name. Before saving, click the Advanced drop-down and be sure to select the option Allow messages that meet one of these conditions (recommended).... This will ensure the sender is verified as authentic (with the help of SPF, DKIM, and DMARC). Then, enable the option to "quarantine" messages that fail verification.
These settings will block spammers that try to use a different envelope sender but put your domain in the "From:" address. When selecting the above Approved Sender options for your domain, you must make sure your SPF record includes all the IPs that your users send from and that their email is configured to set the envelope sender properly so that it matches their From address.
You will also want to consider if your website sends emails on behalf of your domain (e.g. via a web form) and make sure the IP of your web server is included in your SPF record and that the script that sends the emails uses the proper envelope sender (aka "return path"). After setting the options above, you will want to watch your quarantine to make sure important messages are not being held in the Quarantine+ viewer.
If the envelope sender/return path must be a domain that doesn't match your From domain, you can add that domain to the Approved sources section.
- We also have a general SPF checking policy that can be enabled from the Settings > filtering policies tab:
If you use this policy, any message that fails the SPF check will be deep filtered. The deep filter will cause a message to be delayed and rescanned for spam after the delay. During the delay, the core filtering engine should be collecting new rules to help detect and stop spam.
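The alignment check described above (mail "from" your domain whose "return path" is on another domain), sketched in Python as an added example; it is not SpamHero's code. The function names, the exact-domain match, the example.com/example.net sample messages, and reading the SPF verdict from an Authentication-Results header added by the receiving server are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spf_result(msg):
    """SPF verdict recorded by the receiving server (simplified parse)."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def check_own_domain_mail(raw, own_domain, approved_sources=()):
    """Return 'deliver', 'quarantine', or 'not-own-domain' for one message."""
    msg = message_from_string(raw)
    if domain_of(msg.get("From")) != own_domain:
        return "not-own-domain"          # rule only covers mail "from" us
    env_dom = domain_of(msg.get("Return-Path"))
    # Exact match only (assumption): subdomains are not treated as aligned.
    aligned = env_dom == own_domain or env_dom in approved_sources
    # SPF authenticates the envelope sender, so a pass alone is not enough:
    # the envelope domain must also match the visible From domain.
    if spf_result(msg) == "pass" and aligned:
        return "deliver"
    return "quarantine"

def make_message(return_path, spf, from_addr):
    """Build a constructed sample message (not real mail)."""
    return (f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: mx.example.com; spf={spf} "
            f"smtp.mailfrom={return_path.split('@')[1]}\n"
            f"From: Alice <{from_addr}>\n"
            "Subject: invoice\n\nbody\n")

# Constructed samples: genuine mail, the "different envelope sender" spoof
# that still passes SPF, and a spoof that reuses our envelope domain.
GENUINE = make_message("alice@example.com", "pass", "alice@example.com")
SPOOF_OTHER_ENVELOPE = make_message("bounce@example.net", "pass", "alice@example.com")
SPOOF_SPF_FAIL = make_message("alice@example.com", "fail", "alice@example.com")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOF_OTHER_ENVELOPE", "SPOOF_SPF_FAIL"):
        print(name, check_own_domain_mail(globals()[name], "example.com"))
```

Passing `approved_sources=("example.net",)` models the Approved sources exception for a return path that legitimately differs from the From domain.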