To block emails spoofing a specific email address or domain, you first need to approve the sender. Wanting to block unauthorized emails from a given sender generally means that you still want to receive legitimate emails from that sender.
1. Find a message from the sender in the clean mail view in SpamHero that you are confident was not spoofed.
2. Click on "Approve sender". Our systems will then analyze the message and determine the source and authentication method used to send the message. This will help SpamHero automatically determine the sending patterns for the sender, so that the filter knows what can be used to distinguish between spoofed emails and legitimate ones.
3. Inside the "Approved sender" dialog, click on Advanced > If verification fails > Quarantine. This extra step will block messages claiming to be from the sender that are not from the same source as the clean message you identified.
4. Watch carefully in the SpamHero quarantine in the coming weeks for messages from the sender that get blocked but should not have been. If you see any valid messages that get blocked, that means that the sender uses more than one source. If that happens, repeat steps 2 and 3 for every message that gets blocked that should not have been.
Why can't I just flip a switch and block all spoofed messages?
Blocking spoofing for any given domain isn't always a consistent experience. Email authentication is tricky, and can be handled in several different ways. It depends a lot on the efforts of the sender's domain to maintain their email authentication. Some domains offer no method of authentication at all, which makes it impossible to determine with certainty whether a given email came from their domain. A majority of domains that implement DMARC have their policy set to "none", which essentially means that they are not confident that their own legitimate messages will consistently pass their own authentication.
That's why SpamHero allows you to identify sending patterns, so you can block spoofed messages even when the sending domain is lacking a consistent authentication method.
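
The DMARC point above, as an added example (not SpamHero's code): the Python below classifies what a domain's published DMARC record lets a receiver enforce on its own. The TXT records and domains are constructed samples, and the category names are this example's own labels.

```python
# Added example: what does a domain's DMARC record let a receiver enforce?
# The TXT strings in SAMPLES are constructed; no DNS lookup is performed.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # RFC 7489: the version tag v=DMARC1 must come first
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # malformed trailing tags are ignored
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def spoof_protection(txt):
    """Classify how far DMARC alone lets a receiver block spoofed mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"        # nothing published: no policy to act on
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return "monitor-only"    # p=none (or no usable p): report only
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                # assumption: bad pct falls back to the default
    if not 0 <= pct <= 100:
        pct = 100
    return "enforced" if pct == 100 else "partial"

SAMPLES = {  # constructed records for placeholder domains
    "no-record.example": None,
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": "v=DMARC1; p=reject",
    "spf-only.example": "v=spf1 include:mail.example -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain:20} {spoof_protection(record)}")
```

Any result other than `enforced` is a case where the sender's own policy does not tell the receiver to block every failing message.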