Spam email “via” my domain, but SPF record exists

I just got an email from some random person's name "via" info@mydomain.com, although info@mydomain.com is just a distribution group within G Suite.



We have an up-to-date SPF record added from Google, and I'm not quite sure what or how another person is able to send an email via my domain.



Here are some references from the message source, without giving any specific information to my domain or the recipients:



Date: Mon, 01 Apr 2019 23:41:44 -0500
Subject: Mass Shootings orchestrated to pass gun control for the Federal
Reserve Shareholders planned U.S. Holocaust- How can your industry help?
From: 'Random Person' via Info <info@mydomain.com>
<snipped>
Message-ID: <186271992.14957742.1554180104822@mail.yahoo.com>
Thread-Topic: Mass Shootings orchestrated to pass gun control for the Federal
Reserve Shareholders planned U.S. Holocaust- How can your industry help?
Thread-Index: AWY0NTc5UrmPA22gl2edULFwYvLC7TIwMTU5
References: <186271992.14957742.1554180104822.ref@mail.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative;
boundary="B_3637013229_1574776269"


All of our users have 2FA enabled, although I don't think that's relevant here. This is clearly a spoofed email, as info@mydomain.com is not a registered account within the domain (just verified it).



Any ideas how this may have happened and how to prevent it?



Also, this message doesn't seem to contain any valuable information other than it was potentially leveraging Yahoo to send email on "behalf" of my domain, which I'm not quite sure how that worked.










spoofing spf






edited 2 days ago







LewlSauce






















asked 2 days ago









LewlSauce







  • 9





    You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

    – schroeder
    2 days ago






  • 1





    Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

    – LewlSauce
    2 days ago







  • 1





    You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

    – schroeder
    2 days ago






  • 1





    No images of text please. What you originally had was perfect.

    – schroeder
    2 days ago






  • 1





    @Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

    – LewlSauce
    2 days ago






















3 Answers


















14














Having an SPF record in your DNS records helps the recipient know which email server is legitimate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






answered 2 days ago

schroeder























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    2 days ago











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    2 days ago











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    2 days ago






  • 1





    Anyone can spoof the "From" address. And there are/were lots of valid reasons for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    2 days ago







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    2 days ago


















6














Just having an SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There is no information in your question about what the SMTP envelope was (usually shown as the Return-Path field in the mail header), but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to set up DMARC.



And even if both SPF and DMARC are set up, the recipient of the mail would actually need to check this. While many check SPF, most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.





























  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    2 days ago


















1














Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






P. Goetterup (new contributor)




















  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    2 days ago
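
The last two answers both separate the envelope sender that SPF authenticates from the header From that the mail client shows. The script below is an added example, not code from any of the posters: it reads a saved message's headers and reports whether an SPF or DKIM pass is aligned with the header From domain, which is the check DMARC adds. The sample messages, the `*.example` domains, the `trusted_authserv_id` parameter and the two-label organizational-domain shortcut are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: "organizational domain" = last two labels. A real DMARC
    # evaluator consults the Public Suffix List (this is wrong for co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(value):
    """Domain part of an address header value, or of a bare address/domain."""
    addr = parseaddr(value or "")[1] or (value or "")
    return addr.rpartition("@")[2].strip("<> ").lower() or None


def parse_auth_results(value):
    """Split one Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...])."""
    value = re.sub(r"\([^)]*\)", " ", value)        # drop parenthesised comments
    parts = value.split(";")
    authserv_id = (parts[0].split() or [""])[0].lower()
    found = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                                 # e.g. the literal "none"
        method, result = tokens[0].lower().split("=", 1)
        pairs = (t.split("=", 1) for t in tokens[1:] if "=" in t)
        found.append((method, result, {k.lower(): v for k, v in pairs}))
    return authserv_id, found


def alignment_report(raw, trusted_authserv_id):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    results = []
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, found = parse_auth_results(str(header))
        # Any relay can add this header; only the copy stamped by our own
        # receiving server says what was actually checked on arrival.
        if authserv_id == trusted_authserv_id.lower():
            results.extend(found)

    def aligned(domain):
        return bool(domain and from_domain) and org_domain(domain) == org_domain(from_domain)

    spf = [(r, domain_of(p.get("smtp.mailfrom"))) for m, r, p in results if m == "spf"]
    dkim = [(r, domain_of(p.get("header.d"))) for m, r, p in results if m == "dkim"]
    spf_aligned = any(r == "pass" and aligned(d) for r, d in spf)
    dkim_aligned = any(r == "pass" and aligned(d) for r, d in dkim)
    return {
        "header_from": from_domain,                                   # what the user sees
        "envelope_from": domain_of(str(msg.get("Return-Path", ""))),  # what SPF checked
        "spf_checked": bool(spf),            # False: receiver recorded no SPF result
        "spf_pass_for": [d for r, d in spf if r == "pass"],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_aligned": spf_aligned or dkim_aligned,
    }


# Constructed sample: header From claims mydomain.example, while the envelope
# sender and both passing results belong to a different domain.
SPOOFED = """\
Return-Path: <bounce@mailer.other.example>
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is permitted) smtp.mailfrom=bounce@mailer.other.example;
 dkim=pass header.d=other.example
From: 'Random Person' via Info <info@mydomain.example>
Subject: constructed sample

body
"""

# Constructed sample: envelope sender is a subdomain of the header From domain.
ALIGNED = """\
Return-Path: <bounce@mail.mydomain.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@mail.mydomain.example
From: Info <info@mydomain.example>

body
"""

# Constructed sample: the only Authentication-Results header was not added by
# our receiver, so it is ignored and the message counts as unchecked.
UNCHECKED = """\
Return-Path: <bounce@other.example>
Authentication-Results: mx.unknown.example; spf=pass smtp.mailfrom=mydomain.example
From: Info <info@mydomain.example>

body
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("aligned", ALIGNED), ("unchecked", UNCHECKED)):
        print(name, alignment_report(raw, "mx.receiver.example"))
```

For the first sample the report shows an SPF pass for `mailer.other.example` next to a header From of `mydomain.example`: SPF alone is satisfied, and only the alignment check flags the mismatch.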











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






LewlSauce is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206601%2fspam-email-via-my-domain-but-spf-record-exists%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









14














Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    2 days ago











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    2 days ago











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    2 days ago






  • 1





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    2 days ago







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    2 days ago















14














Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    2 days ago











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    2 days ago











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    2 days ago






  • 1





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    2 days ago







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    2 days ago













14












14








14







Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer













Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









schroederschroeder

78.8k30175211




78.8k30175211












  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    2 days ago











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    2 days ago











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    2 days ago






  • 1





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    2 days ago







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    2 days ago






























6







Just having an SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.

First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There is no information in your question of what the SMTP envelope was (usually shown as the Return-Path field in the mail header), but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to set up DMARC.

And even if both SPF and DMARC are set up, the recipient of the mail would actually need to check this. While many check SPF, most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.






answered 2 days ago









Steffen Ullrich












  • The OP is using G suite which checks SPF records. This answer sounds far more likely to be correct than the accepted answer.

    – Calimo
    2 days ago




























1







Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






answered 2 days ago









P. Goetterup
















  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    2 days ago
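The answers above all come down to what the receiving server recorded in the headers: whether an SPF result is present at all, and whether the domain SPF checked (the envelope sender shown in Return-Path) is the same as the From domain. The Python sketch below is an added example, not code from any of the answers; the sample message, its domains and the `triage` helper are constructed for illustration, and the alignment test is a simplification of DMARC's organizational-domain comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not taken from the question: the From header claims
# example.com, but the envelope sender (Return-Path) is another domain whose
# own SPF record passes.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: pass (mx.example.org: domain of bounce@mailer.example.net
 designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce@mailer.example.net;
 dmarc=fail header.from=example.com
From: "Accounts" <billing@example.com>
To: user@example.org
Subject: Invoice

Constructed body.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def result_of(method, auth_results):
    """Extract e.g. 'pass' from 'spf=pass' in Authentication-Results text."""
    m = re.search(r"\b%s=(\w+)" % method, auth_results)
    return m.group(1).lower() if m else None


def triage(raw):
    """Summarise what the receiver recorded about SPF, DMARC and alignment."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    spf = result_of("spf", auth)
    if spf is None and msg["Received-SPF"]:
        spf = msg["Received-SPF"].split()[0].lower()
    dmarc = result_of("dmarc", auth)
    ok = aligned(from_dom, env_dom)
    findings = []
    if spf is None:
        findings.append("no SPF result in headers: receiver recorded no SPF check")
    elif spf != "pass":
        findings.append("SPF %s for envelope domain %r" % (spf, env_dom))
    elif not ok:
        findings.append("SPF passed for %r, not for From domain %r" % (env_dom, from_dom))
    if dmarc is None:
        findings.append("no DMARC result in headers")
    elif dmarc != "pass":
        findings.append("DMARC %s for From domain %r" % (dmarc, from_dom))
    return {"from_domain": from_dom, "envelope_domain": env_dom, "spf": spf,
            "dmarc": dmarc, "aligned": ok, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

Only Authentication-Results and Received-SPF lines added by your own receiving server should be trusted, since a sender can insert look-alike headers of its own.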
















