Spam email “via” my domain, but SPF record exists Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why set up DMARC for SPF if it's already set up for DKIM?Best email SPF practice for dispersed users?Security of SPF vs SPF and DKIM in emailAre high levels of email spam normal?What does a failed SPF record tell me from a DMARC Aggregate report?Email SPF record integritySPF and DKIM passes for SPAM message when using SES and Google MailDMARC and SPF are setup for my non-www domain but doesn't work for wwwCan SPF be bypassed by using a shared email server?Is it safe to add IP address to SPF recordDoes it make sense to check SPF Record if a majority of customers don't abide their own Records?

Is it possible to add Lighting Web Component in the Visual force Page?

Is there a kind of relay only consumes power when switching?

hookrightarrow with ebgaramond-math

Amount of permutations on an NxNxN Rubik's Cube

Selecting user stories during sprint planning

Dating a Former Employee

Can family of EU Blue Card holder travel freely in the Schengen Area with a German Aufenthaltstitel?

How to write this math term? with cases it isn't working

How do I make this wiring inside cabinet safer? (Pic)

Trademark violation for app?

Using et al. for a last / senior author rather than for a first author

Chinese Seal on silk painting - what does it mean?

Maximum summed subsequences with non-adjacent items

How to convince students of the implication truth values?

Why wasn't DOSKEY integrated with COMMAND.COM?

As a beginner, should I get a Squier Strat with a SSS config or a HSS?

What would be the ideal power source for a cybernetic eye?

Can an alien society believe that their star system is the universe?

Redirect to div in page with #

why is Nikon 1.4g better when Nikon 1.8g is sharper?

Withdrew £2800, but only £2000 shows as withdrawn on online banking; what are my obligations?

Is it fair for a professor to grade us on the possession of past papers?

How do I use the new nonlinear finite element in Mathematica 12 for this equation?

Are there mentions in Hinduism about instruments which allows one to know others thoughts and influence them? And is it sinful?



Spam email “via” my domain, but SPF record exists



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Why set up DMARC for SPF if it's already set up for DKIM?Best email SPF practice for dispersed users?Security of SPF vs SPF and DKIM in emailAre high levels of email spam normal?What does a failed SPF record tell me from a DMARC Aggregate report?Email SPF record integritySPF and DKIM passes for SPAM message when using SES and Google MailDMARC and SPF are setup for my non-www domain but doesn't work for wwwCan SPF be bypassed by using a shared email server?Is it safe to add IP address to SPF recordDoes it make sense to check SPF Record if a majority of customers don't abide their own Records?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








9















I just got an email from some random person's name "via" info@mydomain.com, although info@mydomain.com is just a distribution group within G Suite.



We have an up-to-date SPF record added from Google, and I'm not quite sure what or how another person is able to send an email via my domain.



Here are some references from the message source, without giving any specific information to my domain or the receipients:



Date: Mon, 01 Apr 2019 23:41:44 -0500
Subject: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
From: 'Random Person' via Info <info@mydomain.com>
<snipped>
Message-ID: <186271992.14957742.1554180104822@mail.yahoo.com>
Thread-Topic: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
Thread-Index: AWY0NTc5UrmPA22gl2edULFwYvLC7TIwMTU5
References: <186271992.14957742.1554180104822.ref@mail.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative;
 boundary="B_3637013229_1574776269"


All of our users have 2FA enabled, although I don't think that's relevant here. This is clearly a spoofed emailed as info@mydomain.com is not a registered account within the domain (just verified it).



Any ideas how this may have happened and how to prevent it?



Also, this message doesn't seem to contain any valuable information other than it was potentially leveraging Yahoo to send email on "behalf" of my domain, which I'm not quite sure how that worked.






spoofing spf







share|improve this question



















  • 9





    You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

    – schroeder
    Apr 2 at 6:44






  • 2





    Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

    – LewlSauce
    Apr 2 at 6:45







  • 1





    You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

    – schroeder
    Apr 2 at 6:45






  • 1





    No images of text please. What you originally had was perfect.

    – schroeder
    Apr 2 at 6:53






  • 1





    @Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

    – LewlSauce
    Apr 2 at 17:50

















9















I just got an email from some random person's name "via" info@mydomain.com, although info@mydomain.com is just a distribution group within G Suite.



We have an up-to-date SPF record added from Google, and I'm not quite sure what or how another person is able to send an email via my domain.



Here are some references from the message source, without giving any specific information to my domain or the receipients:



Date: Mon, 01 Apr 2019 23:41:44 -0500
Subject: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
From: 'Random Person' via Info <info@mydomain.com>
<snipped>
Message-ID: <186271992.14957742.1554180104822@mail.yahoo.com>
Thread-Topic: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
Thread-Index: AWY0NTc5UrmPA22gl2edULFwYvLC7TIwMTU5
References: <186271992.14957742.1554180104822.ref@mail.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative;
 boundary="B_3637013229_1574776269"


All of our users have 2FA enabled, although I don't think that's relevant here. This is clearly a spoofed emailed as info@mydomain.com is not a registered account within the domain (just verified it).



Any ideas how this may have happened and how to prevent it?



Also, this message doesn't seem to contain any valuable information other than it was potentially leveraging Yahoo to send email on "behalf" of my domain, which I'm not quite sure how that worked.






spoofing spf







share|improve this question



















  • 9





    You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

    – schroeder
    Apr 2 at 6:44






  • 2





    Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

    – LewlSauce
    Apr 2 at 6:45







  • 1





    You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

    – schroeder
    Apr 2 at 6:45






  • 1





    No images of text please. What you originally had was perfect.

    – schroeder
    Apr 2 at 6:53






  • 1





    @Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

    – LewlSauce
    Apr 2 at 17:50













9












9








9


2






I just got an email from some random person's name "via" info@mydomain.com, although info@mydomain.com is just a distribution group within G Suite.



We have an up-to-date SPF record added from Google, and I'm not quite sure what or how another person is able to send an email via my domain.



Here are some references from the message source, without giving any specific information to my domain or the receipients:



Date: Mon, 01 Apr 2019 23:41:44 -0500
Subject: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
From: 'Random Person' via Info <info@mydomain.com>
<snipped>
Message-ID: <186271992.14957742.1554180104822@mail.yahoo.com>
Thread-Topic: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
Thread-Index: AWY0NTc5UrmPA22gl2edULFwYvLC7TIwMTU5
References: <186271992.14957742.1554180104822.ref@mail.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative;
 boundary="B_3637013229_1574776269"


All of our users have 2FA enabled, although I don't think that's relevant here. This is clearly a spoofed emailed as info@mydomain.com is not a registered account within the domain (just verified it).



Any ideas how this may have happened and how to prevent it?



Also, this message doesn't seem to contain any valuable information other than it was potentially leveraging Yahoo to send email on "behalf" of my domain, which I'm not quite sure how that worked.






spoofing spf







share|improve this question
















I just got an email from some random person's name "via" info@mydomain.com, although info@mydomain.com is just a distribution group within G Suite.



We have an up-to-date SPF record added from Google, and I'm not quite sure what or how another person is able to send an email via my domain.



Here are some references from the message source, without giving any specific information to my domain or the receipients:



Date: Mon, 01 Apr 2019 23:41:44 -0500
Subject: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
From: 'Random Person' via Info <info@mydomain.com>
<snipped>
Message-ID: <186271992.14957742.1554180104822@mail.yahoo.com>
Thread-Topic: Mass Shootings orchestrated to pass gun control for the Federal
 Reserve Shareholders planned U.S. Holocaust- How can your industry help?
Thread-Index: AWY0NTc5UrmPA22gl2edULFwYvLC7TIwMTU5
References: <186271992.14957742.1554180104822.ref@mail.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative;
 boundary="B_3637013229_1574776269"


All of our users have 2FA enabled, although I don't think that's relevant here. This is clearly a spoofed emailed as info@mydomain.com is not a registered account within the domain (just verified it).



Any ideas how this may have happened and how to prevent it?



Also, this message doesn't seem to contain any valuable information other than it was potentially leveraging Yahoo to send email on "behalf" of my domain, which I'm not quite sure how that worked.






spoofing spf




spoofing spf






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 2 at 7:00







LewlSauce

















asked Apr 2 at 6:38









LewlSauceLewlSauce

14815




14815







  • 9





    You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

    – schroeder
    Apr 2 at 6:44






  • 2





    Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

    – LewlSauce
    Apr 2 at 6:45







  • 1





    You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

    – schroeder
    Apr 2 at 6:45






  • 1





    No images of text please. What you originally had was perfect.

    – schroeder
    Apr 2 at 6:53






  • 1





    @Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

    – LewlSauce
    Apr 2 at 17:50












  • 9





    You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

    – schroeder
    Apr 2 at 6:44






  • 2





    Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

    – LewlSauce
    Apr 2 at 6:45







  • 1





    You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

    – schroeder
    Apr 2 at 6:45






  • 1





    No images of text please. What you originally had was perfect.

    – schroeder
    Apr 2 at 6:53






  • 1





    @Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

    – LewlSauce
    Apr 2 at 17:50







9




9





You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

– schroeder
Apr 2 at 6:44





You snipped out every single piece of the header that would help to figure this out. What did the SPF part of the header say? What were all the "from" addresses?

– schroeder
Apr 2 at 6:44




2




2





Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

– LewlSauce
Apr 2 at 6:45






Actually, and this surprised me too, this is all of the email content except for the "To" recipients. Everything underneath "boundary=" is the body of the email which contains the long paragraphs of text. It doesn't make sense to me either and I've personally investigated message headers for other resources. This got me a little stumped.

– LewlSauce
Apr 2 at 6:45





1




1





You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

– schroeder
Apr 2 at 6:45





You seem to contradict yourself: "info@mydomain.com is just a distribution group within G Suite" and "info@mydomain.com is not a registered account within the domain". Can you explain?

– schroeder
Apr 2 at 6:45




1




1





No images of text please. What you originally had was perfect.

– schroeder
Apr 2 at 6:53





No images of text please. What you originally had was perfect.

– schroeder
Apr 2 at 6:53




1




1





@Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

– LewlSauce
Apr 2 at 17:50





@Kevin Nope, no messages show up in the google groups interface. It only shows up in the G Suite @mydomain.com inbox. I remember trying to find a way to disable messages from posting there (like a forum) awhile ago too, so perhaps that may be why.

– LewlSauce
Apr 2 at 17:50










3 Answers
3






active

oldest

votes


















16














Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    Apr 2 at 6:54











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    Apr 2 at 6:56











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    Apr 2 at 6:57






  • 2





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    Apr 2 at 7:08







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    Apr 2 at 19:01


















7














Just having a SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There are no information in your question of what the SMTP envelope was (usually shown as Return-Path field in the mail header) but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to setup DMARC.



And even if both SPF and DMARC are setup the recipient of the mail would actually need to check this. While many check SPF most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.






share|improve this answer























  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    Apr 2 at 9:49


















2














Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






share|improve this answer























  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    Apr 2 at 13:35











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206601%2fspam-email-via-my-domain-but-spf-record-exists%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









16














Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    Apr 2 at 6:54











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    Apr 2 at 6:56











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    Apr 2 at 6:57






  • 2





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    Apr 2 at 7:08







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    Apr 2 at 19:01















16














Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer























  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    Apr 2 at 6:54











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    Apr 2 at 6:56











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    Apr 2 at 6:57






  • 2





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    Apr 2 at 7:08







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    Apr 2 at 19:01













16












16








16







Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.






share|improve this answer













Having an SPF record in your DNS records helps the recipient know which email server is legtimiate for your domain. The recipient looks up the sending domain for the valid server IPs and then decides what to do with the email.



  1. If the sending IP is on the list, then the email is likely OK.


  2. If the sending IP is not on the list, then it should be treated suspiciously.


This checking logic requires that the receiving email server is configured to check for SPF records. If you are not checking for SPF records, then the entire SPF checking process is not done.



If your email headers do not include the SPF fields, then your email server is not set up to check for SPF and it is not protecting your company in this way.



You need to look up your email service documentation to figure out how to turn on SPF checking.







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 2 at 6:50









schroederschroeder

79.4k30176213




79.4k30176213












  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    Apr 2 at 6:54











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    Apr 2 at 6:56











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    Apr 2 at 6:57






  • 2





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    Apr 2 at 7:08







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    Apr 2 at 19:01

















  • Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

    – LewlSauce
    Apr 2 at 6:54











  • Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

    – schroeder
    Apr 2 at 6:56











  • SPF, DMARC, DKIM protect you from more than just spam.

    – schroeder
    Apr 2 at 6:57






  • 2





    Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

    – schroeder
    Apr 2 at 7:08







  • 1





    @schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

    – MadHatter
    Apr 2 at 19:01
















Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

– LewlSauce
Apr 2 at 6:54





Gotcha. Sounds great. I'm using G Suite and will look up additional information. I sincerely appreciate your help. So from what it sounds like, there's technically no way to prevent someone from spoofing your domain; only ways to ensure checks are in place so that recipients can validate whether or not it's spam (aka SPF and DMARC) records. Is that correct?

– LewlSauce
Apr 2 at 6:54













Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

– schroeder
Apr 2 at 6:56





Don't think of it as "spam" but as an illegitimate sender. SPF records list what you define as a legitimate sender. Recipient email servers perform a "lookup" when it receives an email to see if the sending IP is a legitimate sender for your domain (that's why the list is in DNS).

– schroeder
Apr 2 at 6:56













SPF, DMARC, DKIM protect you from more than just spam.

– schroeder
Apr 2 at 6:57





SPF, DMARC, DKIM protect you from more than just spam.

– schroeder
Apr 2 at 6:57




2




2





Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

– schroeder
Apr 2 at 7:08






Anyone can spoof the "From" address. And there are/were lots of valid reason for this. SPF/DMARC prevents abuse of this feature.

– schroeder
Apr 2 at 7:08





1




1





@schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

– MadHatter
Apr 2 at 19:01





@schroeder from which I take it that you don't regard RFC-compliant mailing lists as a valid use of header-From "spoofing"?

– MadHatter
Apr 2 at 19:01













7














Just having a SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There are no information in your question of what the SMTP envelope was (usually shown as Return-Path field in the mail header) but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to setup DMARC.



And even if both SPF and DMARC are setup the recipient of the mail would actually need to check this. While many check SPF most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.






share|improve this answer























  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    Apr 2 at 9:49















7














Just having a SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There are no information in your question of what the SMTP envelope was (usually shown as Return-Path field in the mail header) but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to setup DMARC.



And even if both SPF and DMARC are setup the recipient of the mail would actually need to check this. While many check SPF most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.






share|improve this answer























  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    Apr 2 at 9:49













7












7








7







Just having a SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There are no information in your question of what the SMTP envelope was (usually shown as Return-Path field in the mail header) but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to setup DMARC.



And even if both SPF and DMARC are setup the recipient of the mail would actually need to check this. While many check SPF most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.






share|improve this answer













Just having a SPF record does not mean that nobody is able to use your email address as the claimed recipient for spoofed messages.



First, SPF only cares about the SMTP envelope and not about the From field in the mail header. It is no problem to send a mail where both are different. There are no information in your question of what the SMTP envelope was (usually shown as Return-Path field in the mail header) but it is actually common that both are different when spoofing mails. To care about the From you would additionally need to setup DMARC.



And even if both SPF and DMARC are setup the recipient of the mail would actually need to check this. While many check SPF most don't check DMARC.



For more information see also Why set up DMARC for SPF if it's already set up for DKIM?.







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 2 at 6:52









Steffen UllrichSteffen Ullrich

121k16209277




121k16209277












  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    Apr 2 at 9:49

















  • The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

    – Calimo
    Apr 2 at 9:49
















The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

– Calimo
Apr 2 at 9:49





The OP is using G suite which checks SPF records. This answer sounds like far more likely to be correct than the accepted answer.

– Calimo
Apr 2 at 9:49











2














Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






share|improve this answer























  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    Apr 2 at 13:35















2














Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






share|improve this answer























  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    Apr 2 at 13:35













2












2








2







Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.






share|improve this answer













Actually the SPF record only tells which server(s) legitimate mails using your domain may come from - and we're talking envelope information (SMTP/RFC2821) here, not the From line inside the mails (RFC2822).



Inside your mail program you'll normally only see the mail content (RFC2822), so a mail using your domain in the From line may actually have been sent using a different envelope sender and you'll only be able to see that if you look at the headers where a line like 'X-Apparently-From' would reveal the sender used to deliver the mail.



Also, if one of the servers specified in your SPF is compromised, mails using your domain can be sent through it quite legitimately.







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 2 at 8:39









P. GoetterupP. Goetterup

1211




1211












  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    Apr 2 at 13:35

















  • Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

    – LewlSauce
    Apr 2 at 13:35
















Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

– LewlSauce
Apr 2 at 13:35





Thanks. Based on the email headers, it looks like the email was sent from Yahoo, which makes no sense to me.

– LewlSauce
Apr 2 at 13:35

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206601%2fspam-email-via-my-domain-but-spf-record-exists%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Adding axes to figuresAdding axes labels to LaTeX figuresLaTeX equivalent of ConTeXt buffersRotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?TikZ scaling graphic and adjust node position and keep font sizeNumerical conditional within tikz keys?adding axes to shapesAlign axes across subfiguresAdding figures with a certain orderLine up nested tikz enviroments or how to get rid of themAdding axes labels to LaTeX figures

Image
Fear of getting stuck on one programming language / technology that is not used in my country Is there a single word describing earning money through any means? Why do we read the Megillah by night and by day? Pre-mixing cryogenic fuels and using only one fuel tank Is the U.S. Code copyrighted by the Government? Should I outline or discovery write my stories? What is this called? Old film camera viewer? Does the expansion of the universe explain why the universe doesn't collapse? Removing files under particular conditions (number of files, file age) Argument list too long when zipping large list of certain files in a folder When a Cleric spontaneously casts a Cure Light Wounds spell, will a Pearl of Power recover the original spell or Cure Light Wounds? Non-trope happy ending? Is it better practice to read straight from sheet music rather than memorize it? Do Legal Documents Require Signing In Standard Pen Colors? Does an advisor owe his/her student anyt
Read more

Luettelo Yhdysvaltain laivaston lentotukialuksista Lähteet | Navigointivalikko

Image
Yhdysvaltain lentotukialuksetLuettelot YhdysvalloistaLuettelot laivoista Yhdysvaltain laivastonlentotukialuksetsaattuetukialuksetluettelossa Tämä on luettelo Yhdysvaltain laivaston lentotukialuksista , jossa on lueteltuna luokitukseltaan CV-, CVA-, CVB-, CVL- ja CVN-tyyppiset Yhdysvaltain laivaston lentotukialukset. Pienemmät saattuetukialukset on listattu erillisessä luettelossa. USS Enterprise (CV-6) USS Langley (CV-1), 1920, vaurioitui ilmahyökkäyksessä, upotettu 1942 Lexington-luokka [1] USS Lexington (CV-2), 1925, vaurioitui ilmahyökkäyksessä, upotettu 1942 USS Saratoga (CV-3), 1925, upotettu atomipommitestissä 1946 USS Ranger (CV-4), 1933, ensimmäinen alun alkaen lentotukialukseksi rakennettu Yhdysvaltain laivaston alus, poistettu käytöstä 1946 [2] Yorktown-luokka [3] USS Yorktown (CV-5), 1936, upposi Midwayn taistelun seurauksena 1942 USS Enterprise (CV-6), 1936, poistettu käytöstä 1947 USS Hornet (CV-8), 1940, japanilaisten upottama 1942 USS Wasp (CV-7), 1939, sukell
Read more

Gary (muusikko) Sisällysluettelo Historia | Rockin' High | Lähteet | Aiheesta muualla | NavigointivalikkoInfobox OKTuomas "Gary" Keskinen Ancaran kitaristiksiProjekti Rockin' High

Image
Suomalaiset kitaristitSuomalaiset rockmuusikotVuonna 1980 syntyneet 18. syyskuuta1980LappajärvenTechnicolourNegativenAncaranJimmy WesterlundinUnirecordsinTechnicolourMondayNegativen Tuomas Keskinen Henkilötiedot Syntynyt 18. syyskuuta 1980 (ikä 38) Ammatti muusikko tuottaja säveltäjä Muusikko Taiteilijanimet Gary Tyylilajit rock Soittimet kitara Yhtyeet Technicolour Monday Ancara Negative Levy-yhtiöt EMI Warner Infobox OK Tuomas Mikael ”Gary” Keskinen (s. 18. syyskuuta 1980) on suomalainen kitaristi ja toimii nykyisin muusikkona freelancerina, sekä omassa Forte Silence yhtyeessä. Hänelle myönnettiin Lappajärven kulttuuripalkinto itsenäisyyspäivänä 2006. Keskinen soitti kitaraa myös Technicolour-yhtyeessä. Kevään ja kesän 2008 Keskinen toimi rockyhtye Negativen keikkakitaristina ja 2009 alusta lähtien Ancaran kitaristina. Ancara yhtyeessä Gary lopetti vuonna 2016. [1] . Gary omisti oman levy-yhtiön (Scandal Music Company), jonka artisteihin kuuluvat muun muassa Suomen eturivin Idols
Read more