What is email spoofing?
Email spoofing is the forging of a sender's address in order to impersonate them. To the recipient, a spoofed email appears to come from the genuine sender, which makes them more likely to open it.
Spoofed emails may have the same email address in the "From" and "To" fields to convince users that their mailbox has been compromised.
If your email account is being spoofed, it does not mean the spoofer has gained access to your mailbox — it only means that your address has been faked.
The message actually originates from a spammer's email account and is sent from the spammer's mail server.
Spoofed mailbox indications
There are two main red flags that can indicate that your email address is being spoofed:
- You receive bounce-backs of emails that you didn’t send. They might arrive in your inbox, but sometimes, they may be delivered to your Spam folder.
- You receive replies to emails that say they were sent from your email address that you didn’t send (you won’t find the original messages in your “Sent” folder).
Usually, bounce-backs like this include a reason, such as not passing the sender's policy (SPF/DKIM/DMARC failure). In other cases, the emails may have been recognized as spam, or not accepted because the “recipient's mailbox does not exist”.
How to recognize spoofing emails
To confirm that your email address is being spoofed, analyze the email headers of any replies or bounce-backs you receive.
Email headers (also called the email message source, Internet headers, etc.) contain information about where, when, and how the message was sent and transmitted to the recipient.
You can use this information to determine where a message originated, why it was rejected, and how it reached your inbox.
Our User-friendly guide to email headers can help you understand them. You can also contact our Support Team for more help.
Steps to take when your mailbox is being spoofed
First of all, you should understand that when a mailbox is spoofed, it does not mean that it is compromised (or that someone gained access to your emails).
Unfortunately, it is not possible to stop offenders from trying to forge email addresses using external SMTP servers. But you can prevent consequences from such attempts by ensuring that emails with your forged email address do not reach the recipients.
Configure DNS records
To ensure that no one will receive emails with your forged email address in the "From" field (that you didn’t send), you can set up a strict SPF record for your domain. That way, if the attacker sends an email again, it will be rejected by the recipient's mail server, and they will not get it.
To do this, locate your SPF record (which is usually located with your email provider). In the ‘Value’ box, change "~all" to "-all".
For Private Email, a strict SPF record looks like the following.
example.com TXT "v=spf1 include:spf.privateemail.com -all"
Also, you can set up a DMARC record with a reject policy. In this case, if an attacker is trying to forge the "From" field in the email, their emails will be bounced back.
You can use online tools to generate a DMARC record, such as Dmarcian Record Wizard.
A very basic DMARC record with a reject policy looks like this:
_dmarc.example.com TXT "v=DMARC1; p=reject;"
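To check that both records are actually set to the strict values shown above, the following added example (not part of the original article or any provider's tooling) parses the TXT values and reports anything weaker than "-all" and "p=reject". The function names are hypothetical, and the record strings are passed in directly rather than looked up in DNS.

```python
# Added example: audit SPF and DMARC TXT values for the strict settings
# described above. Record strings are supplied by the caller (no DNS lookup).

def spf_all_qualifier(txt):
    """Return the qualifier of the 'all' mechanism: '+', '-', '~', '?' or None."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"          # a bare "all" defaults to the pass qualifier
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]
    return None                 # no "all" term present in the record


def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=reject;' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records are strict."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q != "-":
        found = q + "all" if q else "no 'all' term"
        findings.append("SPF: found %s, expected -all" % found)
    policy = dmarc_tags(dmarc_txt).get("p", "").lower()
    if policy != "reject":
        findings.append("DMARC: found p=%s, expected p=reject" % (policy or "(missing)"))
    return findings


# Constructed sample values based on the example.com records in this article.
SOFT = audit("v=spf1 include:spf.privateemail.com ~all", "v=DMARC1; p=none;")
STRICT = audit("v=spf1 include:spf.privateemail.com -all", "v=DMARC1; p=reject;")

if __name__ == "__main__":
    print("soft-fail setup:", SOFT)
    print("strict setup:  ", STRICT)
```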
Deal with possible bounce-backs
When an email is not delivered, the mail system sends a bounce-back to the email address in the "From" field — that's why you may start getting bounce-backs for such undelivered emails.
A simple solution for stopping the bounce-backs is to set up a mail filter that puts all messages with subjects that contain "Undeliverable", "Mail delivery failed" or "Delivery Status Notification" into a separate folder. That way your Inbox won’t be flooded, and deleting these messages later will be much easier.
Create a folder for such emails and set up a filter rule:
Conditions:
Subject >> Contains >> Undeliverable
Subject >> Contains >> Mail delivery failed
Subject >> Contains >> Delivery Status Notification
(make sure that "Apply rule if any condition is met" is selected at the top)
Actions:
File into >> select the folder in which you wish to keep such emails.
Alternatively, as a temporary solution, you can use the "Discard" action to not receive bounce-backs at all. Be sure to turn this rule off in a week or two; otherwise, it will block all bounce-back messages, and you will be unaware of mail delivery issues in the future.
An end to spoofing
While these steps won’t stop scammers from attempting to forge your email address, they will prevent those spoofed emails from being delivered to recipients. Instead, they’ll be blocked or bounce back, leaving your inbox protected and helping to limit the damage if someone tries to misuse your domain.