Spoofing: What is email and inbound domain spoofing and how do I prevent it?
| Situation | Your domain or email messages are being spoofed through forged domains or other credentials. Your account domain is being spoofed in either the from header or the envelope sender. |
|---|---|
| Solution | Activate Inbound Domain Spoofing Protection on the Essentials console. |
Inbound domain spoofing protection
What is domain spoofing?
Domain spoofing is a common type of phishing scam where an attacker uses a company’s domain to impersonate the business or its employees by attempting to imitate the sending server or sending domain.
What does the inbound domain spoofing rule do?
This rule is designed to quarantine 'external' inbound messages that appear to come from your organization. This option will only assist you when you are using internal delivered mail. If you are using a third party mailing service or expecting to utilize a different relay or mail server in part of your expected mail flow, this option will mark any email that was not delivered internally as Spam/Quarantine due to Inbound Domain Spoofing being enabled.
How to enable
- Navigate to Security Settings> Email > Spam.
- Enable Inbound domain spoofing protection.
Messages in the quarantine should now appear with a new category: Domain Spoofing
Email Spoofing
What Is Email Spoofing?
Email spoofing is the creation of email messages with a forged sender address (such as your own email address). It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN (Local Area Network) or from an external environment.
Why Do People Spoof My Company's Email Addresses And Others?
Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message. For more details and even some history regarding this type of behavior, you can refer to the link below:
https://www.proofpoint.com/us/threat-reference/email-spoofing
How Do I Help Prevent People Spoofing Me Or My Domain?
By adding SPF (Sender Policy Framework) records to your existing DNS information, this will increase the chances that any spoofed email will be detected and is an added security measure, as all incoming emails will have the sender information validated. Adding an SPF record will help dramatically reduce any attempted phishing or spoofed messages from being delivered as this creates a trusted path for your email communications to be verified against.
SPF RECORDS
For our up-to-date SPF Records, smarthost, and IP connection information, refer to this article: connection details
At the time of updating this article (3/31/2021):
SPF Records:
- US1-US5 - "v=spf1 a:dispatch-us.ppe-hosted.com ~all"
- EU1 - "v=spf1 a:dispatch-eu.ppe-hosted.com ~all"
Please Note: Proofpoint Essentials does not block an email outright for the SPF entry. This is because there are a large number of domains that have an incorrect SPF record. We will just increase the overall spam score.
A soft fail (~all) will increase the spam score moderately (which may not quarantine a message dependent on your spam threshold specified) whereas a hard fail (-all) will increase the score aggressively and quarantine the message if triggered.
Troubleshooting
Encountering any issues with spoofing? Check out these articles about some common issues: