5

I recently registered a domain name, and set up an email account tied to it with Zoho mail. I'm concerned about making sure all emails from this domain are signed to prevent spoofing.

I've enabled SPF and DKIM on Zoho and my domain, but is this enough? For example, here's a phishing email I received which is successfully spoofed with signature:


I'm confused by a couple of things:

  • How is it that the "to" address is the same as the "from" address?
  • How is it that the message is signed by outlook.com?

How can I protect this from happening on my own domain, and how can I try sending testing-spoofs to check its security?

P.S.

I've attempted using telnet to send emails from my domain, but I receive a 553 Relaying disallowed error in reply to my RCPT TO message. The same thing happens when testing mx.zoho.com with the mxtoolbox SMTP diagnostics.


Related: Can I spoof email?

Myridium
  • 156
  • 1
  • 8
  • Anyone can register an Outlook address (and chances are verificationsecurity004132013@outlook.com wasn't taken when the phishers wanted it, or they could have just used ...2014) As long as they've registered the address and are using the Outlook servers, the email will be signed by Outlook (it's sent by Outlook after all). If you don't allow users to sign up for any address, you don't have that risk. – user2313067 Mar 22 '17 at 06:30
  • @user2313067 - D'oh! Of course! They signed up for accounts legitimately... well, I'd still like to know how to protect my own domain from spoofing. – Myridium Mar 22 '17 at 06:33

2 Answers

2

You could go beyond SPF - add DKIM to the mix, and you can use DMARC, which will not only prevent spoofed emails, but also allow you to receive reports of them.

SPF basically lets you list your legitimate servers, and DKIM signs emails to attest to their validity. DMARC then allows you to define how receivers should deal with email that fails SPF or DKIM tests, and how they can send you reports.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
0

Maybe take a look into SPF records? Some registrars do not support it, so be prepared for that. If spoofed emails are internal then this won't really help.

Mainly this will protect you from people spoofing your domain. i.e. pretending to be someguy@yourdomain.TLD

Kevin
  • 13
  • 5