
We have websites hosted on AWS, are using SES to send out mailings, and use Google Mail for sending and receiving company mail.

Every so often I receive spam emails in my Priority Inbox in Google because they are marked as coming from our domain with both SPF and DKIM pass, even though they were sent by a spammer from another server.

Here are some sample headers: https://pastebin.com/JjvYSq0A

I believe this may be happening because we are using both SES and Google Mail and have designated both as trusted sources for e-mail.

I guess I'm wondering whether there is any way to keep spoofed messages from being signed as from us. We've had this problem for a while.

Jordan Reiter
  • Yes, this can be fixed, but it all comes down to how you configured your SPF and DKIM. My guess is that you allowed all of Google and SES to be authorised senders. The fix is to limit the scope. But you would need to post your configs for me to verify this. – schroeder Nov 12 '17 at 16:03

2 Answers


From the header you posted, "WEBSITE-DOMAIN.org" is your domain, correct? If so, then this spammer is spoofing the header from address. You can prevent header from spoofing with DMARC.

DMARC confirms that the header from address domain is "in alignment" with either the MAIL FROM domain or the DKIM signing domain. "Alignment" means that either the domains match exactly (strict mode) or it's a subdomain of the header from address domain (relaxed mode).

Implementing DMARC can be a little complicated depending on your specific configuration, and it's easy to accidentally block your own legitimate email if not done correctly. The details will vary, but here's the basic process:

  1. Create a list of all legitimate sources of email from your domain. You mentioned SES and GSuite, but there may be others you don't know about (from shadow IT, for instance).
  2. Create a DMARC DNS record, making sure to set the policy to monitor mode ("none")
  3. Configure all known legitimate email sources to use your domain/subdomain for DKIM signing or use your domain/subdomain for MAIL FROM (preferably both, but not necessary), adding/modifying SPF and DKIM records as appropriate. Most mainstream email services accommodate this, including SES and GSuite, but unfortunately some still don't.
  4. You'll start receiving aggregate DMARC reports at the email address specified in your DMARC record. Review these for at least a few weeks to make sure you haven't overlooked a source of legitimate email from your domain. Also review the headers from emails sent by your company to confirm that they're passing DMARC. Check the headers from as many different receiving services as possible, because they don't all handle DMARC the same way (especially if automatic email forwarding is involved).
  5. When you're sure all of your domain's legitimate emails are passing DMARC, change the DMARC policy specified in the DNS record to "quarantine" or "reject".
Sequoyah
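To make the alignment rule in the answer above concrete, here is a small added example (not code from the answer, from Google, or from AWS) that does what a receiving mail server's DMARC check does: it takes the header From domain, the SPF result with its MAIL FROM domain, the DKIM result with its signing domain (`d=`), and the domain's DMARC record, and decides whether the message is aligned and which policy applies. The domain names, the DMARC records and the authentication results below are constructed for the example; `WEBSITE-DOMAIN.org` is the placeholder used in the pasted headers, and `spammer-relay.example` stands in for whatever domain the spammer's own SPF and DKIM identities used. The organizational-domain helper is a deliberate simplification (it takes the last two labels) where a real verifier consults the Public Suffix List.

```python
"""Added example: DMARC identifier alignment, RFC 7489 style.

Illustrative code written for this answer; not part of any library or of the
original question. All records, results and domain names are constructed.
"""
from email.utils import parseaddr


def header_from_domain(from_header: str) -> str:
    """Domain part of the RFC 5322 From header, e.g. 'WEBSITE-DOMAIN.org'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("From header has no address: %r" % from_header)
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    ASSUMPTION for this example only: a real verifier uses the Public Suffix
    List so that 'example.co.uk' is not collapsed to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}  # relaxed alignment, monitor
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record: %r" % record)
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, record, spf_result, mail_from_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, action_to_apply) for one message.

    A message passes DMARC only if at least one of SPF or DKIM both passed
    *and* is aligned with the header From domain. This is exactly the check
    that a spoofed message with SPF/DKIM pass for the spammer's own domains
    fails.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Subdomain policy ('sp') applies when the From domain is a subdomain.
    action = policy["p"]
    if from_domain.lower().rstrip(".") != org_domain(from_domain) and "sp" in policy:
        action = policy["sp"]
    return "fail", action


# Constructed DMARC records for the two phases described in the answer.
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@website-domain.org"
RECORD_ENFORCE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@website-domain.org"


def demo() -> dict:
    """Run the three constructed cases and return their outcomes."""
    victim = header_from_domain('"Support" <noreply@WEBSITE-DOMAIN.org>')
    # Spammer: SPF and DKIM both pass, but for spammer-relay.example (constructed).
    spoofed_monitor = evaluate_dmarc(victim, RECORD_MONITOR,
                                     "pass", "spammer-relay.example",
                                     "pass", "spammer-relay.example")
    spoofed_enforce = evaluate_dmarc(victim, RECORD_ENFORCE,
                                     "pass", "spammer-relay.example",
                                     "pass", "spammer-relay.example")
    # Legitimate SES-style mail: custom MAIL FROM on a subdomain (relaxed
    # alignment) plus DKIM signed by the domain itself (constructed).
    legit = evaluate_dmarc(victim, RECORD_ENFORCE,
                           "pass", "bounce.website-domain.org",
                           "pass", "website-domain.org")
    return {"spoofed_monitor": spoofed_monitor,
            "spoofed_enforce": spoofed_enforce,
            "legit_ses": legit}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-16s dmarc=%s action=%s" % (name, *outcome))
```

Note what the spoofed case shows: SPF and DKIM can both legitimately pass because the spammer controls the Return-Path domain and the DKIM signing domain, which is why the message reached the inbox; only DMARC ties those identities back to the visible From domain. In monitor mode (`p=none`) the failure is merely reported, which is what step 4 of the answer relies on before switching to `quarantine` or `reject`.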

That certainly appears to be the case.

Unfortunately I don't know enough about Google mail and SES to say if it can be improved upon, I would contact the support for both of them to find out. On Office 365 that certainly isn't a problem since you get your own Exchange service.

Julian Knight