Apart from SPF, what else can be done to stop hackers from spoofing your company's email addresses?
3 Answers
Set up DomainKeys Identified Mail (DKIM) on your own domain. That will digitally sign legitimate outgoing mail from your domain. More and more email providers are rejecting or flagging spoofed email where legitimate email is identified with a DomainKeys signature.
Your question says, "apart from SPF..." and that's what I answered. However, for others who might use this answer, SPF is another deterrent. It is easy to set up, but has some limitations that should be considered carefully. You probably want to start with a SOFTFAIL policy.
It might be time to also add DMARC. This is the highest voted question on this topic on this site. – schroeder Jun 11 '19 at 14:48
There isn't a way to stop email from being spoofed. Anyone can spoof an email. The trick is adjusting your spam filtering to identify spoofed emails. It also depends how email is being spoofed.
- Spoofed email without authentication - Require authentication before allowing users to send email. Then adjust your spam filter to flag emails sent anonymously so they're delivered to the "Spam" folder. This should provide a sufficient indication to your users to proceed with caution.
- Spoofed email from an authenticated user - This would indicate an account compromise and should be looked into immediately.
An alternative to adjusting spam filtering would be to use S/MIME to sign emails. Taking it a step further would be educating users on how to verify S/MIME certificates. The downside of this technique is that it would be administratively heavy. Each user would need to obtain a certificate and have it available in every email client (including browsers when using web access). So, to start, S/MIME could be used when sending "official" company emails such as those coming from Human Resources and/or Payroll. As your company becomes familiar with this approach, roll it out to the rest of your users.
Education, to ensure that all email users worldwide understand that the From: header can't be relied upon.
The average user doesn't know what headers are, much less that they can be spoofed. The average user won't take the time to learn what headers are, because they're largely irrelevant to their daily experience of reading jokes and viewing family photos. It's hard to educate the masses when they see no practical use of the knowledge. It is up to us to protect those users. – phyrfox Nov 23 '14 at 05:15