Score:-1

Prevent spoofing - SPF, DKIM, DMARC in place


I am just a developer handling this issue for our small organization, so apologies in advance if I have missed anything obvious.

We use Rackspace Cloud as our email provider. Our emails started going to spam folders for our customers in recent weeks. We raised the issue with Rackspace and found that we did not have a DMARC record, which we added about a week ago (SPF and DKIM were added a long time ago). On inspecting email logs from Rackspace, we found that one of the distribution lists was showing as the sender of thousands of spam emails (clearly spoofed) from our domain. Hundreds of different IP addresses were being used. We deleted that DL about 10 days ago. We still see the (now non-existent) DL as sender of spam emails. This is causing our domain to be marked as suspicious by major email providers such as gmail. Many of our customers use gmail as their email provider and this is causing a huge business impact for us. Rackspace customer support has been terrible and utterly unhelpful, but I would rather not get into it here.

I have searched extensively for this issue and I cannot find any suggestions beyond the standard SPF, DKIM, DMARC records. So my questions are:

  1. How is it that a non-existent DL is considered a valid sender and passes all the checks that (I hope) the mail server performs before sending an email?
  2. Is there anything specific I could ask Rackspace to do for us, as they have no clue how to fix this?
  3. As the last resort, is switching to a different email provider (we are considering Office 365) likely to fix this problem?

Any insight into understanding the issue and getting closer to a solution is appreciated!

Paul avatar
cn flag
Do you mean that you currently have unauthorized messages passing tests for your domain?
cn flag
@paul yes that is what it looks like from my limited knowledge
Paul avatar
cn flag
Is it possible to provide the mail headers of a spoofed message? Maybe you have an email address that was on that list?
cn flag
@Paul Unfortunately not. Most recipients are gmail, yahoo, and outlook. There are thousands being sent every day. I scanned through recipient email addresses and they appear quite random. Is there any other way to obtain these headers?
Score:3

Unfortunately, there is nothing you can do about spammers spoofing your domain.

The mechanisms you mentioned (SPF, DKIM, and DMARC) are all used to assist the receiving servers in determining if the message is being received from a legitimate source or not.

What should happen is that the servers see the spoofed email is not legitimate and discard or quarantine it, while they see the messages from your servers are legitimate.

Without actually being able to review the configuration, it's impossible to say if you have it set up properly. But it really looks like you do not have it set up properly, as either legitimate email is not passing the checks, or illegitimate email is. You may want to maintain your privacy, but I'm not sure there is any other way to assist without seeing the config and knowing a little bit more detail about your hosting provider's email servers.

cn flag
Thank you for the reply. Can you please elaborate which aspects of the configuration you are referring to? I could probably look up more info on those so I could check them myself
cn flag
Your answer makes me think that this is something Rackspace should know how to handle, but they don't. Do you know if switching email providers will fix this?
Appleoddity avatar
ng flag
@Apeksha it just comes down to making sure you know the source IP of every authorized email server, making sure those servers are properly signing the email (DKIM) and that the SPF, DKIM, and DMARC records are configured properly. It sounds like your records may not be correct. But without being able to see them it’s hard to say. Rackspace should be able to provide the info needed to build an SPF record and should provide a key for a DKIM record. Additionally, reviewing the headers of a junked email (recipient side) would provide further insight into why.
cn flag
Thank you, I will recreate the SPF and DKIM records just to be sure. I am not sure how to obtain headers of one of these junk emails as the recipients are random email addresses, mostly for gmail, yahoo, and outlook.
Appleoddity avatar
ng flag
@Apeksha you can ask one of your recipients to save the email and send it to you as an attachment.
cn flag
It will be tricky to do... to contact someone random on the internet to do that for us. Our email with such a request would go to spam for them in the first place, I believe.
Appleoddity avatar
ng flag
@Apeksha your response raises some questions. If these are random people you are contacting, this suggests you yourself are either sending bulk mail or spam. And how do you know it is going to spam if you’re not in contact with these people? FYI, if you are sending bulk or unsolicited email, all bets are off. There are very specific guidelines you’ll need to follow, and those vary from provider to provider (Gmail, Office 365, etc.) and those providers will aggressively filter your email into users’ junk folders regardless of your domain records, and for good reason.
cn flag
Sorry for the confusion. We are not contacting random people. When you asked for headers of a "junked" email, I interpreted it as headers from an email that was spoofed using this non-existent mailbox of our domain. We have obtained headers from the legitimate emails we have sent to our customers and haven't found anything suspicious there (as per Rackspace). They were sent to spam by Gmail because they marked our domain as suspicious, which in turn happened because of the large amount of spam sent by the spoofers. Please let me know if I can clarify further.
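
The header review suggested in the comments above can be scripted. This is an added example, not part of any post in this thread: it reads the `Authentication-Results` header a receiving server stamps on a message and works out whether SPF or DKIM passed with a domain aligned to the `From:` address, which is what DMARC requires. The function names and sample messages are constructed for illustration, and `org_domain` is a simplification (real evaluators use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, {property: value})] from one Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", "", value or "")   # drop parenthesised comments
    rows = []
    for clause in value.split(";")[1:]:             # element 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", m.group(3)))
            rows.append((m.group(1).lower(), m.group(2).lower(), props))
    return rows

def dmarc_verdict(raw_message):
    """DMARC passes when SPF or DKIM passes AND its domain aligns with the From: domain."""
    msg = message_from_string(raw_message)
    want = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(msg["Authentication-Results"]):
        if result != "pass":
            continue
        if method == "spf":
            mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf_ok = spf_ok or org_domain(mailfrom) == want
        elif method == "dkim":
            dkim_ok = dkim_ok or org_domain(props.get("header.d", "")) == want
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

def sample(auth):
    # Constructed message; only the headers matter for this check.
    return ("From: Sales <list@example.com>\n"
            "Authentication-Results: mx.receiver.example;\n " + auth + "\n"
            "Subject: constructed sample\n\nbody\n")

LEGIT = sample("spf=pass smtp.mailfrom=list@example.com; dkim=pass header.d=example.com")
UNSIGNED = sample("spf=fail (sender IP not permitted) smtp.mailfrom=list@example.com; dkim=none")
SIGNED_BAD_IP = sample("spf=fail smtp.mailfrom=list@example.com; dkim=pass header.d=example.com")
UNALIGNED = sample("spf=pass smtp.mailfrom=bounce@other.example; dkim=none")

if __name__ == "__main__":
    for name in ("LEGIT", "UNSIGNED", "SIGNED_BAD_IP", "UNALIGNED"):
        print(name, dmarc_verdict(globals()[name]))
```

The `SIGNED_BAD_IP` case is the one to look for in real headers: SPF fails because the sending IP is not authorized, yet DMARC still passes because an aligned DKIM signature verified.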
Score:0

Regenerating the DKIM key and applying it on our DNS ultimately stopped the spam. It still took a few weeks for Google to stop marking our email as spam.

Oh, and Rackspace support sucks!
