Someone is sending spam using my domain name
Let's call my domain name mdn.com for simplicity.
Every day (last 5 days), I am getting bounced mail delivery errors in my spam folder (I have catchall enabled for mdn.com).
The bounced mail is due to spam messages being sent 'supposedly' from [email protected], and all of them are in Japanese (something about iPhone).
So could this cause mdn.com's reputation for email delivery to be affected?
Also, is there any way to 'restrict' this sender from using mdn.com?
I already have SPF and DKIM set up for mdn.com.
Comments
You set up SPF/DKIM records for your domain, and set DMARC policy to reject or quarantine the emails.
You will still receive bounce mails, but it won't affect your relations with the email giants.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
When setting up DMARC, you can use this for free weekly reports: https://dmarc.postmarkapp.com/
Thanks everyone, DMARC now setup and hopefully weekly reports being produced.
Will tighten restrictions after a couple of weeks when I know everything is working.
A mail server sending bounces is unlikely to care about your DMARC records - so I wouldn't expect this to change anything.
Did you check with @imok? He fingers mailers all the time.
Yes
I would also recommend you to add rua (addresses to which aggregate feedback is to be sent) and ruf (addresses to which message-specific failure information is to be reported) in your DMARC record. Configure a separate mailbox for them (ideally something like dmarc-reports@mdn[dot]com). You can later automate parsing of the received reports using parsedmarc.
Check our KVM VPS plans in 🇵🇱 Warsaw, Poland and 🇸🇪 Stockholm, Sweden
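The aggregate (rua) reports mentioned above are XML documents in the RFC 7489 format; parsedmarc does the full job, but the core of what they tell you fits in a few lines. The following is an added example, not code from this thread or from parsedmarc: it summarizes a constructed sample report (the IPs, counts and report id are made up) and lists the source IPs where neither SPF nor DKIM aligned, i.e. the hosts sending mail the domain owner never sent.

```python
"""Summarize a DMARC aggregate (rua) report: which source IPs sent mail
claiming to be from the domain, and whether SPF/DKIM aligned for them.

Added example, not code from the thread or from parsedmarc. The XML below
is a constructed sample in the RFC 7489 aggregate-report format; the IPs,
counts and report id are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: one legitimate source that passes both checks,
# one spoofing source that fails both and gets rejected under p=reject.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-001</report_id>
  </report_metadata>
  <policy_published>
    <domain>mdn.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mdn.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>913</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mdn.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return {source_ip: {count, dkim, spf, disposition}} for each record."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        summary[row.findtext("source_ip")] = {
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
        }
    return summary


def spoofing_sources(summary):
    """IPs where neither SPF nor DKIM aligned: mail the domain owner did not send."""
    return sorted(ip for ip, r in summary.items()
                  if r["dkim"] != "pass" and r["spf"] != "pass")


def published_policy(xml_text):
    """The DMARC policy the receiver saw when it evaluated these messages."""
    return {child.tag: child.text
            for child in ET.fromstring(xml_text).find("policy_published")}


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for ip, r in s.items():
        print(f"{ip:16} {r['count']:6d} msgs  spf={r['spf']} dkim={r['dkim']}"
              f" -> {r['disposition']}")
    print("spoofing sources:", spoofing_sources(s))
```

Run over a real report, the spoofing list is what to watch: a large count against an IP you do not own, with disposition "none", means the receiver saw the spoof but your policy did not tell it to do anything.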
I'd also keep a close eye on blacklists in case your IP has been flagged. Certainly not impossible to get yourself removed but it can sometimes be a bit of a pain. IP reputation for email sending is definitely something you want to try to manage.
I'd also look at rate limiting so that outgoing emails can only happen at a certain speed, e.g. 30 emails per minute (or whatever works for you). This gives you more time to react in case a script or your server has been compromised somehow and it's sending out massive amounts of email.
UK Shared Hosting | 10TB Storage KVM | UK KVM VPS | NAT KVM VPS
Some of those bounced emails could be SPAM as well, as the bounced emails get to skip the spam folder and get delivered to your inbox... I was receiving them as well since I set up my own mail servers. Tweaking the spamassassin settings helped to flag those bounces as spam as well.
Never make the same mistake twice. There are so many new ones to make.
It’s OK if you disagree with me. I can’t force you to be right.
Also, don't forget to put "-" in the SPF record.
See: https://proton.me/blog/what-is-sender-policy-framework-spf
SPF record example
Here’s an example of an SPF record with an explanation of what it means below:
v=spf1 ip4:185.70.40.111 include:_spf.protonmail.ch mx ~all
v=spf1: The SPF version number. Every SPF record must begin with this tag.
ip4: The IP address(es) of the servers authorized to send email from your domain. They can be IPv4 or IPv6 addresses; IPv6 addresses use the tag ip6.
include: Instructs the server to check the SPF records of the additional domain mentioned. In this example, the server would look up _spf.protonmail.ch and add the IP addresses found there to the list of authorized addresses.
mx: Any IP addresses that match the mail servers listed in the MX records of the sending domain. For example, Proton Mail uses mail.protonmail.ch and mailsec.protonmail.ch.
~all: Tells receiving email servers what to do if an email doesn't pass SPF. The three most common all tags are:
~all: Mark the message as suspicious
-all: Reject the message
?all: Receiving email server decides (neutral recommendation)
I also had one domain that was sending spam to the same domain, and I opened a ticket to MXRoute and they told me to do that, so...
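To make the mechanism walk in the SPF explanation above concrete, here is an added example (not code from this thread or from Proton) that evaluates a sender IP against an SPF record the way a receiving MTA does, in simplified RFC 7208 terms: mechanisms are tried left to right and the first match returns its qualifier. DNS answers come from a constructed in-memory table rather than real lookups; the records for _spf.protonmail.ch, strict.example and the mdn.com MX host are invented for the example. It shows the difference the "-" makes: an unlisted sender gets softfail under ~all and fail under -all.

```python
"""Evaluate an SPF record against a sending IP (simplified RFC 7208 check).

Added example, not the thread's code. DNS answers are a constructed
in-memory table; none of the records below are real.
"""
import ipaddress

# Constructed DNS data: TXT (SPF), A and MX answers. Not real records.
DNS = {
    "txt": {
        "mdn.com": "v=spf1 ip4:185.70.40.111 include:_spf.protonmail.ch mx ~all",
        "_spf.protonmail.ch": "v=spf1 ip4:185.70.40.0/24 -all",
        "strict.example": "v=spf1 a:strict.example -all",
    },
    "a": {"strict.example": ["203.0.113.5"], "mail.mdn.com": ["192.0.2.25"]},
    "mx": {"mdn.com": ["mail.mdn.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr):
    """True if ip lies in cidr; a bare address is treated as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                       # RFC 7208 limits DNS-querying terms
        return "permerror"
    record = DNS["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF published for this domain
    for term in record.split()[1:]:
        qual = "+"                       # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(sender_ip, arg)
        elif mech == "a":
            matched = sender_ip in DNS["a"].get(arg or domain, [])
        elif mech == "mx":
            hosts = DNS["mx"].get(arg or domain, [])
            matched = any(sender_ip in DNS["a"].get(h, []) for h in hosts)
        elif mech == "include":
            # include: matches only if the referenced record evaluates to pass
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # record ended without an 'all' term


if __name__ == "__main__":
    for dom, ip in [("mdn.com", "185.70.40.111"), ("mdn.com", "185.70.40.200"),
                    ("mdn.com", "192.0.2.25"), ("mdn.com", "198.51.100.77"),
                    ("strict.example", "198.51.100.77")]:
        print(f"{dom:16} {ip:16} -> {check_spf(dom, ip)}")
```

Note that with ~all the unlisted sender (198.51.100.77 in the sample) only reaches softfail, which most receivers treat as "probably suspicious"; the same IP against the -all record gets a hard fail. Real implementations also resolve the a/mx hosts over DNS and count the lookups against the limit.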
Thanks once again - all very useful info.
Email is not originating from my domain, it is just someone spoofing it, so I assume IP reputation is not an issue?
I have setup rua and as @bdl suggested I am also using https://dmarc.postmarkapp.com/
Once you implement DMARC on top of both SPF and DKIM, then the receiving party can confirm it is actually spoofed and you shouldn't be punished.
Without DMARC, the receiving party can't know that it must expect either DKIM or SPF (or even both), hence a reputation risk is possible.
https://cloudflare.com/learning/dns/dns-records/protect-domains-without-email/
I saw this Cloudflare article years ago and set it up.
As far as IP reputation goes, mdn.com was originally using Gmail when the problems started (MX records pointing to them). So does that mean it would be Gmail's IP reputation affected?

I have now moved the domain to NameCrane with the appropriate MX, DKIM, SPF and DMARC configured accordingly. Email sent via NameCrane is being delivered with 3 PASSes (DKIM, SPF & DMARC) to giants, so things are (I assume) looking good.
So far have had NO bounced spam messages to mdn.com catchall
I have setup
_dmarc.XXX.com. 300 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"
but as you say, still getting bounced messages back in my spam folder.
Is there any way these could also be stopped?
Complain to those mail servers that are sending bounced spam mails (and maybe block them if they don't fix it) - those mail servers are part of the problem by enabling that abuse and need to be fixed.
^ Totally agree - absolutely stupid and just creating more junk.
I see no reason for you to not enforce reject policy for any subdomain of your domain.
I don't think there's any way to completely remove the bounce mails. Just ignore those. Maybe @jarland or @Francisco can prove me wrong though
@sanvit - Thanks for the confirmation.
Just to mention, as per @skhron I have changed the DMARC to
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=reject; aspf=r;
FYI, just setting up a TXT record with the domain pointing to your IP address is usually enough...
So just a TXT record with
v=spf1 a:mydomain.com -all
This says reject all emails not sent with the IP address that mydomain.com is pointing to.
Also, I am surprised no one asked you to set up a DKIM certificate... That way all your mail is signed and the receiving party can validate that the email was sent from the correct mail server.
So another TXT record like
v=DKIM1; k=rsa; t=s; p=LONG_STRING_CONTAINING_PUBLIC_KEY_GOES_HERE
Ever since I set it up, my emails are no longer rejected by big providers like Google, Live, Yahoo, etc.
DMARC enforces the policy, while SPF is only applicable for Envelope From (SMTP).
Erm, I am gonna need you to elaborate on that... (a mail noob here)
Citing Wikipedia (sorry I am just lazy explaining it myself):
You would ask me, why isn't DKIM mentioned? Well, the problem is that for a spoofed email without DKIM you can't know if the domain has DKIM unless you know the selector (no one is going to bruteforce them, not feasible at all). Thus DMARC is required, as it says that the domain actually has SPF and DKIM and can define policies for both (relaxed or strict) and the action (none; quarantine, aka mark as spam; and reject, aka reject the email so that the recipient doesn't see it but the sending MTA sees the problem - a rejected letter).
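The post above describes what DMARC adds on top of SPF and DKIM: the receiver takes the SPF and DKIM results it already has, checks whether the authenticated domains line up with the From: header under the relaxed or strict alignment the record asks for, and otherwise applies p= (or sp= for subdomains, which is why the thread moved from sp=none to sp=reject). The following is an added example, not code from the thread or from any MTA: a simplified RFC 7489 evaluation of one message against a constructed DMARC record. The organizational domain is approximated as the last two labels; real implementations use the Public Suffix List, and pct= is parsed but not sampled here.

```python
"""Apply a DMARC record to one message (simplified RFC 7489 evaluation).

DMARC passes if SPF passed with an aligned envelope-from domain OR DKIM
passed with an aligned d= domain; otherwise p= (or sp= for a subdomain
From:) decides. Added example, not the thread's code. The record strings
are constructed; org_domain() is a two-label approximation of the Public
Suffix List logic, and pct= is parsed but not applied.
"""


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; sp=none; aspf=r' into a dict with RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")          # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p=
    tags.setdefault("pct", "100")         # parsed only; no sampling here
    return tags


def org_domain(domain):
    """Two-label approximation of the organizational domain (constructed)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict: identical domains. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(record_txt, header_from, spf_result, envelope_from,
                   dkim_result, dkim_d):
    """Return (dmarc_result, disposition) for one message.

    spf_result/dkim_result are the plain SPF and DKIM outcomes ('pass',
    'fail', 'none'); envelope_from is the SMTP MAIL FROM domain and dkim_d
    the d= of the verified signature (None if there was no signature).
    """
    pol = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(header_from, envelope_from, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_d, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p= applies to the organizational domain itself, sp= to its subdomains
    is_subdomain = header_from.lower() != org_domain(header_from)
    return "fail", pol["sp"] if is_subdomain else pol["p"]


# Constructed records: the first mirrors the thread's sp=none stage, the
# second the later sp=reject change. The rua address is a placeholder.
RECORD_SP_NONE = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@mdn.com; sp=none; aspf=r;"
RECORD_SP_REJECT = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@mdn.com; sp=reject; aspf=r;"

if __name__ == "__main__":
    cases = [
        ("spoofed, no auth", RECORD_SP_NONE, "mdn.com", "fail", "spammer.example", "none", None),
        ("legit", RECORD_SP_NONE, "mdn.com", "pass", "mdn.com", "pass", "mdn.com"),
        ("forwarded, SPF broke", RECORD_SP_NONE, "mdn.com", "fail", "fwd.example", "pass", "mdn.com"),
        ("spoofed subdomain, sp=none", RECORD_SP_NONE, "news.mdn.com", "fail", "x.example", "none", None),
        ("spoofed subdomain, sp=reject", RECORD_SP_REJECT, "news.mdn.com", "fail", "x.example", "none", None),
    ]
    for name, rec, hf, spf, env, dkim, d in cases:
        print(f"{name:32} -> {evaluate_dmarc(rec, hf, spf, env, dkim, d)}")
```

The forwarded case is why both SPF and DKIM matter: forwarding rewrites the envelope sender so SPF fails, but a DKIM signature survives and keeps DMARC passing. The two subdomain cases show what sp=none leaves open: a spoof from news.mdn.com fails DMARC but gets no disposition until sp=reject is set.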
So I am missing a step here... I set up SPF and DKIM but did not set up DMARC... lemme find some documentation on what needs to be done...
Just do a TXT record _dmarc.example.com "v=DMARC1; p=reject; pct=100" - this is the bare required minimum. The policy can be different, but personally I see no reason why you would prefer quarantine and not reject. Do not go for "none"; it is useless and some big ESPs dislike it as well.
For more advanced DMARC configuration there is nice tool at https://app.dmarcanalyzer.com/dns/setup
Followed your instructions and added the bare minimum DMARC. So now I've got 3 TXT records... DMARC, SPF and DKIM... just to send email... No wonder all the online platforms stopped with the emails and started their own app notifications...