• Protected email viewer:
  • Blog
  • FAQ
  • About

Who can send spam from your own domain name? Everyone!

The sending of emails using your domain name looks presentable and officially, but what if someone suddenly starts sending spam using your domain name.

How does this happen? Consider the situation:

  • The attacker sends emails using your own domain name.
  • Emails arrive from user with email address that is not registered in the domain group, for example, spammer@yourdomain.com.
  • Spammer's real email address is spammer@fakeemail.com.
  • This email message can contain very different information from A to Z and a web link.

It is not recommended to open such questionable links without verifying the authenticity of a sender. You can do it as follows: it is necessary to send a new message on the sender’s email address. More than likely, you will receive an automatic answer that this email message cannot be delivered because the recipient address does not exist. However, spammer can use an existing email address.

How it happened? And how it can be stopped?

The fact is that SMTP, an Internet standard for electronic mail (email) transmission, does not control some fillable fields such as "From" and "To" while sending. An electronic mail can be sent on behalf of any email address you want, if you are using SMTP-server.

It turns out that everyone can use your domain name for spamming. Even the most ordinary users can use whichever email address by specifying it in the settings. Attackers typically use real domain names in order to avoid blocking their emails.

Online email services, such as Gmail, require validation of return address, which you use when you send an email message. But there are no such restrictions if you use a remote email client with authorization by POP3/IMAP. And if a spammer uses its own email server, he/she can set any address as a sender email.

Since you cannot directly prevent spamming from your domain name or from the name of your email address, you need to act by indirect methods. For example, you can inform all email servers how to distinguish your real email message from a fake one.

SPF (Sender Policy Framework)

One way to protect yourself from fake emails sent under your domain name is to use SPF. It is SMTP extension, which passes through DNS server (Domain Name System). It makes the Internet aware what servers are allowed to send emails from the name of your domain. It looks like this:

  • yourdomain.com.¬† IN TXT “v=spf1 mx ip4: -all”

It means that only email servers with certain IP-addresses are allowed to send emails from yourdomain.com. If an email server with another IP-address tries to send emails from the name of user of this domain, then a secondary server can reject emails or mark it as spam, it depends on the settings.  Most of the existing email servers will check this record in DNS and act accordingly.

DKIM or digital signature

While SPF is easy to configure, DKIM validation system requires more effort and should be installed additionally by an email server administrator. If you send an email message through an ISP server, it should have ready mechanisms for a quick DKIM setup.

DKIM works like SSL certificates - generates a pair of public and private keys. A private key is known only for the email server, and it signs all outgoing emails.

A public key is published using DNS. Thus, any server that receives emails sent from your domain can verify the correctness of digital signature and the key. If this signature is absent or it is incorrect, then email message will be marked as spam.

How do email services solve this problem?

The problem of domain name substitution can occur when you use a remote email client with authorization via POP3/IMAP. Some email services, such as Gmail.com, are looking for their own unique ways to deal with this problem, but it is not particularly effective yet. Usually, some indirect methods are used: when spammer's atypical activity is identified, his or her account will be blocked.

SFletter.com, a secure email service, acts this way.