Can't use DMARC, how to label msg with spoof of our domain?

We're unable to block incoming messages that don't meet DKIM / SPF requirements. And our own DMARC record is set to p=none for reasons. 

That means that email from (spoofed address) "Voicemail Delivery Service <executive@domain.ca>" will get through to staff@domain.ca.

We have a filter that labels messages from "Mr. Executive <spammer@spammer.com>" based on "Mr. Executive" (executive spoof filter). A rule that validates "Mr. Executive <mr.executive@domain.ca>" isn't going to work as that can be spoofed.

Can I write a DKIM / SPF checking filter for only our domain? Suggestions as to how?

 

2 Replies

You can write a DKIM, SPF record rule for only your domain...
Easiest way is a simple content filter where the conditions are:
Envelope sender ends with domain.ca (mail-from == "domain.ca$")
SPF Verification status is fail (spf-status == "fail")
Then do what you want to with the mail... drop, quarantine, put in spam quarantine, whatever...
You might want to check the From header instead, and check contains, instead of ends with.
header("From") == "domain.ca"

We have a similarish situation - but we have added a big ugly tag to the subject if they fail incoming SPF.

However, you will no doubt still find people will respond to random emails saying "Hi, I'm [your CEO] please do this" regardless of what domain it comes from.
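
The check discussed in the replies, written out in Python as an added example (not code from the thread or from the mail gateway): it tags the subject when the From header claims domain.ca and neither SPF nor DKIM authenticates that domain. It goes beyond the reply's SPF-fail condition by also covering a passing SPF result that belongs to an unrelated envelope sender. The function names, the tag text, and the assumption that the receiving MTA supplies the envelope sender, the SPF verdict and the verified DKIM d= domain are illustrative.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "domain.ca"                 # domain used in the thread
TAG = "[UNVERIFIED domain.ca SENDER] "   # constructed tag text

def domain_of(addr):
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def is_ours(domain):
    # Exact match or subdomain; a lookalike such as notdomain.ca does not match.
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)

def label_if_spoofed(raw, envelope_sender, spf_status, dkim_domain=None):
    """Return (message, tagged). Tags the Subject when the From header
    claims our domain but neither SPF nor DKIM vouches for that domain.

    envelope_sender / spf_status: MAIL FROM and its SPF verdict.
    dkim_domain: d= of a signature that verified, or None.
    All three are assumed to be supplied by the receiving MTA.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_ours(domain_of(msg.get("From", ""))):
        return msg, False                # not claiming to be us
    spf_ok = spf_status.lower() == "pass" and is_ours(domain_of(envelope_sender))
    dkim_ok = dkim_domain is not None and is_ours(dkim_domain.lower())
    if spf_ok or dkim_ok:
        return msg, False
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):      # do not stack tags on re-processing
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return msg, True

# Constructed sample modelled on the spoof described in the question.
SAMPLE = (
    "From: Voicemail Delivery Service <executive@domain.ca>\n"
    "To: staff@domain.ca\n"
    "Subject: New voicemail\n"
    "\n"
    "You have one new message.\n"
)

if __name__ == "__main__":
    msg, tagged = label_if_spoofed(SAMPLE, "bounce@spammer.com", "pass")
    print(tagged, "|", msg["Subject"])
```

Mail sent as domain.ca by a third-party service that uses its own envelope domain and does not sign with a domain.ca DKIM key will also be tagged, so review what gets labelled before tightening the action.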