There are several good resources on our website and blog that describe what email spoofing is , how impacts your business and what you can do to prevent it on Connect Xf
It is strongly recommended that you enable the spoof check feature on your server to prevent internal spam attacks which eventually lead to a lot of junk mail escaping your servers into the Internet. Once this impacts your IP reputation, the outbound IP addresses of your server are likely to get blacklisted in RBL sites worldwide, causing a major impact on all your users
This article is about describing the full impact and plan to enable the spoof check feature on your Connect Xf server.
Step 1: What is the Expected and Correct client configuration if Spoof check is enabled?
Essentially when a user sends a mail using a mobile client like android, IOS, etc or desktop client like Outlook, Thunderbird etc. it is important that the following two configurations carry the same value:
- The email id configured for the account.
- The authentication email id configured for the account.
Only if these two email id values are the same, will the mail from this user be allowed to pass through the server.
The Reply to address can be same as the email or different if the recipient’s reply must land somewhere else
Why do users set these two email ids differently, while configuring their email account?
Typically most email servers will relay any type of mail once the user has authenticated himself. This means that once I have connected to a server, authenticated myself, the server now will become my servant and relay any mail for me (from anyone to anyone)
Lets see some typical reasons why users specify different email ids for authentication and for their account.
I am James and I work in the support department of Acme corp.
I configure my MS Outlook to authenticate with my email id: firstname.lastname@example.org
However I want replies to my email to come to email@example.com
So I will configure the account email id as firstname.lastname@example.org
I am Mary and I work in the marketing department of Acme corp.
I want to shoot a mail campaign to about 1000 users but any replies to the campaign mail should come to email@example.com
So I configure my Thunderbird to authenticate with my email id: firstname.lastname@example.org
And I will configure the account email id as email@example.com
Essentially this configuration, where the authentication email id is different from the account email is is always done so that the replies come to a different email id.
Alright, I will make the changes you suggested, but I still want to achieve the objectives in the above scenarios.
You can still achieve the objective of having replies come to a different email id by configuring the “Reply To” email id in your account. This will ensure that when the recipient replies, the reply will be sent to the email id specified in the “Reply to” box. An image for this is shown below.
Check screen shots below of the WRONG configuration and the CORRECT configuration to be done on clients.
Step 2: Enabling spoof check on the server
Only after all the clients are configured as above, should you get into this step where you enable Spoof check for the “Default” SMTP address such that any connection from the end users will get checked for spoof check
Command to enable spoof check for the default SMTP control :
/mithi/mcs/bin/setsmtpcontrols.sh default -spoofcheck 2
How the spoof check feature will work?
On enabling the spoof check feature, clients configured with invalid SMTP address are restricted to send mails.
Below are the sample error messages received.