What should I do about a weird SPF domain/IP sending from my client's domain?

Summary

When a client's domain is being used by a suspicious SPF domain/IP, the primary recommendation is a layered approach: proactive hardening combined with monitoring and response. Implement and enforce DMARC (quarantine or reject) and tighten domain security by carefully reviewing and configuring SPF and DKIM records. Ongoing monitoring of SPF records, DNS settings, and email headers is crucial for detecting unauthorized changes. If you suspect malicious activity, investigate unusual email activity from your domain, consider listing the IP on a blocklist, and report incidents to the relevant authorities. Experts also highlight the importance of understanding domain spoofing. Keep in mind that SPF is evaluated against the envelope sender (Return-Path) domain, not the visible From: header, so a third party can legitimately pass SPF for its own domain while the From: shows the client's domain; it is DMARC alignment, visible in aggregate reports and in Authentication-Results headers, that exposes this. If there are signs of compromised accounts or infrastructure, lock them down, change credentials, assess the damage, identify the source of the breach, and fix the vulnerabilities.

Key findings

  • DMARC enforcement: Implementing DMARC policies with 'quarantine' or 'reject' actions is critical for managing unauthenticated emails.
  • Security Enhancement: Enhancing domain security using properly configured SPF and DKIM records.
  • Continuous Monitoring: Regular monitoring of SPF, DNS, and email headers helps identify anomalies quickly.
  • Investigation of Activity: Investigating unusual email activity through email logs and monitoring user accounts for any signs of compromise.
  • Threat Response: Blocklisting suspicious IPs and reporting domain spoofing to the relevant authorities.
  • Account/Infrastructure compromise response: For a compromised account or infrastructure, lock it down, assess the damage, and identify the source of the breach.

Key considerations

  • Domain Spoofing Understanding: Gain a solid understanding of domain spoofing and its potential harm to brand and customer trust.
  • Proactive Security Measures: Implement strict security settings as a first-line defense against future attacks.
  • Authorized Sending Sources: Specify and confirm only authorized hosts for your domain in SPF records.
  • Incident Reporting: Don't hesitate to report incidents of spoofing to law enforcement.
  • Evaluate compromise: If compromise is indicated, evaluate it and follow your escalation procedures.
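
As an added example (not from the original page or any of the sources it quotes), the Python script below performs the header triage the summary recommends: it reads one message, pulls the connecting IP from the Received header and the SPF/DKIM verdicts from Authentication-Results, and checks whether the domains that passed are aligned with the From: domain. Everything in it is illustrative: the message, the domains (client.example, bulk-sender.example, recipient.example) and the IPs are constructed, and organisational-domain matching is simplified to the last two labels rather than the Public Suffix List.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample message (hypothetical domains and IPs) matching the situation in the
# question: a third-party bulk sender passes SPF and DKIM for *its own* domain while the
# From: header carries the client's domain, so DMARC alignment fails.
RAW_MESSAGE = b"""\
Return-Path: <bounces+4242@mail.bulk-sender.example>
Received: from o1.mail.bulk-sender.example (o1.mail.bulk-sender.example [198.51.100.25])
    by mx.recipient.example with ESMTPS id abc123
    for <victim@recipient.example>; Tue, 14 May 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
    spf=pass (sender IP is 198.51.100.25) smtp.mailfrom=mail.bulk-sender.example;
    dkim=pass header.d=bulk-sender.example header.s=s1;
    dmarc=fail (p=none) header.from=client.example
From: "Client Billing" <billing@client.example>
To: victim@recipient.example
Subject: Invoice overdue
Content-Type: text/plain

Please pay the attached invoice.
"""


def org_domain(host):
    """Crude organisational domain (last two labels). Real DMARC relaxed alignment
    uses the Public Suffix List; this shortcut is wrong for names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _grab(text, pattern):
    m = re.search(pattern, text, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(raw_bytes):
    """Return the authentication facts an investigator needs from one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)

    from_domain = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    mailfrom_domain = (
        email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    )

    # Folded header lines are joined; collapse whitespace so the regexes stay simple.
    ar = re.sub(r"\s+", " ", " ".join(str(h) for h in msg.get_all("Authentication-Results", [])))
    spf_result = _grab(ar, r"\bspf=(\w+)")
    spf_domain = _grab(ar, r"smtp\.mailfrom=([\w.-]+)")
    dkim_result = _grab(ar, r"\bdkim=(\w+)")
    dkim_domain = _grab(ar, r"header\.d=([\w.-]+)")

    # The topmost Received header was written by the receiving MX; the bracketed
    # address in it is the IP that actually connected (lower Received lines are untrusted).
    client_ip = None
    for rcv in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(rcv))
        if m:
            client_ip = m.group(1)
            break

    # DMARC passes only if SPF or DKIM passed *and* the passing domain aligns with From:.
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and org_domain(dkim_domain) == org_domain(from_domain))

    if spf_aligned or dkim_aligned:
        verdict = "aligned: a source authorised for the From: domain sent this"
    elif spf_result == "pass":
        verdict = (f"unaligned: {spf_domain} passed SPF for itself, not for {from_domain}; "
                   "look for this domain/IP in DMARC aggregate reports rather than in your SPF record")
    else:
        verdict = "unauthenticated: neither SPF nor DKIM passed"

    return {
        "client_ip": client_ip,
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "spf_result": spf_result,
        "spf_domain": spf_domain,
        "dkim_result": dkim_result,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key:16} {value}")
```

The point the output makes is that "SPF pass" on its own says nothing about the client's domain: the pass belongs to mail.bulk-sender.example, the Return-Path domain, and only the alignment check against client.example reveals the spoof.
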

What email marketers say
11 Marketer opinions

When dealing with a suspicious SPF domain/IP sending from your client's domain, the consensus is to take a multi-faceted approach focusing on detection, prevention, and reporting. Recommendations include: moving the DMARC policy from 'none' to 'quarantine' or 'reject' so that receivers actually act on unauthenticated mail (SPF itself has no such policy; the quarantine/reject choice lives in the DMARC record's p= tag), monitoring DMARC reports to see which sources fail authentication, and enhancing domain security through correctly configured DKIM and SPF records. Regular monitoring of SPF records, DNS settings, and email headers is crucial for identifying unauthorized changes and suspicious origins. If malicious activity is confirmed, consider listing the IP on a blocklist and reporting the incidents to the relevant authorities. A foundational understanding of domain spoofing and its potential impact on brand and customer trust is also essential.

Key opinions

  • Policy Enforcement: Changing the DMARC policy from 'none' to 'quarantine' or 'reject' tells receivers to divert or refuse unauthorized emails instead of only reporting them.
  • DMARC Implementation: Implementing and monitoring DMARC policies is vital for managing emails that fail authentication and for gaining insights into authentication results.
  • Enhanced Security: Using DKIM and SPF records enhances domain security and verifies the authenticity of sent emails.
  • Regular Monitoring: Continuous monitoring of SPF records, DNS settings, and email headers is crucial to detect unauthorized activity.
  • Reporting Abuse: Confirmed malicious behavior should be reported to blocklists and relevant authorities.

Key considerations

  • Understanding Spoofing: A deep understanding of domain spoofing and its implications is important for protecting your brand and customers.
  • Proactive Measures: Adopting proactive measures to tighten security will help to prevent this problem from happening in the future.
  • Review Records: Carefully review SPF and DKIM records to identify any unauthorized services or IP addresses.
  • Setup Alerts: Set up alerts to notify you of any modifications.

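
To make the "review your records" advice concrete, here is an added example (my own code, not from the page or any vendor it quotes) that evaluates a domain's SPF record the way a receiver would for a given sending IP, and flags the record-level mistakes that let unauthorized hosts pass, together with a DMARC record check for p=none. The TXT records are a constructed in-memory zone with hypothetical domains (client.example, marketing.example, relay-provider.example) so that it runs offline; a real deployment would replace the ZONE lookup with a DNS resolver. It also serves the "Verification Process" and "SPF Configuration" points in the documentation section below.

```python
import ipaddress

# Constructed TXT records standing in for live DNS so the example runs offline.
# All domains are hypothetical. In production replace ZONE with a real resolver call
# (for example dnspython's dns.resolver.resolve(name, "TXT")).
ZONE = {
    "client.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay-provider.example -all",
    "_spf.relay-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "marketing.example": "v=spf1 include:_spf.relay-provider.example +all",
    "_dmarc.client.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@client.example",
}


def txt(name, zone=ZONE):
    return zone.get(name.lower())


def spf_terms(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    out = []
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        out.append((qual, mech.lower(), arg))
    return out


def spf_check(domain, ip, zone=ZONE, depth=0):
    """Simplified check_host(): does `domain`'s SPF record authorise `ip`?
    Handles ip4, ip6, include and all. The a/mx/ptr/exists/redirect terms need live
    DNS and are skipped, so treat False as 'not proven' for records that use them."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        return False, "permerror: too many include levels"
    record = txt(domain, zone)
    if record is None or record.split()[0].lower() != "v=spf1":
        return False, f"none: no SPF record at {domain}"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in spf_terms(record):
        if mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False
        elif mech == "include":
            matched, _ = spf_check(arg, ip, zone, depth + 1)
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return qual == "+", f"{domain}: matched {qual}{mech}{':' + arg if arg else ''}"
    return False, f"{domain}: neutral, no mechanism matched"


def spf_findings(domain, zone=ZONE):
    """Flag configuration mistakes that let unauthorised hosts pass or break evaluation."""
    record = txt(domain, zone)
    if record is None:
        return [f"{domain}: no SPF record, any host can claim this domain"]
    terms = spf_terms(record)
    findings = []
    if not terms or terms[-1][1] != "all":
        findings.append("record does not end with an 'all' term")
    elif terms[-1][0] == "+":
        findings.append("'+all' authorises every host on the internet")
    elif terms[-1][0] == "?":
        findings.append("'?all' is neutral; unlisted hosts neither pass nor fail")
    lookups = sum(1 for _, m, _ in terms if m in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms; receivers return permerror above 10")
    return findings


def dmarc_tags(domain, zone=ZONE):
    """Parse the _dmarc.<domain> TXT record into a tag dict, or None if absent."""
    record = txt(f"_dmarc.{domain}", zone)
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(domain, zone=ZONE):
    tags = dmarc_tags(domain, zone)
    if tags is None:
        return [f"{domain}: no DMARC record; receivers will not enforce alignment"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; unaligned mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.9"):
        print(ip, spf_check("client.example", ip))
    print("SPF findings:", spf_findings("marketing.example"))
    print("DMARC findings:", dmarc_findings("client.example"))
```

Run against a real zone, spf_check answers the question "is this weird IP actually in my client's record, directly or via an include?", and spf_findings catches the two classic mistakes (a trailing +all, or an include chain that blows the ten-lookup limit so receivers stop evaluating the record at all).
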
Marketer view

Email marketer from Email Vendor Guide recommends enhancing domain security by implementing DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records. These records help verify the authenticity of your emails.

July 2022 - Email Vendor Guide
Marketer view

Email marketer from AuthSMTP suggests changing from a policy of 'none' to 'quarantine' or 'reject'. This will tell the server to treat any invalid emails as spam or reject them.

March 2024 - AuthSMTP
Marketer view

Email marketer from DNS Records suggests listing the sending IP on a blocklist. If it is confirmed malicious behaviour, then putting the IP on an RBL will help prevent future attacks.

April 2021 - DNS Records
Marketer view

Email marketer from Neil Patel Blog explains that if a domain is being spoofed, you should implement DMARC policies to instruct receiving servers on how to handle emails that fail authentication checks.

May 2023 - Neil Patel Blog
Marketer view

Email marketer from StackExchange suggests examining email headers to identify the origin of the suspicious emails and determine if they are indeed being sent from unauthorized sources.

May 2023 - StackExchange
Marketer view

Email marketer from Reddit recommends regularly monitoring your SPF records and DNS settings to detect any unauthorized changes or additions. Set up alerts to notify you of any modifications.

August 2022 - Reddit
Marketer view

Email marketer from Mailjet responds with instructions to carefully review SPF and DKIM records to identify any unauthorized services or IP addresses that may be sending emails on your behalf.

July 2021 - Mailjet
Marketer view

Email marketer from EmailToolTester recommends reporting any instances of domain spoofing to the appropriate authorities, such as the Anti-Phishing Working Group (APWG) or law enforcement agencies.

March 2022 - EmailToolTester
Marketer view

Email marketer from Proofpoint advises that it's important to understand what domain name spoofing is and how it works so you can protect your brand, employees, and customers. Domain name spoofing is a type of email phishing scam in which cybercriminals forge the sender address to make it appear as though the email is coming from a legitimate source.

March 2023 - Proofpoint
Marketer view

Marketer from Email Geeks shares that they’d love for senders to set a policy other than none as it actually helps. Because otherwise they might be forced to set a policy for you if you get abused.

October 2022 - Email Geeks
Marketer view

Email marketer from Spamhaus suggests to increase your monitoring as it will alert you to potential ongoing abuse of your domain.

April 2024 - Spamhaus

What the experts say
5 Expert opinions

Experts provide a range of advice regarding suspicious SPF domain/IP activity originating from a client's domain. One perspective suggests that it may be domain spoofing, and there might be limited immediate action to take, as ESPs may already be filtering the messages. An alternative view is to address the problem directly by securing potentially compromised accounts or infrastructure. If a compromised account is confirmed, locking down the account, changing credentials, and assessing damage is necessary. For compromised infrastructure, remediation involves identifying the source of the breach and fixing vulnerabilities. Regardless of approach, email authentication is seen as a valuable tool for increasing trust, improving spam filtering, and protecting against phishing and spoofing attacks.

Key opinions

  • Domain Spoofing: The issue could be domain spoofing, where the impact may be mitigated by existing ESP filtering.
  • Compromised Account: If a compromised account is identified, securing the account, changing credentials, and assessing the damage is essential.
  • Infrastructure Breach: Compromised infrastructure requires identification of the breach source and remediation of vulnerabilities.
  • Email Authentication: Email authentication strengthens trust and provides better spam protection.

Key considerations

  • Limited Action: There may be limited immediate action possible if ESPs are already handling spoofed emails.
  • Account Security: Focus on securing and remediating potentially compromised accounts by changing credentials and reviewing settings.
  • Infrastructure Security: Investigate and address potential infrastructure breaches through vulnerability patching and system rebuilding.
  • Authentication Benefits: Implementing and improving email authentication can increase trust and prevent phishing and spoofing.

Expert view

Expert from Spamresource.com responds that email authentication improves trust, enables better spam filtering, and protects brands from phishing and spoofing attacks.

February 2023 - Spamresource.com
Expert view

Expert from Word to the Wise explains if you determine that it is a compromised account, you'll need to lock down the affected account, change credentials and assess the damage. Check sent items, filters, and forwarding rules.

December 2022 - Word to the Wise
Expert view

Expert from Word to the Wise says, in case of compromised infrastructure, work with your IT team to identify the source of the breach and take steps to remediate it. This may involve patching vulnerabilities, reconfiguring security settings, or even rebuilding affected systems.

February 2022 - Word to the Wise
Expert view

Expert from Email Geeks says not to worry about setting it to quarantine/reject. A lot of places aren’t following quarantine / reject anyway, and it’s likely they are noticing the spoofing anyway and the mail is going to spam anyway.

May 2024 - Email Geeks
Expert view

Expert from Email Geeks suggests it looks like someone is spoofing the client's domain, possibly by hijacking someone’s SendGrid account. They add there isn’t much the original poster can do about it.

August 2021 - Email Geeks

What the documentation says
5 Technical articles

Technical documentation emphasizes the importance of email authentication to address suspicious SPF domain/IP activity. Key actions include: implementing DMARC with a policy of 'quarantine' or 'reject' to manage unauthenticated emails and monitoring DMARC reports. SPF records enable organizations to designate authorized sending hosts within the DNS. Email authentication, in general, helps verify the legitimacy of senders, mitigating email-based attacks. Investigating unusual email activity through email logs and monitoring user accounts is crucial for detecting potential compromises.

Key findings

  • Authentication Failure: A sending host that is not listed in the domain's SPF record fails the SPF check and is recorded as an authentication failure.
  • DMARC Policy: Implementing DMARC with 'quarantine' or 'reject' policies helps manage unauthenticated emails.
  • SPF Records: SPF records allow specification of authorized sending hosts in the DNS.
  • Mitigating Attacks: Email authentication reduces the effectiveness of phishing, BEC, and malware delivery attacks.
  • Unusual Activity: Investigating unusual email activity is key to detecting potential compromises.

Key considerations

  • Verification Process: Verify whether the sending host is listed as a valid source in the domain's SPF record.
  • DMARC Reporting: Monitor DMARC reports for insights into authentication results.
  • Log Analysis: Analyze email logs to identify the source of the unusual activity.
  • Account Monitoring: Monitor user accounts for signs of compromise.
  • SPF Configuration: Ensure SPF records are properly configured and up to date (the current SPF specification is RFC 7208, which obsoletes RFC 4408).

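
The "monitor DMARC reports" advice is where the "weird SPF domain" in the question actually shows up, so here is an added example (my own code, not from DMARC.org or the page) that parses an aggregate (rua) report and lists the sources that failed alignment. The report is constructed in the RFC 7489 Appendix C layout with hypothetical domains and IPs; real reports arrive by mail as gzip or zip attachments from each receiver. The key detail it demonstrates is that policy_evaluated carries the aligned verdicts while auth_results carries the raw ones, so a third party's raw SPF pass for its own domain appears as spf=fail next to an unfamiliar SPF domain.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (hypothetical domains and IPs) in the RFC 7489 Appendix C
# layout. Record 1 is the client's own mail; record 2 is a third-party sender that
# authenticates for itself (raw pass) but is unaligned with the client's From: domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>recipient.example</org_name>
    <report_id>1715731200.1</report_id>
    <date_range><begin>1715644800</begin><end>1715731200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>client.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>client.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>client.example</domain><result>pass</result></dkim>
      <spf><domain>client.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>3400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>client.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>bulk-sender.example</domain><result>pass</result></dkim>
      <spf><domain>mail.bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(el, path, default=""):
    node = el.find(path) if el is not None else None
    return node.text.strip() if node is not None and node.text else default


def parse_report(xml_text):
    """Return the published policy and one dict per <record>."""
    root = ET.fromstring(xml_text)  # reports are untrusted input: use defusedxml in production
    policy = {
        "domain": _text(root, "policy_published/domain"),
        "p": _text(root, "policy_published/p", "none"),
        "aspf": _text(root, "policy_published/aspf", "r"),
        "adkim": _text(root, "policy_published/adkim", "r"),
    }
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition", "none"),
            # policy_evaluated = aligned verdicts; auth_results = raw verdicts
            "spf_aligned": _text(rec, "row/policy_evaluated/spf") == "pass",
            "dkim_aligned": _text(rec, "row/policy_evaluated/dkim") == "pass",
            "header_from": _text(rec, "identifiers/header_from"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "spf_raw": _text(rec, "auth_results/spf/result"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
            "dkim_raw": _text(rec, "auth_results/dkim/result"),
        })
    return policy, rows


def unaligned_sources(xml_text):
    """Sources that failed DMARC, aggregated by IP and raw SPF/DKIM domain, largest first."""
    _, rows = parse_report(xml_text)
    totals = defaultdict(int)
    for r in rows:
        if not (r["spf_aligned"] or r["dkim_aligned"]):
            totals[(r["source_ip"], r["spf_domain"], r["dkim_domain"], r["disposition"])] += r["count"]
    return [
        {"source_ip": ip, "spf_domain": spf, "dkim_domain": dkim, "disposition": disp, "count": n}
        for (ip, spf, dkim, disp), n in sorted(totals.items(), key=lambda kv: -kv[1])
    ]


def summarize(xml_text):
    """Totals that show what a p=none policy is letting through."""
    policy, rows = parse_report(xml_text)
    failing = [r for r in rows if not (r["spf_aligned"] or r["dkim_aligned"])]
    return {
        "domain": policy["domain"],
        "policy": policy["p"],
        "total": sum(r["count"] for r in rows),
        "unaligned": sum(r["count"] for r in failing),
        "unaligned_but_delivered": sum(r["count"] for r in failing if r["disposition"] == "none"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for src in unaligned_sources(SAMPLE_REPORT):
        print(src)
```

On the constructed report this lists 198.51.100.25 with SPF domain mail.bulk-sender.example: that domain is not in the client's SPF record and does not need to be, because the fix is enforcing DMARC (and, if the source turns out to be a provider account the client actually owns, aligning its envelope sender and DKIM signing domain), not adding the stranger to SPF. The unaligned_but_delivered figure is the practical argument for moving off p=none.
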
Technical article

Documentation from IETF explains that email authentication mechanisms allow a receiving organization to verify that a message was sent by a domain authorized to send on behalf of the apparent sender. Authentication reduces the effectiveness of many email-based attacks, including phishing, business email compromise, and malware delivery.

February 2023 - IETF
Technical article

Documentation from Microsoft states that SPF records allow an organization to specify the authorized hosts which are allowed to send mail from a given domain by creating a specific record in the Domain Name System (DNS).

July 2023 - Microsoft
Technical article

Documentation from DMARC.org shares that you should implement DMARC with a policy of 'quarantine' or 'reject' to instruct recipient mail servers to handle unauthenticated emails from your domain appropriately. Monitor DMARC reports to gain insights into email authentication results.

July 2023 - DMARC.org
Technical article

Documentation from RFC 4408 explains the process to check the domain sending and verify whether it is coming from a source listed as valid. If it isn't it will be marked as an authentication failure.

December 2024 - RFC 4408
Technical article

Documentation from Google Workspace Admin Help shares to investigate unusual email activity originating from your domain by analyzing email logs and monitoring user accounts for any signs of compromise.

August 2023 - Google