What should I do about a weird SPF domain/IP sending from my client's domain?
Summary
What email marketers say (11 marketer opinions)
Email marketer from Email Vendor Guide recommends enhancing domain security by implementing DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records. These records help verify the authenticity of your emails.
Email marketer from AuthSMTP suggests changing from a policy of 'none' to 'quarantine' or 'reject'. This will tell the server to treat any invalid emails as spam or reject them.
Email marketer from DNS Records suggests listing the sending IP on a blocklist. If malicious behaviour is confirmed, putting the IP on an RBL will help prevent future attacks.
Email marketer from Neil Patel Blog explains that if a domain is being spoofed, you should implement DMARC policies to instruct receiving servers on how to handle emails that fail authentication checks.
Email marketer from StackExchange suggests examining email headers to identify the origin of the suspicious emails and determine if they are indeed being sent from unauthorized sources.
Email marketer from Reddit recommends regularly monitoring your SPF records and DNS settings to detect any unauthorized changes or additions. Set up alerts to notify you of any modifications.
Email marketer from Mailjet responds with instructions to carefully review SPF and DKIM records to identify any unauthorized services or IP addresses that may be sending emails on your behalf.
Email marketer from EmailToolTester recommends reporting any instances of domain spoofing to the appropriate authorities, such as the Anti-Phishing Working Group (APWG) or law enforcement agencies.
Email marketer from Proofpoint advises that it's important to understand what domain name spoofing is and how it works so you can protect your brand, employees, and customers. Domain name spoofing is a type of email phishing scam in which cybercriminals forge the sender address to make it appear as though the email is coming from a legitimate source.
Marketer from Email Geeks shares that they’d love for senders to set a policy other than none, as it actually helps; otherwise they might be forced to set a policy for you if you get abused.
Email marketer from Spamhaus suggests to increase your monitoring as it will alert you to potential ongoing abuse of your domain.
What the experts say (5 expert opinions)
Expert from Spamresource.com responds that email authentication improves trust, enables better spam filtering, and protects brands from phishing and spoofing attacks.
Expert from Word to the Wise explains if you determine that it is a compromised account, you'll need to lock down the affected account, change credentials and assess the damage. Check sent items, filters, and forwarding rules.
Expert from Word to the Wise says, in case of compromised infrastructure, work with your IT team to identify the source of the breach and take steps to remediate it. This may involve patching vulnerabilities, reconfiguring security settings, or even rebuilding affected systems.
Expert from Email Geeks says not to worry about setting it to quarantine/reject. A lot of places aren’t following quarantine/reject anyway, and it’s likely they are noticing the spoofing anyway and the mail is going to spam anyway.
Expert from Email Geeks suggests it looks like someone is spoofing the client's domain, possibly by hijacking someone’s SendGrid account. They add there isn’t much the original poster can do about it.
What the documentation says (5 technical articles)
Documentation from IETF explains that email authentication mechanisms allow a receiving organization to verify that a message was sent by a domain authorized to send on behalf of the apparent sender. Authentication reduces the effectiveness of many email-based attacks, including phishing, business email compromise, and malware delivery.
Documentation from Microsoft states that SPF records allow an organization to specify the authorized hosts which are allowed to send mail from a given domain by creating a specific record in the Domain Name System (DNS).
Documentation from DMARC.org shares that you should implement DMARC with a policy of 'quarantine' or 'reject' to instruct recipient mail servers to handle unauthenticated emails from your domain appropriately. Monitor DMARC reports to gain insights into email authentication results.
Documentation from RFC 4408 explains the process of checking the sending domain and verifying whether the message comes from a source listed as valid. If it isn't, it is marked as an authentication failure.
Documentation from Google Workspace Admin Help shares to investigate unusual email activity originating from your domain by analyzing email logs and monitoring user accounts for any signs of compromise.
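A worked version of the check several of the sources above describe (review the SPF record and see whether the suspicious sending IP is actually authorized, and by which term), added here as an example and not code from any of the quoted sources. The domains and TXT records are constructed stand-ins for live DNS lookups; the evaluator handles ip4, ip6, include and all, which is enough to trace a "weird IP" back to the record or include that admits it.

```python
import ipaddress

# Constructed TXT data standing in for live DNS lookups; all domains are hypothetical.
FAKE_TXT = {
    "client.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=FAKE_TXT, depth=0):
    """Return (result, reason): which term of which record decided the outcome.

    Supports ip4, ip6, include and all; a/mx/exists/redirect= are not modelled.
    """
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", f"{domain}: no SPF record"
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; this also stops include loops
        return "permerror", f"{domain}: too many nested includes"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        where = f"{domain}: {qualifier}{term}"
        if name == "all":
            return QUALIFIERS[qualifier], where
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", where  # malformed address in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], where
        elif name == "include":
            sub, sub_reason = check_spf(ip, arg, records, depth + 1)
            if sub == "pass":  # include matches only when the included record passes
                return QUALIFIERS[qualifier], sub_reason
            if sub in ("permerror", "none"):  # RFC 7208 5.2: both become permerror
                return "permerror", sub_reason
        else:
            return "unsupported", where  # a, mx, exists, redirect= need more lookups
    return "neutral", f"{domain}: no term matched"
```

If the IP passes only through an include, the reason string names the third-party record (here the constructed ESP) that admits it, which is the service to review or remove.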