Have you been getting “Mail Delivery Failed” or “returning to sender” messages in your inbox? When you read the contents, does the message that failed look like it came from your email account, but you never sent those emails? If you have answered yes to these questions, then you are most likely the victim of a spammer who is “spoofing” your email address to send spam emails. I decided to write this article today because I have had clients who have had this happen to their business emails in the past, and yesterday I found that my own email address had fallen victim to spammers sending mail to Russian email addresses from servers in Russia. If you are also a victim of spammers spoofing your email account, then this post should help you fix the issue. Just so you know, this was my first time fixing this issue myself, so if you don’t have experience, do not worry because this should work for a beginner as well.
Before I discuss how to deal with “spoofing,” it’s a good idea to make sure that your account is being “spoofed” and has not been hacked or compromised. To be sure that your account is being spoofed and not hacked, try changing your email password. Remember to update all of your devices and email clients with the new password for inbound and outbound emails. If you are still receiving the same amount of “Message Delivery Failed” notices after 24 hrs, then you have verified that your account has not been hacked, and it is most likely being “spoofed.” If you do see a significant drop, then your email password was compromised, and your account was hacked. If your account was hacked, then you can stop reading here, and make your best efforts to better protect your email password in the future. If changing the password did not decrease the volume of “Mail Delivery Failed” messages, then someone is “spoofing” your email address.
What is email “spoofing”?
Basically, “spoofing” an email address is when someone makes it look like an email was sent from your email address when in fact it was sent from somewhere else. In the real world, it is the equivalent of writing someone else’s address as the return address on an envelope so the receiver does not know it came from you. This is a tactic frequently used by spammers and scammers to try to deceive mail servers into allowing the message to be sent, and to deceive the receiver into trusting the message enough to open and even respond to the message. There is no legitimate reason to spoof a “sent from” address.
What can be learned from the “Message Delivery Failed” notifications?
While you can possibly learn some things from the content of the email, the first and most important thing is to verify that your email address is being used to originate the message. You may also be able to learn the subject line and content of the email that is being sent using your name. In the past, I was able to learn that my client’s email address was being used to send messages which claimed to be from Bank of America and tried to get people to use a link in the message to “reset their password,” which most likely would take people to a fake page where the spammer would capture any info they entered to steal account access. In my case, both the subject line and content have been obfuscated using base64 encoding, which basically looks like an incoherent and unreadable string of characters. While the messages also contain an IP address where the mail appears to have been sent from, this can be forged and may not be reliable.
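As an added example of reading one of these bounces (my code, not anything from the original post), the script below parses a constructed “Mail Delivery Failed” message in the standard multipart/report layout, pulls out the rejected recipient and the delivery status code, and decodes the base64 subject and body of the spoofed message so they are readable again. Every address in it, the relay IP and the base64 text are constructed for the example.

```python
"""Pull the useful facts out of a "Mail Delivery Failed" bounce.

Added example, not code from the original post. BOUNCE is a constructed bounce
in the standard multipart/report layout (RFC 3464 delivery status notification
plus a copy of the rejected message); every address, the 198.51.100.77 relay
address and the base64-encoded subject and body in it are constructed."""
import email
import re
from email.header import decode_header, make_header

BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: owner@example.com
Subject: Mail Delivery Failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

A message that you sent could not be delivered to one or more recipients.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; victim@example.org
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from unknown (HELO mail.example.com) (198.51.100.77)
  by mx.example.net with SMTP
From: owner@example.com
To: victim@example.org
Subject: =?UTF-8?B?UmVzZXQgeW91ciBhY2NvdW50IHBhc3N3b3Jk?=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

UGxlYXNlIHZlcmlmeSB5b3VyIGFjY291bnQu

--b1--
"""

# Matches the parenthesised IPv4 address a receiving server writes into Received:
RECEIVED_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def decode_subject(raw):
    """Turn an RFC 2047 encoded-word subject such as =?UTF-8?B?...?= into text.
    The =?...?B?...?= wrapper is what makes the subject look like base64 noise."""
    return str(make_header(decode_header(raw)))


def analyse_bounce(raw_bounce):
    """Return the recipient, status code and the decoded copy of the spoofed message."""
    msg = email.message_from_string(raw_bounce)
    report = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # One header block per recipient; Status is the SMTP enhanced status code.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    report["final_recipient"] = block["Final-Recipient"].split(";", 1)[1].strip()
                    report["status"] = block.get("Status")
        elif ctype == "message/rfc822":
            original = part.get_payload(0)  # the message the spammer sent in your name
            report["claimed_from"] = original["From"]
            report["subject"] = decode_subject(original["Subject"])
            body = original.get_payload(decode=True)  # undoes Content-Transfer-Encoding: base64
            report["body"] = body.decode(original.get_content_charset() or "utf-8").strip()
            # Only the Received line written by the bouncing server itself is trustworthy;
            # any earlier hops were supplied by the sender and can be forged.
            m = RECEIVED_IP.search(original.get("Received", ""))
            report["first_hop_ip"] = m.group(1) if m else None
    return report


if __name__ == "__main__":
    for key, value in analyse_bounce(BOUNCE).items():
        print(f"{key:16} {value}")
```

Run against a real bounce, the decoded subject and body tell you what is being sent in your name, and the status code tells you why the far side rejected it; the relay address is a hint only, for the reason given in the comment.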
How to fix your email account to prevent it from sending these emails
What you will need to do is create an SPF record, which can be done from your hosting account. SPF stands for Sender Policy Framework. By creating an SPF record, you will be able to limit who can send mail that originates from email addresses on your domain. The SPF record can be used to authorize senders based on mail server domain names, IPv4 addresses, and IPv6 addresses. For this article, we will use server domains as that is how I set mine up. In order to create your SPF record, you will need to collect some information before proceeding. This is an advanced operation, and if you don’t do it right you will have issues sending the emails that you do want to send. Here is what you need:
- Make a list of all the ways you use your domain to send emails, including email services like Mailchimp or Constant Contact
- Verify that you have access to your hosting account and can add TXT records (contact your host or IT dept for info)
- Look for info from your host about how to add SPF records (google “godaddy spf record,” “1and1 spf record,” or “<insert host name> spf record”)
- Read through the information on openspf.org to familiarize yourself with SPF records
Once you have done the research and know who should be able to send emails from your domain, do a Google search for information on what servers will need to be allowed to send email from your domain. In my case, I collected the mail server info from:
- godaddy, where my domain resides (secureserver.net)
- 1and1, where I host my site (spf.perfora.net, spf.kundenserver.de)
- mailchimp, which I use to send newsletters (servers.mcsv.net)
Since these are the only places my legitimate email should originate from, these are the only mail servers I authorized to send mail on my behalf. Since I had not personally set up an SPF record before, I used a tool called an SPF Generator: I entered my information and it produced a properly formatted SPF record, which I then copied and pasted into my DNS settings. The SPF Generator I used can be found here.
To use the generator, enter your email address domain name (what comes after the @ in your email address) where it says “Your domain” and input the mail server domains you collected where it says “Any domains that may deliver or relay mail for this domain.” Right below this box is a drop-down which you should change to “fail” so that mail not from these servers fails the check. Now, highlight and copy the information in the box under “The DNS entry.” I only had to copy the info within the quotes, but follow the formatting rules that you found when checking your host’s instructions for adding an SPF record. When adding my SPF record, I found that I needed to add an underscore before each server domain (i.e. secureserver.net became _secureserver.net) in order for it to work correctly. Save your entry and make sure it saved correctly.
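To make the record concrete, here is an added example (my code, not the SPF Generator’s output and not anything from the post or its hosting providers) that builds a record from the four sender domains listed above, checks it for the two mistakes that most often leave a record toothless (a missing “all” term, which leaves unlisted senders merely “neutral” rather than failed, and more than the ten DNS-lookup mechanisms RFC 7208 permits), and then evaluates sender addresses against it the way a receiving server does. The address ranges in FAKE_DNS are constructed documentation-range values standing in for whatever a real resolver would return for those domains.

```python
"""Build, sanity-check and evaluate an SPF record.

Added example, not code from the original post, the SPF Generator tool or any
hosting provider. The four sender domains are the ones the post lists; the
address ranges in FAKE_DNS are constructed documentation-range values so the
example runs offline (a real check resolves each domain's TXT record via DNS)."""
import ipaddress
import re

SPF_VERSION = "v=spf1"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MECH_RE = re.compile(r"^([+\-~?]?)(all|include|ip4|ip6|a|mx|ptr|exists)(?::(.+))?$")


def build_spf_record(authorized_domains, policy="-all"):
    """Compose a record that trusts only the listed domains' own SPF records.
    '-all' (the generator's "fail" setting) hard-fails every other sender."""
    if policy not in ("-all", "~all", "?all"):
        raise ValueError("policy must be -all, ~all or ?all")
    return " ".join([SPF_VERSION] + [f"include:{d}" for d in authorized_domains] + [policy])


def check_spf_record(record):
    """Return a list of problems: bad syntax, a missing 'all' term or too many lookups."""
    problems, terms = [], record.split()
    if not terms or terms[0] != SPF_VERSION:
        return ["record must start with v=spf1"]
    lookups, has_all = 0, False
    for term in terms[1:]:
        if term.startswith("redirect="):
            lookups += 1
            continue
        m = MECH_RE.match(term)
        if not m:
            problems.append(f"unrecognised term {term!r}")
            continue
        _, mech, arg = m.groups()
        has_all = has_all or mech == "all"
        if mech in LOOKUP_MECHS:
            lookups += 1
        if mech in ("include", "exists", "ip4", "ip6") and not arg:
            problems.append(f"{mech} needs an argument in {term!r}")
        elif mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"bad address in {term!r}")
    if not has_all:
        problems.append("no 'all' term: unlisted senders get neutral instead of fail")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms; receivers permerror above 10")
    return problems


def evaluate(sender_ip, domain, dns, depth=0):
    """Decide whether sender_ip may send mail for domain, as a receiving server does.
    Returns an RFC 7208 result: none, pass, fail, softfail, neutral or permerror."""
    if depth > 10:
        return "permerror"
    records = [t for t in dns.get(domain, []) if t.split()[:1] == [SPF_VERSION]]
    if len(records) != 1:  # no record at all, or several (invalid)
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        m = MECH_RE.match(term)
        if not m:
            return "permerror"
        qual, mech, arg = m.groups()
        result = QUALIFIERS[qual or "+"]
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif mech == "include":
            # include matches only when the other domain's record says "pass"
            if evaluate(sender_ip, arg, dns, depth + 1) == "pass":
                return result
        else:
            return "permerror"  # a/mx/ptr/exists need live DNS; not modelled here
    return "neutral"  # nothing matched and no 'all' term: spoofed mail is not failed


# The senders the post authorizes, and a constructed DNS table for them.
POST_SENDERS = ["secureserver.net", "spf.perfora.net", "spf.kundenserver.de", "servers.mcsv.net"]
FAKE_DNS = {
    "example.com": [build_spf_record(POST_SENDERS, "-all")],
    "example.org": ["v=spf1 include:secureserver.net"],  # same idea, but '-all' forgotten
    "secureserver.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.perfora.net": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all"],
    "spf.kundenserver.de": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:192.0.2.0/25 ?all"],
}

if __name__ == "__main__":
    print(FAKE_DNS["example.com"][0], check_spf_record(FAKE_DNS["example.com"][0]))
    for ip in ("198.51.100.25", "2001:db8:1::25", "192.0.2.200"):
        print(ip, "example.com ->", evaluate(ip, "example.com", FAKE_DNS),
              "| example.org ->", evaluate(ip, "example.org", FAKE_DNS))
```

The stand-alone run shows the point of the “fail” setting: an address outside the four authorized ranges gets fail from the example.com record but only neutral from the example.org record that lacks “-all,” and neutral is what most receivers treat as “deliver anyway.” A record that passes check_spf_record with no problems is the one worth publishing.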
Test your SPF record to verify success
Before thinking that your work is done, you need to test to verify that you can still send and receive emails. Wait 5 minutes to be safe so the new info is live, then try sending an email from your email address to another address you can check. You should also send a test email from Mailchimp, Constant Contact, or any other service you use and included in your SPF record. If the second email address was able to receive all the test emails sent from the address which was being “spoofed,” then your tests were successful, and everyone who should be able to send mail from your domain is able to do so.
The next thing you need to do is wait and see if you receive any more “Message Delivery Failed” notifications. You may still receive a few of these, as some mail servers will keep attempting to deliver mail for a set period of time. If you are still receiving the messages after 48 hours, chances are you did something wrong when creating the SPF record, and it is not causing mail from servers outside your list to be rejected. However, it is much more likely that you will not get any more of these messages, and you have successfully stopped those evil spammers from being able to use your email address. Congratulations! Give yourself a round of applause and revel in the accomplishment.
If you have any questions feel free to reply to this post and I will help as best as I can!
Image from Pixabay used under Creative Commons CC 0