My domain is being spoofed

Hi all

My domain is being spoofed - customers receive emails from my domain addresses and they are not marked as spam/junk/phishing by recipient email providers. I made sure that those emails don’t originate from my email system. So far some AOL users reported it, but there are others as well.

My settings are:

SPF: soft-fail
DKIM: enabled
DMARC: none

I read on forums that these are recommended settings and I don’t need to change anything. If so, what should I do?

Welcome to the Cloudflare Community. :logodrop:

Whatever forum suggested that a DMARC policy of none is “recommended” is sorely mistaken. A DMARC policy of none is the same as having no DMARC policy and does absolutely nothing to prevent email impersonation.

At a minimum, you need a DMARC policy of quarantine to indicate that you do not want spoofed email to be delivered. Before increasing your DMARC policy, make sure that you are regularly reviewing aggregate DMARC reports. The last thing you want is to send all of your mails to spam because you don’t know that you had an SPF or DKIM problem.
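The advice above is to read aggregate (RUA) DMARC reports before moving from p=none to p=quarantine. The following added example, which is not from the thread or from Cloudflare, parses a constructed aggregate report in the RFC 7489 XML shape and summarises, per sending IP, how much mail passed or failed DMARC. The report contents, domain and IP addresses (RFC 5737 documentation ranges) are invented for the example; the `known_senders` list stands in for the IPs you have confirmed belong to your own providers.

```python
"""Summarise a DMARC aggregate (RUA) report before tightening the policy."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not a real receiver's output). Each <record>
# is one source IP; policy_evaluated holds the aligned DKIM/SPF results
# the receiver already computed, so no alignment logic is needed here.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def published_policy(xml_text):
    """Return (domain, p) from the policy_published block of the report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    return pub.findtext("domain"), pub.findtext("p")


def summarize_rua(xml_text):
    """Return {source_ip: {"passing": n, "failing": n}} message counts.

    A message passes DMARC when the aligned DKIM result or the aligned SPF
    result in policy_evaluated is 'pass'; everything else is a failure.
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"passing": 0, "failing": 0})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        summary[ip]["passing" if passed else "failing"] += count
    return dict(summary)


def failing_sources(summary):
    """IPs that sent any mail failing DMARC, sorted for stable output."""
    return sorted(ip for ip, counts in summary.items() if counts["failing"] > 0)


def ready_for_quarantine(summary, known_senders):
    """True when every sender you know to be legitimate is fully passing.

    Failures from IPs outside known_senders are the spoofing that a
    quarantine policy is meant to catch, so they do not block the move.
    """
    return all(summary.get(ip, {"failing": 0})["failing"] == 0
               for ip in known_senders)


if __name__ == "__main__":
    domain, policy = published_policy(SAMPLE_REPORT)
    totals = summarize_rua(SAMPLE_REPORT)
    print(f"{domain}: published policy p={policy}")
    for ip, counts in totals.items():
        print(f"  {ip:15} pass={counts['passing']:4} fail={counts['failing']:4}")
    print("failing sources:", failing_sources(totals))
    print("ready for quarantine:",
          ready_for_quarantine(totals, ["192.0.2.10", "198.51.100.7"]))
```

In the constructed data, 198.51.100.7 fails DKIM but passes aligned SPF, so it still passes DMARC; 203.0.113.99 fails both and would be the traffic a quarantine policy sends to spam. Run this over every report you receive for a few weeks and only raise the policy once your own senders show no failures.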

Thanks. Are aggregate DMARC reports the ones available to me in the DMARC management dashboard in Cloudflare?


Yes. Aggregate reports refers to data collected from multiple individual reports, versus the contents of an individual report, which isn’t as useful and is a lot harder to read.

Got it… So with my current SPF and DKIM settings, is it safe to change DMARC from none to quarantine, or do I need to do anything with SPF/DKIM first?

I don’t have access to your DMARC reporting data, nor do I know if your SPF and DKIM are correctly configured and working as expected, so I cannot answer that question.

Are your genuine emails passing DMARC? If they all are, you should be okay to increase your DMARC policy. You need to make that determination based on the results of your DMARC reports.

I really appreciate your help. My records look like this: (sensitive info removed)

v=DMARC1; p=none; rua=cloudflare

v=spf1 include: google, a few more providers and outlook

v=DKIM1; k=rsa; p=mycode

These DNS records do not contain sensitive information, they are public by design.

When you send an email to someone, the receiving mail server will look these records up to verify the email was sent from you.

By hiding the relevant information, you’re just making it impossible for anyone to help you.

Do you actually use all these services to send email? That seems somewhat unlikely to me.

It is impossible to verify DKIM is working without actually sending an email. I recommend testing your setup with https://www.mail-tester.com to see if there are any problems.

Thanks for sharing the additional details. I was attempting to imply that only you can make the call on whether the time is right to increase your DMARC policy. If you have observed that all of your email is passing DMARC, you should be fine.

This is my SPF record.

Google is our email provider, Zendesk and Mailgun are authorized vendors. Do I have to have Outlook in my SPF record? Some of my users use Outlook.

No, you don’t need Outlook in your SPF records if Google is your email provider.

An SPF record is essentially a list of IP addresses that are allowed to send emails from your domain. If Google is your email provider, then your emails will be sent from Google IP addresses, even if you use the Outlook email client.

But you need to keep Zendesk and Mailgun in the record.

Also, have you tried mail-tester to see if DKIM is working?

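To make the record-level advice in this thread checkable, here is an added example (not from the thread, not Cloudflare's tooling) that parses an SPF record and a DMARC record as plain strings and flags the problems discussed above: a p=none policy, a missing rua address, an SPF record with no `all` term or a `+all` that authorises everyone, and more than the ten DNS-lookup mechanisms RFC 7208 allows. The sample records are constructed; the include hostnames are what the providers named in the thread publish as far as I know, but verify each against the vendor's own documentation before copying them.

```python
"""Parse SPF and DMARC TXT records offline and flag common misconfigurations."""

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed records for the example. The include names are assumed to be
# the providers' published SPF includes; check each vendor's documentation.
SAMPLE_SPF = ("v=spf1 include:_spf.google.com include:mail.zendesk.com "
              "include:mailgun.org include:spf.protection.outlook.com ~all")
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_spf(record):
    """Return includes, DNS-lookup count and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier such as redirect=domain or exp=domain
            name, _, value = term.partition("=")
        else:            # mechanism such as include:domain, a, mx, all
            name, _, value = term.partition(":")
        name = name.split("/")[0].lower()  # strip CIDR from a/24, mx/24
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(value)
        if name == "all":
            all_qualifier = qualifier
    return {"includes": includes, "lookups": lookups, "all": all_qualifier}


def spf_issues(parsed):
    """Human-readable problems found in a parsed SPF record."""
    issues = []
    if parsed["lookups"] > MAX_LOOKUPS:
        issues.append(f"{parsed['lookups']} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}; "
                      "receivers return permerror")
    if parsed["all"] is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif parsed["all"] == "+":
        issues.append("'+all' authorises every IP on the internet")
    elif parsed["all"] == "?":
        issues.append("'?all' is neutral and gives receivers nothing to act on")
    return issues


def parse_dmarc(record):
    """Return the DMARC record as a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_issues(tags):
    """Problems in a parsed DMARC record, matching the advice in the thread."""
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports to review")
    return issues


if __name__ == "__main__":
    spf = parse_spf(SAMPLE_SPF)
    print("SPF includes:", spf["includes"], "lookups:", spf["lookups"], "all:", spf["all"])
    print("SPF issues:", spf_issues(spf) or "none")
    dmarc = parse_dmarc(SAMPLE_DMARC)
    print("DMARC tags:", dmarc)
    print("DMARC issues:", dmarc_issues(dmarc) or "none")
```

The sample SPF record passes the structural checks (four lookups, `~all`), which mirrors the point made above: soft-fail is fine once DMARC is doing the enforcement, and the Outlook include is only worth keeping if mail is actually relayed through Microsoft 365 rather than merely read in the Outlook client. The sample DMARC record is flagged for p=none, which is exactly the setting the original poster was told to tighten.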
