Good afternoon! We've been dealing with spoofed emails where messages appear to come from our internal users. Recently, one of our users received an email that seemed to originate from themselves, often with random subject lines like "Voicemail at 12:34 PM." When I conducted a message trace, both the sender's address and the return path indicated the internal user's email. However, the Message-ID presented a different domain, like "[email protected]." My question is, should we block this "randomdomain.home"? While the email failed all checks and wasn't delivered, I'm looking for ways to identify and block these spoofed senders effectively. Thanks in advance for your assistance!
5 Answers
Definitely add that domain to the 'blocked senders' list in your email filter. We use Mimecast, and it's been effective for us, although it seems like your existing filters are working well already.
You’re ensuring you have DKIM, SPF, and DANE configured in your email systems, right? Those mechanisms are crucial for preventing spoofing.
Try using the header information in a header analyzer like the one at mxtoolbox.com. It can give you insights, including any domains that don’t belong, which might help identify the true sender.
Thanks! I did that and found '[email protected]' listed under references.
It sounds like you've already stopped that spoofed email since it failed all checks, but I get that you're looking to bolster your defenses. The Message-ID is usually created by the sending domain, so that 'randomdomain.home' could be a good candidate to block, but maybe consider why you want to go further if the current system is doing its job?
This is just informational—I'm trying to learn more about email security.
Typically, the Message-ID is unique to the sender, generated by their mail server. You can't rely on it alone for verification, but it is a strong indicator of the sender's identity.
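The header-analyzer advice above and the point about the Message-ID can be turned into a small triage script. The example below is added here and is not code from the thread or from any product mentioned in it. It parses a raw message, pulls the domain out of From, Return-Path and Message-ID, reads the spf/dkim/dmarc verdicts from the Authentication-Results header, and flags the pattern the question describes: a message addressed from a user to themselves whose Message-ID domain belongs to neither the From nor the Return-Path domain. Both sample messages are constructed; the addresses, the domain mail.example.com and the Authentication-Results values are assumptions, while randomdomain.home is the domain from the question. Keep in mind that the Message-ID is written by whatever software composed the message, so the sender controls it completely; it is a useful hunting indicator, not a trustworthy identity.

```python
"""Triage of a suspected self-spoofed message from its headers (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the case in the question: From and Return-Path
# are the internal user, the Message-ID domain is something else entirely, and
# every authentication check failed. Not real traffic.
SPOOFED_SELF_MESSAGE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example.com;
 dkim=none header.d=none;
 dmarc=fail header.from=example.com
From: Alice <alice@example.com>
To: Alice <alice@example.com>
Subject: Voicemail at 12:34 PM
Message-ID: <20240101123400.abc123@randomdomain.home>
Date: Mon, 01 Jan 2024 12:34:00 +0000

You have a new voicemail.
"""

# Constructed legitimate sample: Message-ID from a subdomain of the sending
# organisation (common for real MTAs), all checks pass. Not real traffic.
LEGITIMATE_MESSAGE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch
Message-ID: <20240101130000.xyz789@mail.example.com>
Date: Mon, 01 Jan 2024 13:00:00 +0000

Lunch at noon?
"""

# Matches the mechanism=result pairs in an Authentication-Results header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def address_of(header_value):
    """Lower-cased addr-spec of an address-like header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.lower()


def domain_of(header_value):
    """Domain part of From / Return-Path / Message-ID style headers, '' if absent."""
    addr = address_of(header_value)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def same_org(child, parent):
    """True if child is parent or a subdomain of it. This is a plain suffix test,
    not a public-suffix-list lookup, so treat it as an approximation."""
    return bool(child) and bool(parent) and (child == parent or child.endswith("." + parent))


def parse_auth_results(header_value):
    """Return {'spf': 'fail', 'dkim': 'none', ...} from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RESULT_RE.finditer(str(header_value or ""))}


def triage(raw_message):
    """Extract the indicators a header analyzer would show and list the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    message_id_domain = domain_of(msg.get("Message-ID"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    findings = []
    # The pattern in the question: the user appears to mail themselves.
    if address_of(msg.get("From")) and address_of(msg.get("From")) == address_of(msg.get("To")):
        findings.append("self-addressed")
    # Message-ID domain belongs to neither the header From nor the envelope sender.
    if message_id_domain and not (same_org(message_id_domain, from_domain)
                                  or same_org(message_id_domain, return_path_domain)):
        findings.append("message-id-domain-mismatch")
    # Anything other than an explicit pass is worth noting (fail, none, missing).
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}-{auth.get(mech, 'missing')}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "message_id_domain": message_id_domain,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_SELF_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, triage(raw))
```

Run over a mailbox export, the `message_id_domain` column gives you a list of candidate domains to review; the `findings` list tells you which of them also failed authentication, which is the combination worth acting on. A Message-ID mismatch on its own is common for mail sent through bulk senders or ticketing systems, so pair it with the authentication verdicts before adding anything to a block list.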

Are we referring to '[email protected]', right?