I'm looking for help in tracking down any spoofed emails that might be coming into my company via direct send. I've done a mail trace, but it seems that emails coming through Proofpoint or other third-party services might not be using a connector since nothing was listed in the report. I don't want to just disable direct send because that could block legitimate communications. I've heard there's a method in PowerShell that allows for spoofing a domain via direct send, which could sidestep SPF and DMARC protections. Anyone have advice on how to get a clearer picture of what's going on?
1 Answer
If you're using Proofpoint, it should already be checking for DKIM and SPF to block those spoofed domains. Another thing you could consider is limiting inbound SMTP connections to only the IPs of Proofpoint. That can really help tighten things up!
My manager hesitated to enable that option. I think he mentioned that some of our devices, like printers, rely on direct send, so we would have to reconfigure those to go through Proofpoint. I'm still picking things up in my first month here and some of the setups seem a bit silly.
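The following is an added example, not code from the original thread or from Microsoft or Proofpoint documentation. It shows one way to answer the original question with Exchange Online PowerShell: pull the message trace and flag mail that was addressed from your own domain to your own domain but arrived from a source IP outside the ranges you expect (your gateway's delivery IPs plus any office egress used by printers or scanners that still direct send). Such mail reached the tenant MX directly rather than through the gateway, which is exactly the path a direct send spoof takes. The domain `contoso.com`, the IP ranges (RFC 5737 documentation addresses), the three-day window and the assumption that legitimate intra-tenant mail shows no external `FromIP` are all placeholders to replace; the script assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example (not from the thread): find mail that reached Exchange Online
# directly instead of through the inbound gateway, by checking the FromIP of
# own-domain-to-own-domain messages against the ranges we expect.
# Assumes: ExchangeOnlineManagement module loaded and Connect-ExchangeOnline done.

$OurDomain = 'contoso.com'                     # assumption: your accepted domain
$ExpectedRanges = @(
    '198.51.100.0/24',  # assumption: your gateway's (e.g. Proofpoint's) delivery range; use the real list from the vendor
    '203.0.113.0/24'    # assumption: office egress used by printers/scanners that still direct send
)

# IPv4-only CIDR test. IPv6 sources return $false and are therefore flagged for review.
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # to host byte order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32](([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Test-IPInExpectedRanges {
    param([string]$Ip, [string[]]$Ranges)
    foreach ($r in $Ranges) {
        if (Test-IPv4InCidr -Ip $Ip -Cidr $r) { return $true }
    }
    return $false
}

# Get-MessageTrace covers roughly the last 10 days and returns up to 5000 rows per page;
# Get-MessageTraceV2 is the newer cmdlet if your module exposes it. Page through all results.
$end   = Get-Date
$start = $end.AddDays(-3)                      # assumption: three-day review window
$all   = @()
$page  = 1
do {
    $batch = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page
    $all  += $batch
    $page++
} while ($batch.Count -eq 5000)

# Direct send spoofs look like internal mail on the envelope (our domain on both sides)
# but carry the raw sending host's IP. Mail relayed by the gateway carries the gateway IP.
$suspect = $all | Where-Object {
    $ip = $_.FromIP
    $_.SenderAddress    -like "*@$OurDomain" -and
    $_.RecipientAddress -like "*@$OurDomain" -and
    $ip -and                                   # assumption: mailbox-to-mailbox mail shows no external FromIP
    -not (Test-IPInExpectedRanges -Ip $ip -Ranges $ExpectedRanges)
}

# Summarise by source IP so a legitimate device (one IP, a few fixed senders) is easy to
# tell apart from a spoof (unfamiliar IP, many or executive sender addresses).
$suspect |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'FromIP';  e = { $_.Name } },
                  @{ n = 'Senders'; e = { ($_.Group.SenderAddress | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Sample';  e = { $_.Group[0].Subject } } |
    Format-Table -AutoSize
```

Run it once with an empty `$ExpectedRanges` first: every own-domain source IP then appears in the table, which gives you the inventory of printers and other devices the comment above mentions before you decide on an allow list. Once the device ranges are known, the enforcement the answer describes is usually done with a Partner-type inbound connector (`New-InboundConnector` with `-SenderDomains *`, `-SenderIPAddresses <gateway and device ranges>` and `-RestrictDomainsToIPAddresses $true`), which rejects anything else at the tenant edge; Exchange Online has also added an organization-level `RejectDirectSend` switch on `Set-OrganizationConfig` for tenants that have moved every device off direct send. Either change should be made only after the trace above comes back clean for the devices you intend to keep.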