How to stop people from using my domain to send spam? [duplicate]

Since it hasn't been explicitly stated yet, I'll state it.

No one's using your domain to send spam.

They're using spoofed sender data to generate an email that looks like it's from your domain. It's about as easy as putting a fake return address on a piece of postal mail, so no, there's really no way to stop it. SPF (as suggested) can make it easier for other mail servers to identify email that actually comes from your domain and email that doesn't, but just like you can't stop me from putting your postal address as the return address on all the death threats I mail, you can't stop someone from putting your domain as the reply-to address on their spam.

SMTP just wasn't designed to be secure, and it isn't.


It is the nature of SMTP (the protocol used to transfer mail) that no validation is done on the sender address listed in an email. If you want to send an email that appears to come from [email protected]...you can go ahead and do that, and in many cases there's nothing anyone can do to stop you.

Having said that, if you establish SPF records for your domain, there's a better chance that receiving systems will recognize the forged email as spam. An SPF record identifies systems that are allowed to originate mail for your domain. Not all receiving systems pay attention to SPF records, but larger email providers will use this information.


I endorse the answers already given regarding SPF (+1, each of you!) but please note that if you decide to go this way - and it's a good way - there is no point in doing it unless you identify and advertise all hosts that are approved to send email for your domain, and hard-disallow all others with -all.

Not only will ?all and ~all not have the desired effect, but some mail admins on SF regard them as a sign of a positively-spammy sender domain.


Sender Policy Framework (SPF) can help. It is an email validation system designed to prevent email spam by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
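
What the choice between `-all`, `~all` and `?all` changes for a receiving server, as an added example that is not part of any answer above: a minimal offline SPF evaluator that handles only the `ip4`, `ip6` and `all` mechanisms. The records, the function names and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate an SPF TXT record against a connecting IP, left to right.

    Handles only ip4:, ip6: and all. Terms that need DNS lookups or further
    processing (a, mx, include, redirect=, ...) raise, as this runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if mech == "all":                      # matches every sender
            return QUALIFIERS[qualifier]
        name, _, value = mech.partition(":")
        if name not in ("ip4", "ip6"):
            raise ValueError(f"term not handled in this example: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]       # first match decides the result
    return "neutral"                           # nothing matched: default result

# Constructed records: the same approved range, three different endings.
POLICIES = {
    "-all": "v=spf1 ip4:192.0.2.0/24 -all",
    "~all": "v=spf1 ip4:192.0.2.0/24 ~all",
    "?all": "v=spf1 ip4:192.0.2.0/24 ?all",
}

def compare(sender_ip):
    """Return the SPF result each policy gives for one connecting IP."""
    return {label: check_spf(rec, sender_ip) for label, rec in POLICIES.items()}

if __name__ == "__main__":
    # 192.0.2.25 is inside the approved range; 198.51.100.7 is not listed.
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(ip, compare(ip))
```

Only the `-all` record yields `fail` for the unlisted host; the other two return `softfail` and `neutral`, which leave the decision to the receiver.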