A spammer seems to be running spam through SES and spoofing our domain.

We are using SPF and DKIM so I’m not sure what is going on.

This is our SPF record:

v=spf1 a mx include:amazonses.com include:_spf.google.com include:secureserver.net ~all

I had one of the recipients of the spam send me their header file. I've attached the results from Google's Email Header Analysis Tool for both the spam email and a legit email from our domain.

Here's the analysis of the spam email headers:

Here's the analysis of the legit email headers:

As can be seen in the reports, the SPF and DKIM results show as “neutral” for the spam email and “pass” for the legit email. The spam one also gets routed through a third party server that looks suspect.

Does anyone have any ideas what might be going on and how to stop it?


Solution 1:

You need to set up DMARC in order to prevent this kind of spoofing.

You can find lots of documentation online about DMARC.

Keep in mind two important things:

  1. Any email has two different sender addresses, the envelope-from and the header-from; they may differ, and this is legit. E-mail clients only show the header-from.

  2. SPF protects from spoofing of the envelope-from; DMARC protects from spoofing of the header-from.
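To make the envelope-from / header-from distinction in the answer concrete, here is an added example (not code from the question or the answer) that evaluates two constructed messages the way a receiving DMARC check would: it reads the Authentication-Results header a receiver stamps on the message, checks whether the SPF-authenticated envelope-from domain (smtp.mailfrom) and the DKIM-signing domain (header.d) are aligned with the header-From domain, and then applies a DMARC policy record. The headers, the example.com domain, and the DMARC record are all constructed placeholders, and the organizational-domain logic is a simplification (last two labels) rather than the Public Suffix List that real implementations use.

```python
"""Added example: minimal DMARC-style alignment and policy evaluation.
Not from the original question or answer; all inputs are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed message as a receiver would see it after its own SPF/DKIM checks.
# Envelope-from (Return-Path) and header-From both belong to example.com.
LEGIT_MSG = """Return-Path: <bounce@example.com>
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
Subject: quarterly report

body
"""

# Constructed spoof: header-From claims example.com, but the envelope-from is a
# relay domain, SPF is only "neutral" and there is no DKIM signature.
SPOOF_MSG = """Return-Path: <x@relay.invalid>
Authentication-Results: mx.google.com; spf=neutral smtp.mailfrom=relay.invalid; dkim=none
From: Alice <alice@example.com>
Subject: urgent invoice

body
"""

# Constructed DMARC record for the placeholder domain (published at _dmarc.example.com).
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real DMARC
    uses the Public Suffix List, so e.g. co.uk domains would need more care)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value):
    """Extract spf/dkim results and their identifier properties from an
    Authentication-Results header value (first clause is the authserv-id)."""
    results = {}
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        props = dict(re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.\-]+)", clause))
        results[method] = (result, props)
    return results


def parse_dmarc_record(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_evaluate(raw_message, record=DMARC_RECORD):
    """Return alignment results and the disposition the DMARC policy asks for."""
    tags = parse_dmarc_record(record)
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_props = ar.get("spf", ("none", {}))
    spf_aligned = spf_result == "pass" and aligned(
        spf_props.get("smtp.mailfrom", ""), from_domain, tags.get("aspf", "r"))

    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    dkim_aligned = dkim_result == "pass" and aligned(
        dkim_props.get("header.d", ""), from_domain, tags.get("adkim", "r"))

    passed = spf_aligned or dkim_aligned  # DMARC needs at least one aligned pass
    return {
        "from_domain": from_domain,
        "envelope_from_domain": spf_props.get("smtp.mailfrom", ""),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        "disposition": "none" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoof", SPOOF_MSG)):
        print(label, dmarc_evaluate(raw))
```

The spoofed message shows the gap the answer describes: SPF only ever judged relay.invalid (the envelope-from), which is why it came back "neutral" rather than "fail" for example.com, while the header-From the recipient actually sees still claims example.com. Only the DMARC alignment check ties the two together and, with p=reject, tells the receiver to refuse the message.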