Blog

Have you ever received an email bounce for an email from your email address, or your email domain, that you never sent? We get a lot of emails and calls from people that this has happened to with the concern that their email accounts have been hacked.

While this may be the case, it's not the only reason why this could have occurred.

It's actually quite easy to send email email purporting to be from a different email address. The code below shows how you can send an email saying that you're the CEO of Microsoft.

SmtpClient smtp = new SmtpClient();
MailMessage fakeemail = new MailMessage();
fakeemail.Subject = "You've won a free copy of Windows";
fakeemail.Body = "Click this suspicious link to get your free copy of Windows";           
fakeemail.From = new MailAddress("ceo@microsoft.com");
fakeemail.To.Add(new MailAddress("joe@bloggs.com"));
smtp.Send(fakeemail);

If I run this code and send it through an email server, it will go to joe@bloggs.com and look like it's from ceo@microsoft.com
There is a mechanism in place to help stop this from happening called Sender Policy Framework, commonly known as SPF. SPF is a DNS TXT record that lists what servers are allowed to send on behalf of this domain. An example of an SPF record is

"v=spf1 a mx -all"

Lets say this SPF record is for the bloggs.com domain from our example above

What this is saying is that for this domain, the only servers that may send on behalf of bloggs.com are those with a A record listed for bloggs.com, or those servers listed as part of the MX record for bloggs.com

Looking at the example below, email would be allowed from the servers with the IP's 202.136.99.90 (the blank A record), and from 202.136.110.111 (the IP of mail.bloggs.com in the MX record)

The "-all"" on the end says that no other server can send and if they try they should do a hard fail. A hard fail means that the email should be rejected. If you want email to do a soft fail from other servers, which usually means that the email will be tagged as having failed SPF, but still be allowed through, you would set the all to be "~all", rather than "-all"

If you send email out via your ISP's email server rather than the same server that your email is received to (via your MX record), then you should ask your ISP what information needs to be added to your SPF record to allow this. The same applies if you send email from your domain via an online newsletter tool such as MailChimp.

If you host your email (and DNS) with Expeed, then the default SPF record above is added to your DNS as soon as you add an email account to your domain.

If you're not sure if this record exists for your domain, you can contact our support department.

This Sender Policy Framework is an optional framework and is not implemented on all email servers, so it is not the silver bullet to solve this issue, but it always pays to ensure that it is correctly configured to try to minimise the issue. If you want to find out more about the SPF syntax, then head over to the Sender Policy Framework record syntax page

As mentioned above, there is still a possibility  that the password for your email account has been compromised, so if you're not sure, change your password and be sure to set it to a long complex password.