Enabling Email Spoof prevention on Connect Xf: Impact and Client configurations

There are several good resources on our website and blog that describe what email spoofing is , how impacts your business  and what you can do to prevent it on Connect Xf

It is strongly recommended that you enable the spoof check feature on your server to prevent internal spam attacks which eventually lead to a lot of junk mail escaping your servers into the Internet. Once this impacts your IP reputation, the outbound IP addresses of your server are likely to get blacklisted in RBL sites worldwide, causing a major impact on all your users

This article is about describing the full impact and plan to enable the spoof check feature on your Connect Xf server.

Step 1: What is the Expected and Correct client configuration if Spoof check is enabled?

Essentially when a user sends a mail using a mobile client like android, IOS, etc or desktop client like Outlook, Thunderbird etc. it is important that the following two configurations carry the same value:

  • The email id configured for the account.
  • The authentication email id configured for the account.

Only if these two email id values are the same, will the mail from this user be allowed to pass through the server.

The Reply to address can be same as the email or different if the recipient’s reply must land somewhere else

Why do users set these two email ids differently, while configuring their email account?

Typically most email servers will relay any type of mail once the user has authenticated himself. This means that once I have connected to a server, authenticated myself, the server now will become my servant and relay any mail for me (from anyone to anyone)

Lets see some typical reasons why users specify different email ids for authentication and for their account.

Scenario 1:

I am James and I work in the support department of Acme corp.
I configure my MS Outlook to authenticate with my email id: [email protected]
However I want replies to my email to come to [email protected]
So I will configure the account email id as [email protected]

Scenario 2:

I am Mary and I work in the marketing department of Acme corp.
I want to shoot a mail campaign to about 1000 users but any replies to the campaign mail should come to [email protected]
So I configure my Thunderbird to authenticate with my email id: [email protected]
And I will configure the account email id as [email protected]

Essentially this configuration, where the authentication email id is different from the account email is is always done so that the replies come to a different email id.

Alright, I will make the changes you suggested, but I still want to achieve the objectives in the above scenarios.

You can still achieve the objective of having replies come to a different email id by configuring the “Reply To” email id in your account. This will ensure that when the recipient replies, the reply will be sent to the email id specified in the “Reply to” box. An image for this is shown below.

Check screen shots below of the WRONG configuration and the CORRECT configuration to be done on clients.

Android


iPhone


Thunderbird


MS Outlook

Step 2: Enabling spoof check on the server

Only after all the clients are configured as above, should you get into this step where you enable Spoof check for the “Default” SMTP address such that any connection from the end users will get checked for spoof check

Command to enable spoof check for the default SMTP control :

/mithi/mcs/bin/setsmtpcontrols.sh default -spoofcheck 2

Click here to learn more about SMTP controls

How the spoof check feature will work?

On enabling the spoof check feature, clients configured with invalid SMTP address are restricted to send mails.
Below are the sample error messages received.

Android

iPhone

Outlook

Thunderbird

Leave a Reply

Your email address will not be published. Required fields are marked *