We've been receiving some spam/phishing emails that are managing to get through on occasion, and the majority have a MAIL FROM our domain but their ENVELOPE FROM is whatever spammy address.

My understanding is that SPF only checks the envelope so I was thinking, if it was possible, to set up a rule that detects messages with a MAIL FROM using our domain and a mismatched ENVELOPE FROM address.

If MAILFROM = <ourDomain> then (If MAILFROM != ENVELOPEFROM then REJECT email)

Thanks in advance.

Crimsonfox
  • What is your DMARC POLICY? – Jacob Evans Nov 28 '18 at 10:51
  • @JacobEvans You know what, I thought DMARC was a combination of SPF and DKIM, so it would effectively operate on the envelope details, but looking into it, I think I'm wrong. I'll go and have a proper look now, thanks. – Crimsonfox Nov 28 '18 at 12:14
  • Also, there are many legitimate reasons for the envelope sender and the From header not to match. Rejecting mails based on that is not a good idea. – Esa Jokinen Nov 28 '18 at 20:56
  • @EsaJokinen I'm well aware but this is a very specific situation and I'm not looking to blanket reject all mismatches, just those with our domain. – Crimsonfox Nov 29 '18 at 08:26
  • Then you should really deploy DKIM and DMARC and require them. – Esa Jokinen Nov 29 '18 at 09:18
  • @EsaJokinen DKIM is implemented and DMARC for inbound emails should be automatic as we're on O365. I just had a chat with MS about this because I don't understand why it's not failing DMARC – Crimsonfox Nov 29 '18 at 09:35
  • @EsaJokinen I think it just clicked. I still need to publish a DMARC policy for outgoing email because that's what the receiving server is going to check when it receives a spoof email with our domain in the 5322 FROM. I was under the impression there needed to be an inbound DMARC policy to do this check. I'll implement a reporting policy and see how it goes, thanks for the help. – Crimsonfox Nov 29 '18 at 10:01
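
The check discussed in this thread, as an added example that is not part of the original question or comments: it compares the domain in the From: header (RFC 5322) with the domain of the envelope sender (SMTP MAIL FROM, RFC 5321) and only acts when the header claims the protected domain. The domain `example.com`, the function names and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "example.com"  # assumption: placeholder for the protected domain

# Constructed sample messages (not real traffic).
SPOOF = "From: IT Support <it@example.com>\nSubject: reset\n\nbody\n"
LIST = "From: Bob <bob@partner.test>\nSubject: hi\n\nbody\n"


def domain_of(address):
    """Return the lowercased domain of an address, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_ours(domain, ours=OUR_DOMAIN):
    """True for our domain or any subdomain of it (relaxed-style match)."""
    return domain == ours or domain.endswith("." + ours)


def verdict(envelope_from, raw_message, ours=OUR_DOMAIN):
    """Classify one inbound message.

    envelope_from: the SMTP MAIL FROM value (often logged as Return-Path).
    raw_message:   the message headers and body as text.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    authors = getaddresses(from_headers)
    # Zero or several From headers/authors cannot be evaluated for
    # alignment, so treat the message as malformed.
    if len(from_headers) != 1 or len(authors) != 1:
        return "reject: malformed From"
    header_domain = domain_of(authors[0][1])
    if not is_ours(header_domain, ours):
        return "pass: From is not our domain"  # third-party mismatches are left alone
    # A null sender ("<>") has no domain and is treated as not aligned here.
    if is_ours(domain_of(envelope_from), ours):
        return "pass: aligned"
    return "reject: our domain in From, foreign envelope sender"


if __name__ == "__main__":
    print(verdict("bounce@spam.test", SPOOF))
    print(verdict("list-bounces@lists.test", LIST))
```

An aligned envelope sender only means something once SPF has passed for it, since the envelope sender can be forged as well. DMARC also accepts a message with an aligned DKIM signature, so this envelope-only rule is stricter than DMARC and would reject mail sent on the domain's behalf through a third party that uses its own bounce address.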
