Need help stopping email spoofing from my domain


I’m trying to stop someone from spoofing my domain and sending out spamming emails. I’ve already set up SPF (Sender Policy Framework). I thought that would block these from being sent, but it didn’t. It seems like the received from server in the header is always different. I’ve seen: (unknown [] ( [] ( [] (unknown [] ( []

Here is the header from an email that bounced back to me because I have a catch-all email setup. Any help is greatly appreciated.

Return-Path: <>
Received: from (unknown [])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id A6F7D27844D
for; Thu, 28 Jun 2012 20:19:22 -0700 (PDT)
Received: from localhost (localhost)
by (8.13.8/8.13.8) id q5T2xcIb003499;
Thu, 28 Jun 2012 22:59:38 -0400
Date: Thu, 28 Jun 2012 22:59:38 -0400
From: Mail Delivery Subsystem
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message


The original message was received at Thu, 28 Jun 2012 22:59:37 -0400
from []

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
554 5.2.2 Mail system full.
554 5.0.0 Service unavailable

Content-Type: message/delivery-status

Reporting-MTA: dns;
Received-From-MTA: DNS; []
Arrival-Date: Thu, 28 Jun 2012 22:59:37 -0400

Final-Recipient: RFC822;
Action: failed
Status: 5.5.0
Last-Attempt-Date: Thu, 28 Jun 2012 22:59:38 -0400

Content-Type: text/rfc822-headers

Received: from ([])
by (8.13.8/8.13.8) with ESMTP id q5T2xZIb003483
for; Thu, 28 Jun 2012 22:59:37 -0400
Date: Thu, 28 Jun 2012 22:59:35 -0400
Message-Id: 20120629061918.FE0508BDF74D125374F6@NJM-PC
From: Lavonne Livingston
To: etbunch
Reply-To: Irma Durham
Subject: Hi etbunch
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit



You’re getting backscatter which is not surprising considering you are using a “catch all” mailbox. It could be that the machine that is receiving messages is going to send bounces to forged From/Sender addresses regardless of whether or not the machine sending the message is blacklisted.


You can’t prevent anyone from sending an e-mail that spoofs your domain, even with SPF. What SPF does is to allow the recipient of such e-mails to detect if an e-mail is sent from an authorized server, thus making it easier to detect spam.

It would make sense for the servers that deal with such messages not to send failure messages to a spoofed address. If so that would reduce the backscatter. I don’t know if this is common behavior, but given that you are still receiving them after setting up SPF, I guess the answer is that it’s not.
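An added example, not part of the original thread: one way to triage bounces like the one posted above is to read the original headers embedded in the bounce and check whether the client that handed the message to the bouncing server is one of your own senders. The `classify_bounce` function, the `my_senders` list (assumed to hold the CIDR ranges your SPF record authorizes) and the sample bounce with its documentation hostnames and addresses are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample bounce; hosts and IPs are documentation values.
SAMPLE_DSN = """\
Return-Path: <>
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: RFC822; someone@example.net
Status: 5.5.0

--BOUND
Content-Type: text/rfc822-headers

Received: from pc.invalid ([203.0.113.77])
    by mx.example.net (8.13.8/8.13.8) with ESMTP
From: Lavonne Livingston <anything@example.com>

--BOUND--
"""

def classify_bounce(raw, my_senders):
    """Return (dsn_status, client_ip, verdict) for one raw bounce."""
    msg, status, orig = email.message_from_string(raw), None, None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Parsed into header blocks; the per-recipient block carries Status.
            for block in part.get_payload():
                status = block.get("Status", status)
        elif ctype == "text/rfc822-headers":
            orig = email.message_from_string(part.get_payload())
    # Top Received line is the bouncing server's own record of who connected.
    received = orig.get_all("Received", []) if orig is not None else []
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", received[0]) if received else None
    try:
        ip = ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        ip = None
    if ip is None:
        return status, None, "unknown"
    ours = any(ip in ipaddress.ip_network(n) for n in my_senders)
    return status, str(ip), "sent-by-us" if ours else "backscatter"
```

A verdict of "backscatter" means the bounced message never passed through your servers, so it can be filtered at the catch-all instead of being treated as a failed delivery of your own mail.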