Rejecting spoofed email?

Is there a way to filter spoofed email at the receiving end? Essentially I’m getting a lot of spoofed spam & blackmail style emails from “me” to myself, some claiming to have hacked my computer and demanding Bitcoin ransom :roll_eyes:. These are obviously spoofed. Sorry if this is a noob question, but I haven’t had a lot of time to research.

In theory, having a strict DMARC record (and associated DKIM/SPF records) should prevent spoofing. I.e. if the DMARC record says to reject or quarantine spoofed mail, then your receiving mail system should reject or junk the mail before you see it.

Just an FYI - having a strict DMARC will interfere with your contact form or order form ‘reply to’ address. Most often the email will be blocked and you’ll never know, and your customers will wonder why you never replied.

This is because by including your customer’s email address that doesn’t match your domain, you become the spoofer.

Definitely one has to check that any software is DMARC compatible before activating a strict policy, but about the “‘reply to’ address”:

My understanding is that the Reply-To: header isn’t covered by DMARC, only the Return-Path: (aka Envelope From) and From: headers. If I’m wrong, I’ll have to go fix some of my email code!

“In theory there is no difference between theory and practice. In practice there is.” - Yogi Berra
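To make the point in the two replies above concrete (a strict policy rejects or quarantines unaligned mail, and only the From: and Return-Path/DKIM identifiers take part in that decision, never Reply-To), here is an added example of receiver-side DMARC evaluation. It is not code from this thread or from DreamHost; the DMARC records, domains and messages are constructed, and `org_domain()` is a simplification of the Public Suffix List lookup a real verifier performs.

```python
"""Receiver-side DMARC evaluation: which headers actually count.

Added example, not code from any post in this thread or from DreamHost.
It follows the RFC 7489 logic: the domain in the RFC5322.From header must
align with the domain SPF authenticated (RFC5321.MailFrom, shown to users
as Return-Path) or with the DKIM signing domain (d=).  Reply-To is never
consulted.  All records, domains and messages below are constructed.
"""

# Constructed DMARC records keyed by domain, standing in for DNS lookups.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "bigmail.example": "v=DMARC1; p=reject",
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict with RFC defaults applied."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    policy = {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"),
              "aspf": tags.get("aspf", "r")}
    policy["sp"] = tags.get("sp", policy["p"])  # subdomain policy defaults to p
    return policy


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(address):
    """Domain part of an address, or None for an empty/null sender."""
    return address.rsplit("@", 1)[1].lower() if address and "@" in address else None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs equality, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_check(msg, records=DMARC_RECORDS):
    """Evaluate DMARC for one message.

    msg holds what a receiver already knows after SPF and DKIM: from_addr,
    return_path, spf and dkim results, dkim_domain (the d= tag) and
    reply_to, which is carried only to show that it plays no part.
    """
    from_domain = domain_of(msg["from_addr"])
    record, use_sp = records.get(from_domain), False
    if record is None:  # no record at the exact domain: try the org domain
        record, use_sp = records.get(org_domain(from_domain)), True
    if record is None:
        return {"dmarc": "none", "disposition": "deliver"}
    policy = parse_dmarc(record)
    spf_ok = msg.get("spf") == "pass" and aligned(
        from_domain, domain_of(msg.get("return_path")), policy["aspf"])
    dkim_ok = msg.get("dkim") == "pass" and aligned(
        from_domain, msg.get("dkim_domain"), policy["adkim"])
    passed = spf_ok or dkim_ok
    p = policy["sp"] if use_sp else policy["p"]
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "deliver" if passed else DISPOSITION[p]}


# Constructed messages: a DMARC-aligned contact form, the spoofed
# "from me to me" mail the question describes, and a form that puts the
# visitor's own address in From: (the case that gets blocked).
FORM_MAIL = {"from_addr": "forms@example.com", "return_path": "forms@example.com",
             "spf": "pass", "dkim": "pass", "dkim_domain": "example.com",
             "reply_to": "user@random.example"}
SELF_SPOOF = {"from_addr": "me@example.com",
              "return_path": "bounce@bulk.spammer.example",
              "spf": "pass", "dkim": "none", "dkim_domain": None,
              "reply_to": "me@example.com"}
VISITOR_IN_FROM = {"from_addr": "customer@bigmail.example",
                   "return_path": "forms@example.com",
                   "spf": "pass", "dkim": "pass", "dkim_domain": "example.com",
                   "reply_to": None}

if __name__ == "__main__":
    for name, m in (("form mail", FORM_MAIL), ("self spoof", SELF_SPOOF),
                    ("visitor in From", VISITOR_IN_FROM)):
        print(name, dmarc_check(m))
```

Note that SELF_SPOOF has SPF "pass": the spammer's own domain publishes a valid SPF record, but it is not aligned with the From: domain, so DMARC still fails and `p=reject` applies. The visitor-in-From case fails for the same reason from the other side, which is why a form must send from its own domain and put the visitor in Reply-To.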

I should have been more specific. I’m using dreamhost’s mail servers. I pretty much just use my domain & hosting for email & picture sharing, so I’m not really administering a site or know much about that. I was hoping there would be a way to enhance the spam filtering through dreamhost…?

Assuming DMARC is set up, then you could add a filter to your DH email at https://mailboxes.dreamhost.com to catch spoofed email. Something like this (untested):
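The post above configures its filter in the DreamHost webmail UI, whose rule is not shown here. As an added example, not that filter and not DreamHost code, the following shows the check such a rule needs to make when run over raw messages: trust only the Authentication-Results header stamped by your own receiving server (its authserv-id), ignore any such header a sender added, and treat mail with your own address in From: that lacks `dmarc=pass` as spoofed. `OWN_ADDRESS`, `OWN_AUTHSERV` and the three raw messages are constructed samples.

```python
"""Mailbox filter: flag mail that claims to be from me but did not pass DMARC.

Added example, not the DreamHost webmail filter from the post above.
OWN_ADDRESS, OWN_AUTHSERV and the sample messages are constructed.
"""
import email
import re
from email.utils import parseaddr

OWN_ADDRESS = "me@example.com"    # assumption: the mailbox being filtered
OWN_AUTHSERV = "mx.example.com"   # assumption: authserv-id of your own MX


def trusted_auth_results(msg, authserv_id):
    """Collect method=result pairs from Authentication-Results headers
    whose authserv-id is ours.  Headers naming any other authserv-id may
    have been written by the sender and are ignored."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        fields = [f.strip() for f in header.split(";")]
        authserv = fields[0].split()[0].lower() if fields[0] else ""
        if authserv != authserv_id.lower():
            continue
        for field in fields[1:]:
            match = re.match(r"([a-z]+)=([a-z]+)", field, re.IGNORECASE)
            if match:
                results[match.group(1).lower()] = match.group(2).lower()
    return results


def classify(raw, own_address=OWN_ADDRESS, authserv_id=OWN_AUTHSERV):
    """Return what the filter saw and decided for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    auth = trusted_auth_results(msg, authserv_id)
    claims_to_be_me = from_addr == own_address.lower()
    return {"from": from_addr, "auth": auth,
            "spoofed": claims_to_be_me and auth.get("dmarc") != "pass"}


def is_spoofed_self_mail(raw, **kw):
    return classify(raw, **kw)["spoofed"]


# Constructed sample 1: the blackmail spam.  The sender added a fake
# Authentication-Results header of its own; our MX added the real one.
SPOOFED = "\n".join([
    "Authentication-Results: spammer.example; dmarc=pass header.from=example.com",
    "Authentication-Results: mx.example.com;",
    "\tspf=fail smtp.mailfrom=bounce@bulk.spammer.example;",
    "\tdkim=none;",
    "\tdmarc=fail (p=REJECT) header.from=example.com",
    "Return-Path: <bounce@bulk.spammer.example>",
    "From: me@example.com",
    "To: me@example.com",
    "Subject: Your account has been hacked",
    "",
    "Send 0.5 BTC or else.",
])

# Constructed sample 2: a genuine note to self sent through my own server.
LEGIT = "\n".join([
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=me@example.com;",
    "\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "From: Me <me@example.com>",
    "To: me@example.com",
    "Subject: note to self",
    "",
    "Buy milk.",
])

# Constructed sample 3: someone else's mail, left to the ordinary spam filter.
OTHER_SENDER = "\n".join([
    "Authentication-Results: mx.example.com; dmarc=fail header.from=bigmail.example",
    "From: friend@bigmail.example",
    "To: me@example.com",
    "Subject: hi",
    "",
    "Lunch?",
])

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("other", OTHER_SENDER)):
        print(name, classify(raw))
```

The caveat a practitioner should keep in mind: if a sender forges an Authentication-Results header that names your own authserv-id, this filter cannot tell it from the real one. RFC 8601 expects the border MTA to strip inbound headers that claim its authserv-id before adding its own; check that your provider does this before trusting the header in a mailbox rule.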

OK good to know. The remaining issue is Gmail’s, Yahoo’s, Outlook’s and the numerous carriers’ DMARC settings that have been blocking Reply to: when their email addresses are being used from a 3rd party domain.

I had to remove all my Send Mail forms when I noticed my orders & inquiries slowed to a trickle. People who used their domain alias email address got through but not the major players.

In case it is useful for you or future readers, here’s an extract of the PHPMailer code I use to send DMARC-compliant form submissions. Note that the email is always from forms@example.com, not the user’s address (user@random.example). The destination is my Gmail address. I haven’t seen any blocking due to the Reply-To header yet (fingers crossed!).

<?php
use PHPMailer\PHPMailer\PHPMailer;
require 'vendor/autoload.php';

$mail = new PHPMailer(true);
$mail->isSMTP();
$mail->Host       = 'smtp.dreamhost.com';
$mail->SMTPAuth   = true;
$mail->Username   = 'forms@example.com';
$mail->Password   = '........';
// ...
// Envelope sender and From: both carry the authenticated mailbox's domain,
// so SPF and DKIM align with the From: domain and DMARC passes.
$mail->setFrom('forms@example.com', 'Example Form');
$mail->addAddress('me@gmail.com');
// The visitor's address goes in Reply-To, which DMARC does not evaluate.
$mail->addReplyTo('user@random.example');
// ...
$mail->send();

Resulting email:

From: Example Form <forms@example.com>
To: me@gmail.com
Reply-To: user@random.example
Authentication-Results: mx.google.com; ... dmarc=pass ...
...