EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 5 Aug 2017, 05:31 AM   #1
digp
Master of the @
 
Join Date: May 2003
Posts: 1,195
spam issue (outgoing)

Email is being sent with links (presumably phishing) pretending to be from my email address.

My email is at FM (a none-FM domain).

Can the SPF setting be changed so that any email purporting to me if not sent through FM is rejected by recipient email providers?

Thanks.
digp is offline   Reply With Quote

Old 5 Aug 2017, 07:04 AM   #2
TenFour
Senior Member
 
Join Date: Feb 2017
Posts: 173
I think this is a pretty good explanation of what is probably happening: http://domainhelp.com/email/somebody...in-name-in-it/
TenFour is offline   Reply With Quote
Old 5 Aug 2017, 09:57 AM   #3
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,480
Quote:
Originally Posted by digp View Post
Email is being sent with links (presumably phishing) pretending to be from my email address.

My email is at FM (a none-FM domain).

Can the SPF setting be changed so that any email purporting to me if not sent through FM is rejected by recipient email providers?

Thanks.
SPF (and DMARC) can be used to advise recipients only to accept email sent from FastMail's servers. This does not guarantee that all recipient servers will reject incoming mail that does not conform to those policies.

The specific process you need to follow to set up SPF and DMARC for your domain depends on where the DNS for your domain is managed.
BritTim is offline   Reply With Quote
Old 6 Aug 2017, 03:26 PM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,204
As BritTim said, if you have control over the domain you can change the SPF and DMARC settings to anything you like, but different email providers will interpret or ignore those settings in various ways.
  • SPF can be used to specify which SMTP servers are allowed to send for your domain. All that is required is that the proper SPF record be added to the DNS for the sending domain.
  • DKIM allows a recipient system to determine if a message was originated by a source authorized by the domain owner, and whether the message was altered during transmission. DKIM uses cryptographic signatures added to the email headers, and requires that both a DNS record is added and the sending server adds the signature.
  • DMARC is a way for domain owners to specify what happens if both SPF and DKIM fail for a message. DKIM forces alignment between the SMTP envelope-From and the header From. This means that message forwarding breaks SPF when DMARC rules are applied. But if DKIM passes the message may be accepted.
  • The common DMARC rules which may be specified are:
    • p=none (no action is to be taken)
    • p=quarantine (the message should be treated differently from normal messages, such by moving it to a spam folder)
    • p=reject (the message should be rejected, which might mean discarded)
  • At this time, few email systems will reject (discard) messages only based on failing DMARC tests.
I can't tell if you meant to say that you use a Standard or higher Fastmail account and host your own domain DNS at Fastmail. If that is true, then (see the Fastmail Settings>Domains setup page for your domain):
  • By default, Fastmail will automatically publish the following DNS records related to this discussion:
    • An SPF record which allows receivers to know that you send your mail via Fastmail servers, but that you may also send using non-Fastmail servers. So this default SPF record won't cause any receiver to block any messages claiming to be from your domain, no matter which server sends the messages. So SPF will be effectively disabled (no blocking of other senders).
    • DKIM records which cause Fastmail to cryptographically sign your domain messages if they are sent through the Fastmail servers. So DKIM signing will be enabled.
    • No DMARC records.
  • If you want to enable SPF to only allow messages from your domain to be sent by Fastmail servers, you can disable the default SPF record and add a DNS record for your domain which only allows the Fastmail outgoing server to by used. The DNS entry you need to add is:
    Code:
    v=spf1 include:spf.messagingengine.com -all
  • If you want to add a DMARC record I can later assist you with this. If you get this wrong, you can prevent messages you send from being received.
Bill
n5bb is offline   Reply With Quote
Old 7 Aug 2017, 06:32 AM   #5
digp
Master of the @
 
Join Date: May 2003
Posts: 1,195
I think

v=spf1 include:spf.messagingengine.com -all

is the solution

Really this should be the FM default
digp is offline   Reply With Quote
Old 7 Aug 2017, 09:05 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,204
Arrow SPF and DMARC

Quote:
Originally Posted by digp View Post
I think v=spf1 include:spf.messagingengine.com -all is the solution Really this should be the FM default
Sorry that this post is so long!

That's what I have done for my domain. But if that was the Fastmail default, persons setting up new DNS hosting at Fastmail would find they could no longer send from other SMTP servers as they might have done before. And anyone you send to who forwards their email to another account for reading might not receive any of your messages (unless you set up DMARC for your domain), since SPF normally breaks email forwarding and only DMARC DKIM can be used on forwarded email.

So Fastmail requires you to disable the default SPF record contents and add your own custom SPF record so you don't accidentally block messages you send. The default SPF record for your domain is set to:
Code:
v=spf1 include:spf.messagingengine.com ?all
which currently expands to:
v=spf1 ip4:66.111.4.0/24 ip4:107.150.24.0/24 ?all
The default qualifier is "pass" or +. So the default SPF entry current used (which could change if Fastmail moves there server IP) means:
  • Messages sent from SMTP addresses 66.111.4.0 through 66.111.4.24 (Fastmail) are allowed.
  • Messages sent from SMTP addresses 107.150.24.0 through 107.150.24.24 (Fastmail) are allowed.
  • Messages sent from any other SMTP address are classified as "neutral".
  • This setup allows messages sent from Fastmail but does not block any other SMTP server, since Fastmail has no idea what other servers you might use to send your domain email. You should add any SMTP IP addresses you also use and change the ending tag to -all to block others. You can use the provided default SPF record as a template. So your final SPF record might be:
    Code:
    =spf1 include:spf.messagingengine.com +xxx.xxx.xx.xx -all
  • Please consider that SPF only checks the envelope-From address. It does not check that the header From (which is what the recipient sees). DMARC is an attempt to cause alignment between the envelope-From, header From, SPF specification of allowed sending SMTP servers, and DKIM cryptologic signing for your domain by the sending email system.
  • So (back to your original post), SPF will not cause the recipient server to reject a message based on the header From address. SPF usually won't cause rejection based on the envelope-From. Since SPF usually breaks email forwarding, rejecting SPF failures would usually not allow anyone automatically forwarding your message to another of their accounts for reading email to see your messages.
  • DMARC only rejects a message if both SPF and DKIM fail, and it forces the From header to be aligned (the same) as the envelope-From address, the SPF DNS record domain, and the DKIM encrypted signature for your domain. So DMARC does what you are asking for, not just SPF.
  • Before activating a reject (-all) SPF policy and reject DMARC policy, I recommend that you try using the default SPF and a quarantine DMARC policy similar to the following:
    Code:
    v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com
    This will send DMARC reports (in XML format) to your postmaster address (which should be inserted in place of postmaster@example.com). You can look at these reports and see if messages are passing or failing SPF and DKIM at recipient servers before you implement a reject policy. I get these delivered from several major email providers (Fastmail, Yahoo, Google/Gmail, Microsoft/Hotmail/Outlook.com, AOL.com). You can perform a web search for "DMARC reports" to discover more about these optional reports.
As you can see, proper SPF and DMARC implementation for your domain is not easy. You must be very careful which servers you use to send email from your domain (including automatic messages which use your domain) and you should use DMARC if possible. Forwarding and some email discussion groups are not fully compatible with SPF (as used with address alignment by DMARC).

Bill
n5bb is offline   Reply With Quote
Old 7 Aug 2017, 07:32 PM   #7
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,417
Quote:
Originally Posted by n5bb View Post
As you can see, proper SPF and DMARC implementation for your domain is not easy.
Amen to that

I wonder how to square the long procedure described by Bill with the stock advice frequently given here: "get your own domain and your email will be working smoothly forever after"
janusz is offline   Reply With Quote
Old 7 Aug 2017, 07:45 PM   #8
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,480
Quote:
Originally Posted by janusz View Post
Amen to that

I wonder how to square the long procedure described by Bill with the stock advice frequently given here: "get your own domain and your email will be working smoothly forever after"
Personally, I have never claimed that your own domain guarantees you will never have a problem again with your email. What it does ensure is
  • you will never lose your email address(es); and
  • if there are problems with your email, the solution generally lies in your own hands, not with the administrators of a shared service.
BritTim is offline   Reply With Quote
Old 8 Aug 2017, 02:38 AM   #9
FredOnline
Master of the @
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 1,903
Just looking at the DMARC record for fastmail.com:

v=DMARC1; p=none; fo=1; rua=mailto:etc

And noticed the additional "fo=1", which is Forensic reporting.

And I'm wondering if anyone here on the forum uses this option?

From my (admittedly not very good) knowledge of DMARC, this record seems to let e-mails pass but generates a report?
FredOnline is offline   Reply With Quote
Old 8 Aug 2017, 11:31 AM   #10
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,204
Quote:
Originally Posted by FredOnline View Post
... From my (admittedly not very good) knowledge of DMARC, this record seems to let e-mails pass but generates a report?
Yes, Fastmail has customers who use their email in various ways, and they may send via forwarding servers which break SPF and may even break DKIM in some cases. So forensic reporting (from a few big email systems) is a good way to see how well DMARC is working before establishing a reject policy.

Bill
n5bb is offline   Reply With Quote
Old 10 Aug 2017, 09:30 PM   #11
SideshowBob
Junior Member
 
Join Date: Jan 2017
Posts: 21
Quote:
Originally Posted by digp View Post
I think

v=spf1 include:spf.messagingengine.com -all

is the solution

Really this should be the FM default
The dmarc rfc cautions against using "-all" in combination with dmarc because your mail could get rejected before dmarc is applied.
SideshowBob is offline   Reply With Quote
Old 11 Aug 2017, 12:14 AM   #12
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 338
Quote:
Originally Posted by SideshowBob View Post
The dmarc rfc cautions against using "-all" in combination with dmarc because your mail could get rejected before dmarc is applied.
True, but it really depends on how much you know about what SMTP servers you're using.

If you ONLY ever send e-mail from your e-mail address through FastMail's servers (either the web interface, or using smtp.fastmail.com from your mail client), then there's absolutely no harm in using "-all" ... the danger is that many users don't fully understand these things, and may have mail clients configured to send through their ISP's SMTP servers, or sometimes even corporate servers depending on firewall issues.

Further, if you have third-party services that send out e-mails on your behalf these need to be included in the SPF record as well. For example, I send out invoices from Freshbooks from my e-mail address, so I've had to include Freshbooks' SPF records in my own as well, using a second "include" directive.
jhollington is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 12:00 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy