Email Verification


Email Verification: a reader asks…

As a small business owner, I get a lot of junk email. Sometimes from ‘myself’ in that an email comes from me (but not really me). I have my own domain and get my email from the same company that hosts my website. My domain name is reserved from one company, and I had them set up that domain to point to the company that hosts my website. How can I make sure that nobody else can send email through my email service?

Email authentication is a fairly complex subject and there’s no easy answer that covers all situations. That said, the most likely explanation is that the email didn’t come from your email service or your domain at all. An inherent problem in most email service providers’ interfaces and apps is that the From field shown in the Inbox doesn’t display the email address of the person who sent the message, but rather their ‘friendly name’. Anyone setting up an email account can put whatever name they want in that field, which makes this an absurdly easy way to fake an email sender. Phishing campaigns often send their fake emails from a random email account whose friendly name makes the email appear to come from someone else.

So the first thing you should do is check that the email is actually coming from your email account (or your domain). If it’s not, the fake email is relatively easy to recognize, but it does take more work than simply looking at the entry in your Inbox.
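The check described above can be done on the raw message (most mail apps offer "view source" or "show original"). The following is an added example, not part of the original article; the sample message, the domain `example.com` and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the friendly name imitates the owner's address,
# but the real sending address belongs to an unrelated domain.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: "owner@example.com" <x9213@mailer.example.net>
To: owner@example.com
Subject: Invoice overdue

Please pay today.
"""

# Constructed sample: the From address itself is on the owner's domain.
SAME_DOMAIN = SPOOFED.replace("<x9213@mailer.example.net>", "<owner@example.com>")

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()

def inspect_sender(raw_message, my_domain):
    """Separate the friendly name from the real address in the From header."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    return {
        "friendly_name": name,
        "from_address": address,
        "return_path": return_path,
        "from_is_my_domain": domain_of(address) == my_domain.lower(),
        "name_mentions_my_domain": my_domain.lower() in name.lower(),
    }

def verdict(info):
    """Classify the message the way the article's first check does."""
    if info["from_is_my_domain"]:
        return "from-address-uses-my-domain"  # look at the account and SPF next
    if info["name_mentions_my_domain"]:
        return "friendly-name-only"           # fake name, unrelated sender
    return "unrelated-sender"

if __name__ == "__main__":
    for raw in (SPOOFED, SAME_DOMAIN):
        print(verdict(inspect_sender(raw, "example.com")))
```

A "friendly-name-only" result means the message never used your domain, so no change to your own account or DNS records would have stopped it.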

I really wish that email service providers and app developers would stop using the friendly name in their email interfaces’ From field. Or at least give users the ability to decide for themselves which to use. But nobody seems to want to do this. Since it’s so simple to put whatever name you want into that name field when setting up an email account, companies like Google and Microsoft should take action to correct this deficiency – but they haven’t.

At least in Microsoft’s case, they do have a feedback website (i.e., a suggestion box) where you can suggest that they make this change. Someone already did this over a year ago, and so rather than create a new suggestion, you can simply upvote theirs (as many other people have done). If you use Microsoft Outlook, visit their feedback website, and upvote that suggestion, which is at https://feedbackportal.microsoft.com/feedback/idea/6f783689-929d-ee11-92bd-0022484eec36. You’ll need to log in with your Microsoft account to add your voice to this suggestion.

If the fake email did in fact come from your email address, then you have a more serious issue. One possibility is that your email account has been hacked, and someone else is using it. In this case, you need to change the password to your email account and also boot anyone else out of that account so they can’t use it. Perhaps just to be on the safe side, do this anyway. You can contact your service provider’s tech support to force all users out of your account.

Another possibility is that your domain name reservation agent (or your website hosting provider) hasn’t set up appropriate controls to prevent unauthorized entities from using your domain name. One common method to validate email is by a special record in your Domain Name Service (DNS), called a Sender Policy Framework (SPF) record. If your domain has this record, every email service provider who receives email from you or your domain checks that record each time, and accepts or rejects the email based on whether the sender’s server is authorized or not (aka “authentication”). The next step is to check your SPF record.

It can be a little confusing because your domain’s DNS records can be at your domain name registration agent’s website, or they can be at your website hosting provider’s website. That depends on what you meant when you say you “had them set up that domain to point to…”. Most likely, you had them set up nameservers pointing to your website hosting provider, in which case your DNS records are at the website hosting provider. In that case…

Visit your website hosting provider’s control panel (often labeled “cPanel”), and check the DNS records for your domain. You’ll see a number of different DNS records of different types such as A records, CNAME records, MX records, and TXT records.


Look for a DNS TXT record where the record starts “v=spf1”. That is your domain’s SPF record. If not written correctly, this record can allow other non-authorized senders to send email from your domain name. Think of the SPF record text in three parts. The first part is that “v=spf1” part which identifies the record as a Sender Policy Framework type of record. The middle part is a listing of all the entities that are authorized to send email using your domain name, usually by Internet Protocol (IP) address. The ending part is pretty simple: it’s a single short term, either “-all” or “~all”. Check this last part:

  • -all is a hard fail rule: emails that don’t come from the list of authorized entities should be rejected. This is quite secure, and most ISPs will honor that rule and reject emails that fail the test.
  • ~all is a soft fail rule: emails that don’t come from the list of authorized entities will still be delivered, but should be marked as junk mail. Different ISPs interpret this rule in different ways, so it should only be used temporarily while validating that the SPF record is working.

If your SPF record has the tilde, edit the SPF record and replace that with a dash, then save the record. If the record already has the -all, then you probably want to contact your hosting provider (or use their online tools) to make sure that you have a properly constructed SPF record. Many cPanel setups have an “Email Deliverability” menu option, which can check and update the SPF record to provide a valid authentication method for your domain. There may also be other authentication methods, such as DKIM and Reverse DNS (PTR).
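The three-part reading of the record described above can be automated. The following is an added example, not part of the original article: it audits a domain's TXT records copied from the DNS panel, and the records, addresses and function names are constructed for illustration. It goes slightly beyond the text by also flagging a missing record, duplicate records and a record that ends in `+all`.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a record into (authorized-sender terms, result of the final 'all')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    senders, all_result = [], None
    for term in terms[1:]:
        qualifier, mechanism = "+", term      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        if mechanism.lower() == "all":
            all_result = QUALIFIERS[qualifier]
            break                             # terms after "all" are never evaluated
        senders.append(term)
    return senders, all_result

def audit_spf(txt_records):
    """Return a one-line finding for the TXT records of one domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing: no SPF record published"
    if len(spf) > 1:
        return "error: more than one SPF record"
    senders, all_result = parse_spf(spf[0])
    if all_result == "fail":
        return f"ok: hard fail, {len(senders)} authorized sender term(s)"
    if all_result == "softfail":
        return "weak: soft fail (~all), change to -all once senders are verified"
    if all_result == "pass":
        return "open: +all authorizes every sender"
    return "weak: record does not end in an enforcing all term"

# Constructed TXT record sets for a hypothetical domain (documentation addresses).
SAMPLES = {
    "hard": ["constructed-verification-token=abc123",
             "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all"],
    "soft": ["v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example ~all"],
    "open": ["v=spf1 +all"],
    "unterminated": ["v=spf1 ip4:203.0.113.10"],
    "duplicate": ["v=spf1 ip4:203.0.113.10 -all", "v=spf1 ip4:198.51.100.7 -all"],
    "missing": ["constructed-verification-token=abc123"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label:13} {audit_spf(records)}")
```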

If you check the Email Deliverability section of your cPanel and your SPF record is valid (and any others that page shows), then you may want to contact your service provider and ask for help. They’ll probably want you to send them the fake email, which you should do as an attachment (versus simply forwarding the email).

If you read this far, you know that there’s more than a bit of complication in your query, and you may want to do some research to learn more about email authentication. I’d suggest you start at https://easydmarc.com/blog/how-to-check-spf-records-with-easydmarc-tools/.
