Spam from my domain RSS Back to forum
@bnefedov:
Hello bnefedov,
If you have a syntactically valid DMARC (TXT) record published for your domain in the DNS zone file of "_dmarc.domain.ru", and a valid SPF record for "domain.ru" then ORF should block these "self-spam" emails.
Note, however, that if your domain has a "p=none" policy in its DMARC record (i.e. you are still testing DMARC), ORF will not blacklist the spoofed emails by default. You can change this by removing the checkmark from the "Take not action if a 'p=none' policy is discovered" option, in the DMARC Test Settings dialog, or, by replacing the "p=none" policy with a "p=reject" or "p=quarantine" policy in the DMARC record of your domain.
You should also make sure that the emails in question were not "whitelisted" due to some configuration error: Start the ORF Log Viewer, load the log file from the day of the incident, then look for the spoofed emails (Ctrl + F / Ctrl + Shift + F) and check the information in the "Message" column. If the emails were "whitelisted", copy-paste the event message into your reply and I will tell you how to fix the issue.
This is how we block emails that say they are from our domain but didn't come from our server.
Create a Keyword blacklist.
Select Email header (raw MIME)
Under filter expression, keyword will be:
.*^From:[^\r\n]*\b[^\r\n]*@domain\.ru\b[^\r\n]*\s$
Select "regular expression"
We have had this implemented for years and works great.
Comes spam from himself or from another existing mailbox in our domain @ domain.ru How to block this? Spf, dkim, dmarc installed, letters still reach our mail server allegedly from us