ESET Online Help

Search English
Select the topic

Sender spoofing protection

Email sender spoofing is common when an attacker forges the sender's name or email address to deceive the recipient. To the email recipient, a spoofed email appears indistinguishable from a genuine one, posing a risk. One type of sender spoofing is called CEO fraud (where the attacker impersonates the CEO).

Employees would not question the emails, allowing the attacker to succeed. This is not exclusive to the CEO. Sender spoofing often impersonates any real sender, usually someone in your organization's Active Directory. A spoofed email message looks very convincing to an unsuspecting recipient, easily gaining trust.

ESET Mail Security provides you with protection against email sender spoofing. Using several methods, sender spoofing protection verifies whether the sender's information is valid.

Sender spoofing protection looks for the domain in the "From:" email header field and Envelope sender, then compares the found domain against the domain lists. If the domain differs, the message is considered valid (not spoofed) and further processed by other ESET Mail Security protection layers. However, if the domain matches a domain on the list, it may be spoofed and requires further verification.

Depending on the setting, further verification is performed: an SPF check, the Envelope IP address is checked against IP lists, or the message is automatically considered spoofed. If the SPF check result is pass, or the Envelope IP address matches an IP address from the list, the message is valid; if not, it is spoofed. Action is taken with the spoofed message.

You can use sender spoofing protection in two ways:

Enable Sender spoofing protection, configure its settings and optionally specify domains and IP lists. The default action with spoofed email messages is Quarantine message. To change what action is taken, go to Mail transport protection advanced settings.

Use Mail transport protection rules: SPF result - From header or Envelope sender and From header comparison result conditions with an action of your choice. Rules provide you with more options and combinations if you want to achieve specific behavior with spoofed email messages.

When Sender spoofing protection is used, or if a rule action type Log to events is specified, all messages that have been evaluated by Sender spoofing protection are recorded in the Log files. Similarly, you can find spoofed email messages in Mail Quarantine when an action is set to Quarantine message in Mail transport protection or defined in rules.

Enable sender spoofing protection

Activate the sender spoofing protection to prevent email attacks that try to mislead the recipients about the message's origin (spoofed sender).

Enable incoming email with my own domain in the sender address

Allow messages that contain your own domain in the "From:" email header or Envelope sender (thus suspected as being spoofed) to be further verified:

Only when they pass the SPF check—This relies on SPF being enabled. If the SPF result is Pass, the message is considered valid and processed for delivery. If the SPF result is fail, the message is spoofed (and an action takes place). Optionally, you can enable the Automatically reject messages if SPF check fails feature.

Only when the IP address is on the infrastructure IP list—Compares the Envelope IP address against the IP lists (a list of your own IP addresses and the Ignored IP list are marked as Is part of internal infrastructure). If the IP address is a match, the message is valid and processed for delivery. If the IP address does not match, the message is spoofed (and an action takes place).

Never—If an incoming message contains your own domain in "From:" email header or Envelope sender, it is automatically considered spoofed without being further verified. An action is taken with the message; see Mail transport protection for action options.

Automatically load my own domains from the Accepted domain list

We highly recommend that you have this option enabled to keep the highest level of protection. This way, the domains and IP addresses from your infrastructure are considered during evaluation by sender spoofing protection.

List of my own domains

These domains are considered to be your own. Add domains that will be used during the evaluation, in addition to the automatically loaded domains from your Active Directory. Sender's domain(s) will be compared against the domains in these lists. If the domain does not match, the message is valid. If the domain is a match, further verification is performed according to the Enable incoming email with my own domain in the sender address setting.

List of my own IP addresses

IP addresses that are considered credible. Add IP addresses to be used during the evaluation, in addition to the IP addresses on the Ignored IP list marked as Is part of internal infrastructure. The sender's Envelope IP address is compared against the IP addresses in these lists. If the Envelope IP address is a match, the message is valid. If the IP address does not match, the message is spoofed, and an action takes place.