Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
If you have a domain name, you will most likely receive more spam. Spammers will find your domain (just like your customers would via Google search) and then send spam to [email address hidden].
In addition, spammers can use your domain name to disguise their spam. This type of abuse happens frequently since spammers rarely use their own domain names.
Forging is when spammers use your domain name as a reply address to send out their spam (like [email address hidden]).
Anyone with Outlook or any other email program can forge an address using the FROM field of an email. This is because SMTP allows any computer to send emails claiming to be from anyone. There is nothing that the rightful owner of a domain name can do to stop people from doing this. But there are measures we can take to help SPAM engines detect whether your email address was forged.
The most annoying part of having someone forge your email address for SPAM is the non-delivery and bounce notifications you will receive. This happens because some of the addresses the spammer sends to will not exist, and the Postmaster at the receiving end will think the message came from your address. The notification is an automated reply from a computer.
If you are getting a lot of non-delivery notifications due to somebody forging your email address, we suggest the following:
- Manually Delete Notifications (recommended) - The bounce back emails usually only continue for a couple of days. During this period, you can quickly sort your email by sender - and delete all Postmaster emails in one clump. The bounce back emails will generally disappear in a couple of days.
- Disable Default Address - Ask to disable the catch-all email address for your domain. With the "catch all" address disabled, any message sent to an address that you have not specifically set up as an email account will be rejected. The downside of this is that if a customer or friend mistypes your real email address, you will not get the message.
- Block Postmaster Emails - You can block the postmaster emails. This is not recommended because you will not see any bouncebacks yourself if you mistype an email address.
We recommend that you do not reply to any of these emails. Most of these emails are auto-generated. As for angry recipients of the forged email, it's best that they get advice from their IT people (who should be able to tell that the email was forged and not from you). Corresponding with angry recipients may draw you into a debate on an issue that is not in your control.
Although this type of activity can be extremely annoying, you do not need to worry about being blacklisted by the anti-SPAM databases. None of the major anti-SPAM databases block a server based on the FROM address of the SPAM message, as they are aware of this common practice used by spammers.
Reporting Spam
If you are using Gmail or Google Apps Mail, you can flag an email as SPAM, or move it to the SPAM folder/label. That will help the Google mail servers learn what is SPAM.
In Australia you can report spam to the ACMA by forwarding the email to [email address hidden]. This is most effective for Australian-based spam. For more info on ACMA spam definitions, visit
For international spam, forward the email to the Federal Trade Commission at [email address hidden] and include the email header.
Advanced measures
The next set of tips requires knowledge of domain name management. These steps are not recommended for an average user - we suggest you ask your domain manager or web designer to carry out the following.
SPF Validation
SPF (Sender Policy Framework) validation helps to prevent other users from forging the "From" field with your email address if they are not sending from your domain. It's a mechanism that allows the recipient's mail server to verify that the server sending the email is authorized to do so.
If you are a Google Apps user, and you have a website that sends out messages on your behalf, use a TXT DNS record like...
"v=spf1 IP4:111.222.333.444 include:_spf.google.com ~all"
Where 111.222.333.444 is the IP address your website sends email from. The include:_spf.google.com term refers to a list of all the Google IPs. This tells the receiving mail server that only email from your web server or Google Mail is validated.
Another variation we use at OrganicWebs, which includes all MX and A IPs for that domain, is
"v=spf1 mx a include:_spf.google.com ~all"
To test the SPF records, send a blank email to [email address hidden] using your SPF protected email.
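How a receiving server walks records shaped like the two above, as an added example that is not part of the original page. The domains, addresses and the `_spf.mailhost.example` include (standing in for `_spf.google.com`) are constructed, and the in-memory `DNS` map replaces live lookups.

```python
import ipaddress

# Constructed zone data standing in for live DNS (documentation-range addresses).
# "MX" holds the already-resolved addresses of the domain's mail exchangers.
DNS = {
    "example.com": {"TXT": "v=spf1 IP4:203.0.113.10 include:_spf.mailhost.example ~all"},
    "shop.example": {"TXT": "v=spf1 mx a include:_spf.mailhost.example ~all",
                     "A": ["203.0.113.20"], "MX": ["198.51.100.25"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS, depth=0):
    """Evaluate a subset of SPF (ip4, a, mx, include, all) for sender_ip."""
    terms = dns.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                 # stop runaway include chains
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()                # mechanism names are case-insensitive
        if mech == "all":
            matched = True
        elif mech == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:             # e.g. a placeholder left unreplaced
                return "permerror"
        elif mech in ("a", "mx"):
            matched = sender_ip in dns.get(arg or domain, {}).get(mech.upper(), [])
        elif mech == "include":
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue                       # mechanism outside this subset
        if matched:
            return RESULT[qualifier]       # first matching term decides
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.7", "198.51.100.99"):
        print(ip, check_spf("example.com", ip))
```

A server that is not listed ends at `~all` and gets `softfail`, which receivers typically treat as suspicious rather than rejecting outright; a record that still contains the literal 111.222.333.444 placeholder evaluates to `permerror`.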
More on SPF here...
- Google Support: http://support.google.com/a/bin/answer.py?hl=en&answer=33786
- Open SPF: http://www.openspf.org/
- cPanel Wiki (in cPanel - not WHM): http://docs.cpanel.net/twiki/bin/view/11_30/CpanelDocs/EmailAuthentication
Authenticate email with DKIM
Some email platforms, like Google Apps, enable you to add a digital "signature" to the header of mail messages sent from your domain. Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way.
Step 1: First you will need to generate the domain key. For Google accounts this is done in the Google Apps Console. [Apps > Google Apps > Gmail > Authenticate email]
Step 2: Then you will need to create a DNS TXT record with that key in the DNS of the domain. It will look something like...
google._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvW..."
Step 3: Wait 48 hrs - then in Google Apps, Start Authentication. [Apps > Google Apps > Gmail > Authenticate email]
Prevent outgoing spam with DMARC
Spammers can sometimes forge the "From" address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google uses DMARC.org, which gives domain owners more control over what Gmail does with spam emails from their domain.
DKIM does not prevent spoofing of incoming messages from outside email servers. To help prevent email spoofing on incoming messages, use Domain-based Message Authentication, Reporting & Conformance (DMARC).
How DMARC works
DMARC helps email senders and receivers verify messages, and defines what action to take on suspicious messages. When an incoming message does not pass the DKIM check, DMARC specifies what happens to these messages:
- No action on the message
- Reject the message
- Hold the message for more processing (quarantine)