How to Prevent Email Spoofing in Shared Hosting: Technical Solutions for SMTP Authentication and SPF/DKIM/DMARC Implementation



When you start receiving bounce messages for emails you never sent, you're experiencing a classic case of email spoofing. The attacker isn't actually compromising your email account - they're forging the "From" header in SMTP transactions. This is like writing any return address on a physical envelope.

// Example of SMTP raw commands showing how easy spoofing is
MAIL FROM: <spoofed@yourdomain.com>
RCPT TO: <victim@example.com>
DATA
From: "Your CEO" <ceo@yourdomain.com>
To: "Employee" <victim@example.com>
Subject: Urgent wire transfer needed

Please send $50,000 to account 12345 immediately.

Changing your email password has no effect because the attacker isn't logging into your account. They're directly connecting to SMTP servers (often open relays) and injecting messages with forged headers. Your shared hosting provider's default configuration likely doesn't enforce proper authentication for outbound mail.

The proper solution involves implementing three key email authentication protocols:

1. SPF (Sender Policy Framework)

SPF allows you to specify which servers are authorized to send email for your domain via DNS TXT records:

// Example SPF record for shared hosting
v=spf1 include:sharedhostingprovider.com ~all

// More restrictive option if you only send webmail
v=spf1 ip4:192.0.2.1 ip4:198.51.100.1 -all

2. DKIM (DomainKeys Identified Mail)

DKIM adds cryptographic signatures to your outgoing emails. Most shared hosts provide DKIM configuration in cPanel/Plesk:

// Example DKIM signature in email headers
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=default;
    c=relaxed/relaxed; q=dns/txt; t=1625097600;
    h=from:to:subject:date:message-id;
    bh=YzQ0YWY5ODkwZTk5OWYwOTk5NDFlNzExY2M3MTA5N2UyMTk0YzM3Yg==;
    b=eBw7PZbzwk5TJf3R9n8kqw3R9n8kqw3R9n8kqw3R9n8kqw3R9n8kqw3R9n8kqw

3. DMARC (Domain-based Message Authentication)

DMARC tells receiving servers what to do with messages that fail SPF/DKIM checks:

// Example DMARC DNS record
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com"

Here's how to implement these protections on typical shared hosting:

1. Log in to cPanel
2. Navigate to "Email Authentication"
3. Enable both SPF and DKIM 
4. For DMARC, create a TXT record in Advanced DNS Zone Editor:
   - Name: _dmarc
   - Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com
5. Monitor reports for 2 weeks
6. Gradually tighten policy from "none" to "quarantine" to "reject"

Beyond the big three protocols, consider these measures:

  • Enable SMTP authentication requirement in hosting control panel
  • Implement reverse DNS (PTR) records if you send marketing emails
  • Set up a dedicated SMTP relay service (e.g., SendGrid, Mailgun)
  • Configure rate limiting for outbound emails in hosting settings

After implementation, regularly verify the published records and review the incoming reports:

# Check your domain's authentication status
dig +short txt yourdomain.com
dig +short txt _dmarc.yourdomain.com
dig +short txt default._domainkey.yourdomain.com

# Analyze DMARC reports (install parser if needed)
python3 dmarc-parser.py -f /path/to/report.xml

Remember that email authentication is about making your domain harder to spoof, not about completely stopping spammers. The goal is to ensure legitimate emails get delivered while making it obvious when messages are forged.


When your email address is being used to send spam without your consent, you're experiencing email spoofing. The SMTP protocol, designed in 1982, doesn't inherently authenticate sender addresses, making this a decades-old vulnerability.

Changing passwords won't help because the spammers aren't actually logging into your account. They're simply forging the "From" header in SMTP transactions, much like writing a fake return address on physical mail.

# Example of how simple SMTP forgery can be (Python)
import smtplib

server = smtplib.SMTP('spammer.smtp.com', 587)
server.starttls()
server.login("hacker@example.com", "password")
msg = """From: your.legit.address@yourdomain.com
To: victim@example.com
Subject: Urgent!

This is a forged message."""
server.sendmail("hacker@example.com", "victim@example.com", msg)

SPF (Sender Policy Framework)

Create a TXT record in your DNS that specifies which servers are authorized to send mail from your domain:

v=spf1 include:_spf.yourhostingprovider.com ~all

DKIM (DomainKeys Identified Mail)

While more complex to implement in shared hosting, DKIM adds a digital signature to your outgoing emails. Contact your hosting provider to enable it:

# Typical DKIM DNS record
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrL...

DMARC (Domain-based Message Authentication)

Combine SPF and DKIM with a DMARC policy to tell receivers what to do with failed messages:

v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com

1. Contact your hosting provider to confirm their SMTP server addresses
2. Implement SPF immediately (easiest first step)
3. Request DKIM support if not already enabled
4. Start with a relaxed DMARC policy (p=none) and monitor reports

Once DMARC is set up, you'll receive aggregate reports showing authentication results. Parse these XML reports to identify spoofing attempts:

# Sample Python snippet to parse DMARC reports
import xml.etree.ElementTree as ET

def parse_dmarc_report(xml_file):
    tree = ET.parse(xml_file)
    root = tree.getroot()

    # Reports may or may not declare the XML namespace, so strip it
    # and match on local tag names only.
    for elem in root.iter():
        elem.tag = elem.tag.rsplit('}', 1)[-1]

    for record in root.findall('.//record'):
        # findtext() returns the default instead of raising when a field is missing
        source_ip = record.findtext('row/source_ip', default='unknown')
        count = record.findtext('row/count', default='0')
        print(f"IP {source_ip} sent {count} messages")

For existing bouncebacks flooding your inbox, create server-side filters using Sieve scripts if your host supports them:

# Example Sieve filter for cPanel
require ["fileinto"];

# File any message that carries an X-Failed-Recipients header
if exists "X-Failed-Recipients" {
    fileinto "Bounced Spam";
}

Remember that complete prevention is impossible due to SMTP's design, but these measures will significantly reduce abuse and improve your domain's email reputation.