How to Block Spoofed Email That Looks Like it is From our Domain, if SPF isn't an Option?

  • 7020824
  • 15-Apr-2016
  • 07-Aug-2017

Environment


GWAVA

Situation

How can I block spoofed email that looks like it is from our domain? SPF isn't working on these messages because the Return-Path address (the address that GWAVA uses for scanning) is not in our domain, but the 'From' line is. Users see the message as coming from a trusted person in our company.

Resolution


If spoofed email that appears to be from your domain is not being blocked via SPF, for whatever reason, you can create a Message Header filter to block it:

1) In the GWAVA Management web page, go to Scanner/Policy Management | scanner name | scanning configuration | MIME filtering | Message header filter.

2) Make sure 'Enable message header filter' is checked.

3) Click on 'New filter' and type in the following: From:*yourdomain.com

4) Make sure the box for 'Block the message' is checked, and 'Quarantine the message' if desired.

5) Hit 'save changes'.

6) Make sure you aren't scanning this event on outbound email, otherwise all your outbound email will get blocked. Go HERE to find out how to disable a certain event for outbound scanning. Make sure 'Header filter' is unchecked for the Scan Outbound column.

7) If you have any source address exceptions for your domain, make sure to include Message Header Filter in the list of events to exclude.
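The following Python sketch is an added example, not GWAVA code. It shows why SPF evaluates a different domain than the one users see, and why step 6 matters. It approximates the header filter as an exact domain comparison on the parsed From address; the function names, sample messages and example.net/example.org addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "yourdomain.com"  # placeholder domain used in step 3

# Constructed sample messages (headers only matter here).
SPOOFED_INBOUND = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Pat Smith" <pat.smith@yourdomain.com>\n'
    "Subject: Urgent wire transfer\n\nbody\n"
)
GENUINE_EXTERNAL = (
    "Return-Path: <news@example.org>\n"
    "From: Newsletter <news@example.org>\n"
    "Subject: Monthly update\n\nbody\n"
)
GENUINE_OUTBOUND = (
    "Return-Path: <pat.smith@yourdomain.com>\n"
    'From: "Pat Smith" <pat.smith@yourdomain.com>\n'
    "Subject: Meeting notes\n\nbody\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(raw_message, direction):
    """Return (spf_checked_domain, from_domain, action) for one message.

    direction is 'inbound' or 'outbound'. The header check is skipped for
    outbound mail, mirroring step 6 of the procedure.
    """
    msg = message_from_string(raw_message)
    # SPF is evaluated against the envelope sender (Return-Path) ...
    spf_checked_domain = domain_of(msg.get("Return-Path"))
    # ... while the recipient's mail client displays the From header.
    from_domain = domain_of(msg.get("From"))
    claims_our_domain = from_domain == PROTECTED_DOMAIN
    if direction == "inbound" and claims_our_domain:
        action = "block"
    else:
        action = "deliver"
    return spf_checked_domain, from_domain, action

if __name__ == "__main__":
    for name, raw, direction in [
        ("spoofed inbound", SPOOFED_INBOUND, "inbound"),
        ("genuine external", GENUINE_EXTERNAL, "inbound"),
        ("genuine outbound", GENUINE_OUTBOUND, "outbound"),
    ]:
        print(name, classify(raw, direction))
```

Classifying the genuine outbound message as 'inbound' returns 'block', which is the failure step 6 prevents.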

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2790.