Over the last few years there has been a marked acceleration towards the use and adoption of email authentication techniques such as SPF, DKIM and DMARC. With phishing, email impersonation and other scams a common part of our digital world, companies and private individuals are more than ever now wishing to know if they can trust the sender of email. We are therefore introducing our third-party validation and anti-spoofing features to help further harden and secure our service.

While spoofing attacks are usually problematic or malicious in nature, many companies also regularly and legitimately send email on behalf of one another as part of a business relationship. For example, Company B may email on behalf of Company A. In this case, the mail can be sent from the IP address of Company B and with the domain of Company A. If both Company A and B are Symantec Email Security Service (ESS) customers hosted in the same email cluster, then the email will pass through the Symantec cloud infrastructure and be processed using the policy of Company A. This is clearly both fine and convenient when both parties agree on the sending relationship, but for those customers wishing to prevent unauthorized third-parties (who are also ESS customers) from spoofing email from them that could then seem valid by sending through the ESS, we have the following options:

1.    DMARC Authentication.

A. Ensure all email leverages DKIM signing outbound through the service; AND

B. Remove the Symantec ESS service’s global IP address range from your SPF record and switch to soft fail.  

Caution: The above option will prevent any other ESS customers who are today sending email on your behalf from achieving DMARC validation by the recipient so you should be sure that you have no existing business relationships that will be disrupted.

2.    Third-Party Domain Registration and Anti-spoofing Tool. 
In order to allow absolute control over other ESS customers sending emails on your behalf or your organization sending emails on behalf of other ESS customers you should consider Symantec’s anti-spoofing feature coming soon (Q1 2020), and in preparation for this you should start now establishing legitimate sending domains and registering them within ClientNet as this feature is available to use today.  To enable this feature, the following steps should be considered.  

As the first step, it is now easy to register any third-party domains on whose behalf the customers will send email and vice versa. The domain configuration page in the management console (ClientNet) allows a customer to explicitly register authorized third-party domains.  Additional information on configuring third party domains can be obtained here.  If you are unsure of the third-party customers that are sending emails on behalf of your organization then log a case via the MySymantec customer portal and we will generate a report to help guide you.  This report can provide insights on how best to configure the service for authorized domains.  

As the next step, request anti-spoofing (feature coming in Q1 2020) to be enabled on your account by logging a case in the MySymantec portal and the ESS will reject all spoofed mails with an SMTP 550 error unless a formal business relationship has been established and authenticated via the ClientNet portal. You will then have full control over who can spoof email within the ESS environment on your behalf.