Vakuya

Reputation: 1

Can anyone on the same shared hosting send emails using my domain with a PASS on both SPF and DKIM?

I have multiple domains pointing at nameservers of a shared hosting platform and manage all the emails of these domains using just one address called [email protected] as an example.

Because all of these domains work under one business and I don't want to manage multiple accounts, this address also receives all the emails for my other domains domain-b.com and domain-c.com using forwarders.

Sometimes I still need to change the From address, which is why I set up identities in Thunderbird using domain-a.com as the host with [email protected] and [email protected] as the From addresses. While doing that, I realized that I didn't need to create these accounts on the mail server and all emails that were sent by either [email protected] or [email protected] had a PASS on both SPF and DKIM.

This made me wonder whether someone else on the same shared hosting platform (a whois check shows there are more than 600 other domains) could also just use any of my domains to send emails and would get a PASS on both SPF and DKIM, basically making it useless in that specific scenario.

  1. Can anyone on the same shared hosting send emails using my domain with a PASS on both SPF and DKIM?
  2. Why is it possible to use domain-a.com as the host and [email protected] or [email protected] as From addresses and still send messages that way? The test messages I have sent using that method don't show domain-a.com but the domain of the From address in their headers. Is this normal behavior? Since I didn't set up any individual accounts for domain-b.com and domain-c.com, I honestly didn't expect this to work.

Thanks in advance.

Upvotes: 0

Views: 676

Answers (1)

Synchro

Reputation: 37770

If someone is on the same shared host as you, they will likely have the same IP address, and so if your SPF includes that IP, they will indeed be allowed to send messages from your domain. The simple solution to that by itself is don't do that – don't put critical content on shared hosting.

The next step is DKIM. DKIM has nothing to do with IP addresses, and sending from a shared host will have no effect, so this is your best defence against this kind of spoofing. A DKIM signature is signed by your private key (which nobody else should be able to access, even on shared hosting – though it is far more at risk there than on your own server). Because they can't see your key, they can't produce DKIM signatures for your domain, and thus messages they try to send from your domain will not contain a valid DKIM signature and they will not be able to get a DKIM pass result.

It could be that your hosting provider is also adding a DKIM signature of their own as an intermediary, though it will match their domain, not yours. You can add your own as well, as messages can contain more than one DKIM signature.

To force alignment of From address with the envelope sender (which ends up in a return-path header at the receiver), you need to look at DMARC, specifically the adkim and aspf parameters.

Another approach would be to not send mail through your hosting provider but via some other mail server. This would let you have an SPF record that does not include your hosting provider's IPs. You may find however that you can't do this because low-end hosts tend to block outbound SMTP.

Upvotes: 0
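The DMARC alignment rule the answer points at (adkim and aspf) can be worked through with a small evaluator. The block below is an added example and not code from the question, the answer or any hosting provider. It assumes the receiver has already computed the SPF and DKIM results and only applies the identifier-alignment logic of RFC 7489 to them; the domain names other-tenant.example and shared-host.example are invented stand-ins for a co-tenant on the shared host and for the host's own DKIM signer, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
"""Toy DMARC identifier-alignment evaluator (added example, not from the thread).

Assumptions: SPF and DKIM results are supplied as data, not computed from DNS and
message bytes; the organizational domain is approximated as the last two labels
(a real receiver uses the Public Suffix List, so example.co.uk would be wrong here).
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplification: last two labels. See module docstring.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    # RFC 7489 defaults: relaxed alignment for both identifiers. "p" is
    # mandatory in a real record; it is defaulted here so partial inputs evaluate.
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # Strict ("s"): authenticated domain must equal the From domain exactly.
    # Relaxed ("r"): both must share an organizational domain.
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                      # domain of the RFC5322.From header
    spf_domain: str                       # RFC5321.MailFrom domain SPF checked
    spf_result: str                       # "pass", "fail", "softfail", ...
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid sigs


def dmarc_evaluate(res: AuthResults, record: str) -> dict:
    # DMARC passes if at least one of SPF or DKIM both passed AND aligns.
    tags = parse_dmarc(record)
    spf_aligned = res.spf_result == "pass" and aligned(
        res.spf_domain, res.from_domain, tags["aspf"])
    dkim_aligned = any(aligned(d, res.from_domain, tags["adkim"])
                       for d in res.dkim_pass_domains)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": tags["p"],
    }


STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"
RELAXED_RECORD = "v=DMARC1; p=reject"   # adkim/aspf default to relaxed

# Constructed scenarios (invented domains other-tenant.example, shared-host.example).
CASES = {
    # A co-tenant on the shared host: same outbound IP, so SPF passes for
    # *their* envelope domain; the host adds its own DKIM signature.
    "tenant_spoof_own_envelope": AuthResults(
        "domain-a.com", "other-tenant.example", "pass", ["shared-host.example"]),
    # Same co-tenant, but they also set MAIL FROM to domain-a.com. Because the
    # shared IP is in domain-a.com's SPF record, SPF passes *and* aligns.
    "tenant_spoof_victim_envelope": AuthResults(
        "domain-a.com", "domain-a.com", "pass", ["shared-host.example"]),
    # Legitimate mail: envelope domain and DKIM d= are both domain-a.com.
    "legit": AuthResults(
        "domain-a.com", "domain-a.com", "pass", ["domain-a.com"]),
    # Legitimate mail that uses subdomains for bounces and for the DKIM signer.
    "legit_subdomains": AuthResults(
        "domain-a.com", "bounce.domain-a.com", "pass", ["mail.domain-a.com"]),
}


def run_cases(record: str = STRICT_RECORD) -> dict:
    return {name: dmarc_evaluate(res, record)["dmarc"] for name, res in CASES.items()}


if __name__ == "__main__":
    for rec in (STRICT_RECORD, RELAXED_RECORD):
        print(rec)
        for name, verdict in run_cases(rec).items():
            print(f"  {name:30s} {verdict}")
```

Two things the cases make visible. First, alignment is what stops the co-tenant when they send with their own envelope domain or rely on the host's DKIM signature: neither identifier matches domain-a.com, so DMARC fails regardless of the SPF pass. Second, alignment does not help when the co-tenant also sets MAIL FROM to domain-a.com, because DMARC needs only one aligned pass and the shared IP in the SPF record supplies it; no DKIM key secrecy changes that verdict. That is why the answer's last suggestion, an SPF record that does not list the shared host's IPs, is the only way to close that path. The subdomain case shows the practical cost of adkim=s/aspf=s: mail signed or bounced from a subdomain fails under strict and passes under the relaxed default.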
