It's understandable that within any organization there will be suppliers, partners, customers, etc. that need to be allow-listed to ensure that none of the sender's messages are denied or quarantined as spam. This is as simple as adding the sender's domain to your sender allow list; after the minimum replication time (20-30 minutes), the sender is exempt from Spam Filtering, Content Filtering, and Attachment Policy Filtering. However, without adding some additional layers of security, if that sender is spoofed, those spoofed mails will be delivered too.
Why does McAfee deliver spoofed mail?
We handle Spoofed mail the same as any other message for a very simple reason: there are thousands of legitimate uses for spoofing. The spoofed address may be an alias of the base email address, perhaps it is a form coming from a web-server that must appear to be coming from "firstname.lastname@example.org", but really comes from some other email address.
How can I stop spoofed spam?
In my experience, the single largest cause of spam messages with spoofed email addresses being delivered is insecure allow-list entries. Zero-day attacks and new threats pale in comparison to allow-list entries as a cause of spam being delivered. The good news is that you can take steps to stop spoofed email from ever being delivered!
There are two options that can be taken together or individually; either will help shore up allow-list entries so that they cannot be abused by a spoofed sender.
First, when adding a domain to the allow list, determine whether the sending domain publishes an SPF record. You can check this yourself by searching Mxtoolbox.com (using spf:domain.com as your query) or any number of other online SPF checkers. Once you've validated that an SPF record exists for a sending domain, enable SPF Validation checking on your allow list entries, so that the exemption only applies to mail that actually passes SPF.
Another section of your inbound filter policies is the Email Authentication tab. If you know the sending domain is utilizing SPF records or DKIM (What is DKIM?), you can also add those domains to the SPF or DKIM enforcement tabs, which will require these authentication methods to pass before allowing delivery. There is a risk involved, and it does require the sending organization to manage their SPF Records or DKIM installation. However, that is the responsibility of the sending organization, not yours.
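The following is an added illustration, not McAfee's code or the service's actual filtering logic: a small Python model of an allow-list entry with and without SPF validation, using a constructed in-memory stand-in for DNS TXT lookups (the `partner.example`, `_spf.relay.example` and `noauth.example` domains and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation values, not real hosts). It shows why a bare allow-list entry delivers spoofed mail and why an entry that requires SPF to pass does not.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; nothing here touches the network.
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 -all",
    "noauth.example": None,  # a partner that publishes no SPF record at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator: ip4, include and 'all' mechanisms with qualifiers.
    Returns 'none' when the domain publishes no record (or the include chain is too deep)."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        # An IPv6 connecting address never matches an ip4 mechanism.
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return result
        if mech == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return result
    return "neutral"  # no mechanism matched and no explicit 'all' term


def allow_list_decision(entry, sender_domain, connecting_ip):
    """Model of how an inbound message is treated by one allow-list entry.
    entry = {"domain": <allow-listed domain>, "spf_validation": <bool>}."""
    if sender_domain != entry["domain"]:
        return "normal filtering"  # the entry does not apply to this sender
    if not entry["spf_validation"]:
        # Spoofed or not, the message bypasses spam, content and attachment filtering.
        return "exempt from filtering"
    if spf_check(sender_domain, connecting_ip) == "pass":
        return "exempt from filtering"
    return "normal filtering"  # SPF fail, softfail, neutral or none: exemption withheld
```

Note that a domain with no SPF record at all (`noauth.example`) can never earn the exemption once SPF validation is required, which is the situation the next section addresses.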
My business partner does not use SPF Records or DKIM! What do I do?
It may be best practice at this point to create an internal policy that states that no allow list entries will be created unless one of the two authentication methods is available. If a business partner, customer, etc. chooses not to utilize SPF Records or DKIM, which would allow you to verify the authenticity of the sending server and appropriately apply exemptions, then your organization should communicate clearly that an allow list entry would compromise your organization's security, and that other methods of dealing with the situation will be pursued. For example, spam false positives can be reported to email@example.com. Other issues can be discussed with the support team that works with your account.
It's important, though, to put security above convenience, and as recipients of spam campaigns in which large organizations were spoofed will tell you, a little headache now saves a lot of headache later. Most large organizations are good about keeping up their SPF Records or implementing DKIM, while smaller organizations either do not implement these at all or fail to keep them maintained. Encouraging business partners, clients, vendors, etc. to use available technologies to authenticate email and cut down on spoofed spam and phishing attacks will help to create a safer Internet.
You can do your part by ensuring your organization is itself using SPF Records and/or DKIM Authentication for your outbound emails. If you are using the McAfee SaaS Email Protection Outbound Service, we have Recommended SPF Records which will allow you to configure your SPF Records appropriately. You may also configure your own email to use DKIM (How to set up DKIM).
If you have any questions, please feel free to ask and I will do my best to answer them in a timely manner.