
Recently we received an odd mail coming from [email protected] to [email protected]

The problem is that address1 didn't send any email to address2. The email was sent using sendgrid. Sendgrid has to be in our SPF due to the use of freshdesk which uses their system.

I was able to recreate the situation with the following:

- create a free sendgrid account with a fake email address ([email protected])
- send a transactional email from: [email protected] ([email protected]) to [email protected].

The email goes straight to spam but it is still delivered. However, I would like to reject this email.

I have dkim for our principal server, and freshdesk (sendgrid), and SPF for our principal server and once again freshdesk.

I tried with dmarc to reject but the email is still being delivered. At this point I'm out of ideas and I don't know what could be missing.

If the email is sent by freshdesk then it's signed by company.com and if it's spoofed like I mentioned above it will be signed by sendgrid which is generating their own DKIM keys (apparently).

Our server runs Postfix on Debian 9. Thank you, Diogo Jesus

Diogo Jesus
  • Your question might be easier to understand if you indicated which of the placeholder domains indicate domains under your control. What did the *SendGrid* abuse team say about your complaint anyway? – anx Jun 20 '19 at 22:47
  • @anx after 2 emails no statement was made. – Diogo Jesus Jun 24 '19 at 06:33
  • The thing is that we're not SendGrid customers. I don't understand how they can have such a breach in their systems where they allow users to send transactional emails without even verifying their account. It's just pure nonsense. – Diogo Jesus Jun 24 '19 at 06:35

1 Answer

SPF / DKIM / DMARC won't necessarily solve this problem; it is perhaps better to find a way of adding a header (tag) to the Freshdesk emails so that you can use header checks to validate whether the email is genuine.

i.e.

email delivered via sendgrid and tagged with the secret freshdesk tag is genuine,

email sent via sendgrid without the tag is not and can be binned.

Allan Wallace
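The tag check described in this answer, written out as an added example (not code from the answer, Freshdesk or SendGrid). The header name `X-Helpdesk-Tag`, the secret value, the sample messages and the rule of recognising the relay by `sendgrid.net` in the topmost `Received` header are all assumptions made for illustration.

```python
import hmac
from email import message_from_string

# Assumptions, not from the original post: the header name, the secret value,
# and that SendGrid relays are recognisable by "sendgrid.net" in the Received
# header our own MTA prepends (the topmost one, the only one we can trust).
TAG_HEADER = "X-Helpdesk-Tag"
SECRET_TAG = "constructed-secret-value"
RELAY_MARKER = "sendgrid.net"

def via_relay(msg):
    """True if the hop recorded by our own server names the relay."""
    received = msg.get_all("Received", [])
    return bool(received) and RELAY_MARKER in received[0].lower()

def verdict(raw):
    """Return 'accept' or 'reject' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if not via_relay(msg):
        return "accept"  # other delivery paths are outside this check
    tags = msg.get_all(TAG_HEADER, [])
    # Require exactly one tag header and compare it in constant time.
    if len(tags) == 1 and hmac.compare_digest(
            tags[0].strip().encode(), SECRET_TAG.encode()):
        return "accept"
    return "reject"

def make(tag_lines, relay="o1.mail.sendgrid.net"):
    """Build a constructed sample message (all values are made up)."""
    return (
        f"Received: from {relay} by mx.company.example; "
        "Mon, 24 Jun 2019 06:00:00 +0000\n"
        "From: support@company.example\n"
        "To: user@company.example\n"
        + "".join(f"{TAG_HEADER}: {t}\n" for t in tag_lines)
        + "Subject: test\n\nbody\n"
    )

SAMPLES = {
    "genuine": make([SECRET_TAG]),
    "untagged": make([]),
    "wrong_tag": make(["guess"]),
    "duplicate_tag": make([SECRET_TAG, "guess"]),
    "direct": make([], relay="mail.company.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {verdict(raw)}")
```

The tag travels in clear text in every genuine message, so anyone who receives one can read it. Treat it as a filtering signal that needs rotation, not as authentication.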