JanusBarinan-8508 asked KaelYao-MSFT commented

question on email header from and reply-to

Hi,

I'd just like to understand the email header, particularly the From and Reply-To section.

First Question:
I received an email coming from this [sample email address and names]
From: Joe Satriani <customercare@gotowebinar.com>
Reply-To: presales@serviceit.com

Does this mean that the gotowebinar.com mail servers are sending on behalf of the serviceit.com domain? And when I reply to that email from Joe Satriani <customercare@gotowebinar.com>, will it be forwarded to presales@serviceit.com?


Second Question:
I received an email that goes like this:
From: 'Ahmed G' via SPECIAL GROUP <specialgroup@mydomain.com>
Reply-To: ahmed@ahmeddomain.com

How was it that the From field is using my specialgroup distro list? I did not allow Ahmed and other external domains from using our mail servers as sender on behalf of our domain. It's not just that but other external domains as well we see in the reply-to field but using our distro in the From field.

Can anybody shed light?

Thanks!





Tags: office-outlook-itpro, office-exchange-online-itpro, microsoft-graph-mail

Adding right tags/teams to assist further.


Please check whether you specified any other account in the From field (in case you tried on-behalf-of scenarios).


No, I have not done that. No accounts were added in the From field. I'm particular about the second question, though.

JanusBarinan-8508 answered KaelYao-MSFT commented

I found out now why it is so. This applies if the DMARC policy has p=reject or p=quarantine. The receiver's delivery system will allow the use of "via" so as not to trigger the DMARC policy of the sender, thus delivering the mail successfully.


Thanks for your sharing!
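
An added example, not part of the original thread: a header triage that separates the two cases discussed here, a plain Reply-To redirect and a list rewrite of the form 'Name' via GROUP <list@own-domain>. The `Authentication-Results` header, the authserv-id `mx.mydomain.com` and the label names are assumptions; the sample messages are constructed from the headers quoted in the question.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers, modelled on the two cases in the question.
# Authentication-Results and its authserv-id "mx.mydomain.com" are assumptions.
WEBINAR = ("From: Joe Satriani <customercare@gotowebinar.com>\n"
           "Reply-To: presales@serviceit.com\n\nbody\n")
LIST_OK = ("Authentication-Results: mx.mydomain.com; dmarc=pass header.from=mydomain.com\n"
           "From: 'Ahmed G' via SPECIAL GROUP <specialgroup@mydomain.com>\n"
           "Reply-To: ahmed@ahmeddomain.com\n\nbody\n")
LIST_BAD = LIST_OK.replace("dmarc=pass", "dmarc=fail")

VIA = re.compile(r"^'?(.+?)'? via (.+)$")  # display name: 'Author' via List Name


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def dmarc_result(msg, authserv_id):
    """DMARC verdict stamped by our own receiving server, or None."""
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        found = re.search(r"\bdmarc=(\w+)", results)
        # Only trust a verdict written by our own border server.
        if server.strip().lower() == authserv_id and found:
            return found.group(1).lower()
    return None


def classify(raw, own_domains, authserv_id):
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    from_dom = _domain(from_addr)
    if not reply_to or {_domain(a) for a in reply_to} == {from_dom}:
        return "aligned"
    if from_dom not in own_domains:
        return "reply-to-redirect"      # replies leave the From domain
    if VIA.match(name) and dmarc_result(msg, authserv_id) == "pass":
        return "list-rewrite"           # our list re-sent it under its own address
    return "own-domain-unverified"      # our domain in From, not authenticated
```

The display name and Reply-To are sender-controlled, so the "via" pattern alone proves nothing; the verdict recorded by your own receiving server is what distinguishes a list rewrite from a forged From.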

KaelYao-MSFT answered KaelYao-MSFT edited

@JanusBarinan-8508
Hi,

First Question:
To my knowledge, the Reply-to email address can be modified via many email clients when sending emails.

Let's take Outlook for example:
When you are going to use email address (userA@Domain-A.com for example) to send a new email, you can configure the Reply-to address to be anotheruser@Domain-B.com like in the following screenshot:
[Screenshot: 55874-75.png]
In this case, when the recipient replies to the email, only the anotheruser@Domain-B.com will get the reply email, while the userA@Domain-A.com won't.

And in your case, if you reply to the email, only presales@serviceit.com will get your response.
Unless there are some forwarding rules or settings to forward the email to Joe Satriani <customercare@gotowebinar.com> in their environment.

I think it may be because Joe Satriani <customercare@gotowebinar.com> set the Reply-to address himself when sending the email.
Or it may be that someone hacked the sender's account and changed the Reply-to address to send spoofed emails, which you need to pay attention to.

Second Question:
I think it should be Email spoofing.
Have you configured SPF, DKIM or DMARC records for your email domain?
If you haven't yet, please take it into consideration for security.
Here is an article on this topic for your reference: Office 365: Using SPF, DKIM and DMARC for Secure Messaging


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Thank you for shedding light on my first question.

For the second question, yes, we have SPF, DKIM and DMARC. What I noticed is that all external domains that seem to reply using the distro mail seem to have this: 'Name of Person who replied' via SPECIAL GROUP <specialgroup@mydomain.com>


I suppose that it is because the name of this special group has been exposed to these senders.
As they know it is an active address, they use it to send spoof emails.



I don't think they are using it for spoofing; their emails are legit. Some are business related, their domains are from partners, while other emails came from legit companies trying to sell something.
