When spammers use your company's name in the email's "From" field, but not your actual sender domain, it can lead to confusion and complaints, even if your domain isn't directly spoofed. This type of abuse, often called display name spoofing, is challenging to prevent entirely through standard email authentication protocols alone, as DMARC, SPF, and DKIM primarily protect the domain used in the technical email headers, not the human-readable display name. While it may not directly harm your email deliverability or domain reputation, it creates a customer service burden and can erode trust if recipients believe these unsolicited emails originate from your company.
Key findings
Limited prevention: Standard email authentication (SPF, DKIM, DMARC) primarily protects the sender domain in the email's technical headers (e.g., the RFC5322.From or RFC5321.MailFrom fields), not the display name that appears to recipients. This means spammers can use your company name in the "From" field while sending from an unrelated domain.
Impact on reputation: If the fraudulent emails are not authenticated as coming from your domain or IP addresses, they are unlikely to directly damage your official sender reputation or email deliverability with legitimate customers.
Customer service burden: The primary impact of name spoofing is the increased volume of customer complaints and reports, as recipients mistakenly believe the spam originates from your company, leading to significant overhead.
Spam filtering: Emails that violate standard SMTP specifications (e.g., using hostnames in the "From" header that do not match the real email address) are likely to be caught by spam filters and routed to junk folders, reducing their visibility.
Affiliate fraud: In some cases, name spoofing can be related to affiliate fraud or competitive sabotage, where bad actors use recognizable brand names to gain clicks or damage a competitor's image.
Key considerations
Implement DMARC with enforcement: While not a direct solution for display name spoofing, setting your DMARC policy to quarantine or reject is crucial for preventing more severe forms of domain spoofing and phishing that could harm your deliverability. Ensure you are monitoring your DMARC reports to understand your email ecosystem.
Educate customers: Inform your customers about how to identify legitimate emails from your company, emphasizing that they should always check the sender's actual email address (domain) and not just the display name. The FTC provides general advice on identifying spam.
Analyze headers and links: Examine the full email headers of reported spam to identify the actual sender IP, return-path, and any links (especially call-to-action links). This can help uncover the true source or motive behind the spam. If links point back to your site, it is a mild concern.
Review affiliate programs: If the spam uses templates or content similar to your affiliate marketing, investigate your affiliate partners for potential fraudulent activity. Immediately shut down suspicious links and payments related to such activities.
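The header and link checks described above, as an added example (not code from the original page): a Python triage of one reported message. The brand name, the owned domain list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "Example Corp"              # assumption: your brand name
OWNED_DOMAINS = {"example.com"}     # assumption: domains you control

# Constructed sample of a reported message (not real traffic).
REPORTED = """\
Return-Path: <bounce@mailer.unrelated.test>
Received: from host.unrelated.test (host.unrelated.test [203.0.113.7])
    by mx.recipient.test with ESMTP; Sat, 05 Aug 2023 10:00:00 +0000
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=mailer.unrelated.test;
    dmarc=pass header.from=unrelated.test
From: "Example Corp Support" <offers@unrelated.test>
To: user@recipient.test
Subject: Your reward is waiting

Claim here: https://www.example.com/promo?aff=1234 or http://click.unrelated.test/x
"""

def owned(host):
    """True if host is one of our domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)

def triage(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header is assumed to be the one the recipient's MX added.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", (msg.get_all("Received") or [""])[0])
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    return {
        "display_name": name,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "source_ip": ip.group(1) if ip else None,
        "dmarc": dmarc.group(1) if dmarc else None,
        # Brand in the display name, address on a domain we do not own:
        # DMARC on our own domain cannot act on this message.
        "display_name_spoof": BRAND.lower() in name.lower() and not owned(from_domain),
        # Links back to our own site are the affiliate-fraud signal to follow up.
        "links_to_owned": [h for h in hosts if owned(h)],
    }
```

Note that `dmarc=pass` in the sample is a pass for the sender's own unrelated domain, which is why authentication alone does not flag the message.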
What email marketers say
Email marketers often face the frustrating challenge of spammers misusing their company's name in the "From" field. While technical email authentication protocols (SPF, DKIM, DMARC) are designed to combat domain spoofing, they are less effective against simply using a company's name as a display name. This issue can lead to increased complaints and damage customer trust, even if the brand's email infrastructure remains secure. Marketers typically focus on mitigating the impact through customer education and by examining the nature of the spoofed emails to identify any underlying threats like affiliate fraud.
Key opinions
Display name vulnerability: Marketers acknowledge that using a company name in the display name (e.g., "Company Name" <sender@otherdomain.com>) is a common form of abuse that current authentication standards cannot fully prevent.
Focus on domain protection: The primary defense remains implementing robust SPF, DKIM, and DMARC records to protect the actual sending domains from being spoofed, ensuring that emails originating from your infrastructure are legitimate.
User confusion: The main concern for marketers is the confusion caused to recipients, who then contact the legitimate company with complaints, creating an administrative burden.
Affiliate-related issues: Some marketers suspect that if the spam resembles their marketing materials, it could be a rogue affiliate or a competitor attempting to damage their brand's reputation.
Key considerations
Monitor complaints: Keep track of incoming complaints and reports to gauge the scale and impact of the name spoofing issue. While your reputation might not be directly harmed, customer perception matters.
Check email headers: Obtain full email headers from reported spam to understand the actual sending infrastructure, return path, and authentication results. This can help confirm if your domain is truly untouched.
Educate recipients: Create content for your customers on how to identify legitimate emails, emphasizing the importance of checking the actual sender email address (the domain) rather than just the display name. This is crucial for avoiding phishing scams, as highlighted by Evolve Media.
Strengthen domain authentication: Ensure your DMARC record uses an enforcing policy (e.g., p=quarantine or p=reject) to tell recipient servers what to do with unauthenticated emails claiming to be from your domain. This will help protect against actual domain spoofing, as outlined in guides on how to protect your domain from being spoofed.
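An added example (not from the original page) of checking whether a published DMARC record is actually enforcing: it parses the record's tags and lists what is missing. The record strings are constructed; the defaults used (sp inherits p, pct is 100 when absent) follow RFC 7489.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def assess(record):
    tags = parse_dmarc(record)
    if tags is None:
        return {"valid": False, "enforcing": False, "gaps": ["no valid DMARC record"]}
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()          # subdomains inherit p when sp is absent
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    gaps = []
    if p not in ENFORCING:
        gaps.append(f"p={p or 'missing'} requests no action on failing mail")
    elif sp not in ENFORCING:
        gaps.append(f"sp={sp} leaves subdomains unenforced")
    if p in ENFORCING and pct < 100:
        gaps.append(f"pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        gaps.append("no rua address, so no aggregate reports to monitor")
    enforcing = p in ENFORCING and sp in ENFORCING and pct == 100
    return {"valid": True, "policy": p, "subdomain_policy": sp, "pct": pct,
            "enforcing": enforcing, "gaps": gaps}

# Constructed records for illustration (example.com is a placeholder domain).
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        result = assess(rec)
        state = "enforcing" if result["enforcing"] else "NOT enforcing"
        print(f"{rec}\n  -> {state}; gaps: {result['gaps']}")
```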
Marketer view
An email marketer from Email Geeks reports an increase in complaints due to spammers using their company name in the sender field, despite not using their actual sender domain. This creates confusion among recipients who assume the emails are legitimate.
05 Aug 2023 - Email Geeks
Marketer view
A marketer from Email Geeks clarifies that the spammers are using various third-party domains, not their own, but are still inserting their company name into the display name. This confirms the challenge of protecting against display name spoofing.
05 Aug 2023 - Email Geeks
What the experts say
Experts emphasize that while email authentication protocols are critical for preventing domain-level spoofing, they have limitations when it comes to the display name. The key takeaway from experts is that if the spammers are only using your company's name in the visible "From" field and not your actual sending domain (the technical address), existing authentication methods won't directly stop it. Instead, the focus shifts to internal monitoring, understanding the nature of the abuse, and ensuring your core domain security is robust.
Key opinions
DMARC limitations: DMARC (when enabled with enforcement) primarily prevents domain spoofing in the RFC5322.From field and does not inherently protect against the use of a company's name in the display name with an unrelated domain.
No direct solution: If only the company name is being spoofed (not the domain), there is currently no direct technical measure an organization can take to stop it, as it falls outside the scope of current email authentication.
Reputation largely unaffected: Since these emails are not authenticated as coming from the legitimate domain, they do not typically harm the sender's actual email deliverability or domain reputation with mail service providers.
Underlying motives: Experts suggest that such activity might stem from random spam campaigns, compromised accounts, or even malicious affiliate fraud where the goal is to drive traffic or muddy a competitor's reputation.
SMTP violations: Emails using mismatched hostnames in the "From" header are blatant violations of SMTP specifications, meaning they are very likely to be filtered into spam folders by recipient systems.
Key considerations
Analyze full headers: Always examine the complete email headers to ascertain the true source IP address and return-path, which can sometimes reveal insights into the sender's identity or compromised networks.
Enable DMARC enforcement: While it won't stop name spoofing with non-matching domains, transitioning your DMARC policy to an enforcing state is a critical step to protect against direct domain spoofing and phishing, as well as for overall domain health, as explained in our guide to mitigating damage from email spoofing.
Investigate links: Crucially, check where the call-to-action (CTA) links in the fraudulent emails lead. If they point to your services or affiliate programs, it might indicate affiliate fraud that needs immediate attention. Expert perspectives on this can be found on Spam Resource.
Prepare for support inquiries: Anticipate and prepare your customer support team to handle inquiries from confused or concerned recipients, providing clear explanations that these emails are not from your company.
Expert view
An email expert from Email Geeks suggests publishing a DMARC policy as a foundational step to protect against email spoofing. This is the first line of defense for domain-level attacks.
05 Aug 2023 - Email Geeks
Expert view
An email expert from Email Geeks explains that DMARC primarily protects the From header domain, while SPF secures the return-path. Neither protocol directly addresses look-alike domain or display name spoofing, highlighting their specific functionalities.
05 Aug 2023 - Email Geeks
What the documentation says
Official documentation from various sources, including government agencies and email security bodies, generally aligns on the technical limitations of current email authentication protocols in addressing display name spoofing. While these protocols effectively combat domain-level impersonation, they do not extend to the human-readable 'From' name when the underlying email address domain is different. Documentation often emphasizes the importance of a layered security approach and user education as the best defenses against such tactics, alongside strict compliance with anti-spam laws like the CAN-SPAM Act.
Key findings
Authentication scope: Documentation confirms that SPF, DKIM, and DMARC are designed to verify the authenticity of the sender's domain (technical email address), not the display name (Friendly From). This means display name spoofing is not directly prevented by these protocols if the domain is not also spoofed.
User vigilance encouraged: Most official guidance stresses the role of the end-user in identifying fraudulent emails by checking the full email address, not just the display name, and looking for other signs of phishing or spam.
CAN-SPAM compliance: Legitimate senders are mandated to adhere to laws like the CAN-SPAM Act, which prohibits false or misleading header information, but this applies to the sender of the actual email, not an unrelated party.
Email filters as a defense: Recipient email systems utilize various filtering mechanisms that may detect and block emails based on content, sender IP reputation, or other anomalies, even if authentication records pass for the sending domain.
Key considerations
Maintain strong authentication: While display name spoofing is an ongoing challenge, maintaining a robust SPF, DKIM, and DMARC setup (especially with an enforcing DMARC policy) is fundamental to protecting your domain from more direct and damaging forms of spoofing.
Educate internal teams: Ensure your customer support, sales, and marketing teams understand the difference between domain and display name spoofing so they can accurately respond to customer inquiries.
Report abuse: Encourage recipients to report suspicious emails to their email providers (e.g., mark as spam/junk) and, if possible, to your company, providing the full email headers for investigation.
Secure internal accounts: Implement multi-factor authentication and strong password policies for all internal email accounts to prevent them from being compromised and used to send spam. This is a baseline security measure often advised in documentation from cybersecurity resources.
Technical article
Consumer Advice documentation recommends utilizing email filters to divert unwanted emails to junk folders, emphasizing that end-users have tools at their disposal to manage unsolicited mail.
10 Aug 2023 - Consumer Advice
Technical article
LuxSci (an email service provider) advises against whitelisting your own email address or domain in your spam filters to ensure that any spoofed emails (even those using your display name) are correctly identified and filtered.