By default my firm blocks email spoofing using Mimecast. You can’t send a message from the Internet and claim that it is from our internal domain names. Occasionally we’ve had to make exceptions to the rules for particular public web sites that use email spoofing to send out email messages. Today’s case was The Wall Street Journal. If a user registers with an internal domain name email address and then tries to send an article to themselves, WSJ nicely uses the email address: no-reply@freerangeinc.com but when sending to anyone else it uses the registered users email address. When they send to another person at the firm, the email is bounced.
After some back and forth with WSJ support, they were able to provide me the external IP addresses that they use to send email:
208.144.115.183/32
205.203.128.129/32
205.203.128.130/32
205.203.128.166/32
Once we put those IP addresses in our Mimecast configuration the messages were no longer bouncing. Ideally web sites should NEVER spoof someone’s email address, but at least the IP addresses to allow it to work are available.
Did you talk to the folks at WSJ about this?
What was their reaction?
Having worked at Mimecast for many years, I have frequently seen this and have been largely sucessful in explaining to companies why they *should* not spoof.
If you made any contacts there I would be happy to get hold of them to see if we could change their thinking quickly 🙂
Barry Gill,
So far I’ve only just worked back and forth with their email support people and don’t have any contacts that are higher up than this. I can definitely follow up with support to see if they are willing to change their approach.