Short, practical guide to stop forged “From” headers, protect your IP reputation, and improve deliverability.
📌 Overview
Email spoofing is when attackers forge the From address so messages look like they came from a trusted domain. On shared hosting, this quickly destroys IP reputation and inbox placement. The fix: combine Exim ACL checks with SPF/DKIM/DMARC and sane SMTP restrictions.
You’ll achieve:
- ✅ Block users/scripts from sending as domains they don’t own
- ✅ Align authenticated user ↔ From address
- ✅ Improve inboxing and reduce abuse complaints
🎯 Quick-Fix Checklist
- Enable SMTP Restrictions in WHM
- Require TLS before AUTH (Exim)
- Add Exim ACL rules (below)
- Enable SPF & DKIM for all domains
- Publish DMARC with p=quarantine or p=reject
- Set per-domain outgoing rate limits
🧠 What Is Spoofing & Why It Hurts
Spoofing = forged From. Results:
- Phishing & malware risk for recipients
- Blacklists (Spamhaus, Microsoft SNDS, Gmail reputation)
- Legit mail from all tenants gets filtered or rejected
🛠 Step‑by‑Step: Block Authenticated Spoofing in Exim
Prereqs: WHM root access. Take a backup: WHM → Exim Configuration Manager → Backup.
1) Log in to Advanced Editor
WHM → Exim Configuration Manager → Advanced Editor
2) Define Allowed Domains
Use Add additional configuration setting:
# Recognize remote domains file along with local
domainlist remote_domains = lsearch;/etc/remotedomains
3) Block Non‑SMTP (e.g., PHP mail) with Mismatched From
In ACLs → acl_not_smtp → custom_begin_outgoing_notsmtp_checkall add:
deny
  condition = ${if ! match_domain{${domain:${address:$h_From:}}}{ +local_domains : +remote_domains}}
  message = Sorry, you don't have permission to send email from this server \
            with a header 'From' that does not match a domain you own or host.
4) Enforce From ≡ Authenticated User for SMTP
Find acl_smtp_data → custom_begin_outgoing_smtp_checkall and add:
deny
  authenticated = *
  condition = ${if or { \
                { !eqi{$authenticated_id} {$sender_address} } \
                { !eqi{$authenticated_id} {${address:$header_From:}} } \
              } }
  message = Your FROM address ( $sender_address , $header_From ) must \
            match your authenticated email user ( $authenticated_id ). \
            Treating this as a spoofed email.
accept
5) Save & Restart Exim
Use the Save button; WHM applies and restarts Exim.
Tip: If you use EasyApache/Exim updates, re-verify that custom sections remain; WHM preserves custom_begin_* blocks.
🔒 SMTP Security & Policy Settings (WHM)
- SMTP Restrictions: WHM → Security Center → SMTP Restrictions → Enable
- Require TLS before AUTH: WHM → Exim Configuration Manager → Basic Editor → Security
- Hourly send limits: WHM → Tweak Settings → Mail (e.g., 100/hour/domain; 30% fail cap)
- RBLs/SpamAssassin: Enable as appropriate for inbound hygiene (optional)
🌐 Authentication DNS (SPF/DKIM/DMARC)
Use cPanel → Email Deliverability for SPF & DKIM. Publish DMARC in Zone Editor.
SPF (example):
v=spf1 +a +mx +ip4:YOUR.SERVER.IP include:SPF-PROVIDER -all
DKIM: enable per domain in Email Deliverability (cPanel auto‑generates keys).
DMARC (start with quarantine):
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; pct=100
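To audit the DMARC records of many hosted domains against the checklist above (p=quarantine or p=reject), the following added example, which is not part of the original guide, classifies a TXT value. `dmarc_verdict` is a hypothetical helper name, and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: classify a DMARC TXT value by how strictly it is enforced.
# dmarc_verdict is a hypothetical helper; it takes the record text as $1.
dmarc_verdict() {
  printf '%s\n' "$1" | awk -F';' '
    BEGIN { pct = 100 }                  # pct defaults to 100 when absent
    {
      gsub(/"/, "")                      # drop the quotes dig prints around TXT data
      for (i = 1; i <= NF; i++) {
        tag = $i; gsub(/^[ \t]+|[ \t]+$/, "", tag)
        if (tag == "") continue          # a trailing ";" leaves an empty field
        eq = index(tag, "=")
        name = tolower(substr(tag, 1, eq - 1)); val = substr(tag, eq + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        # The version tag must come first, otherwise the record is not DMARC.
        if (++n == 1 && !(name == "v" && val == "DMARC1")) { print "invalid"; exit }
        if (name == "p")   p = tolower(val)
        if (name == "pct") pct = val + 0
      }
      if (p == "none") print "monitor-only"
      else if (p == "quarantine" || p == "reject")
        print (pct < 100 ? "partial" : "enforcing")
      else print "invalid"
    }'
}

# The record from this guide (the mailbox is the guide's placeholder).
dmarc_verdict 'v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; pct=100'
```

On a live server the input would come from `dig +short TXT _dmarc.yourdomain.com`, one domain at a time.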
Comparison Table
| Control | Purpose | Where to Set | Blocks Spoofing |
|---|---|---|---|
| Exim ACL (auth match) | Enforce From ≡ authenticated user | WHM → Exim Advanced | ✅ Outbound |
| SPF | Authorize sending hosts | DNS (cPanel) | ✅ Receiver-side |
| DKIM | Sign messages | DNS + cPanel | ✅ Receiver-side |
| DMARC | Policy on failures | DNS | ✅ Receiver-side |
| SMTP Restrictions | Force authenticated routing | WHM Security Center | ✅ Server-side |
🔍 Verify & Monitor
Trace a single message (replace ID):
exigrep 1XYZ-ABCDEF-12345 /var/log/exim/mainlog
zgrep -H "1XYZ-ABCDEF-12345" /var/log/exim/mainlog*
List SMTP-AUTH sends with user & client IP (Exim logs P=esmtpsa for AUTH over TLS and P=esmtpa for AUTH without TLS, so match both):
zgrep -iE " <= .* P=esmtps?a .* A=dovecot_login" /var/log/exim/mainlog* \
| awk '{print $0}'
Top client IPs used by AUTHed senders:
zgrep -iE " <= .* P=esmtps?a .* A=dovecot_login" /var/log/exim/mainlog* \
| grep -oE "\[[0-9.]+\]" | tr -d "[]" | sort | uniq -c | sort -nr
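An audit pass over the same arrival lines, as an added example that is not part of the original guide: it lists authenticated submissions whose envelope sender differs from the AUTH identity, which is the case the step 4 ACL rejects. The function names and sample log lines are constructed, and the default field layout (date, time, message ID, `<=`, sender) is assumed.

```shell
#!/bin/sh
# Added example: flag AUTHed submissions where envelope sender != AUTH identity.
# Reads Exim mainlog lines on stdin; assumes the default log field layout.
find_auth_mismatch() {
  awk '
    $4 == "<=" && / P=esmtps?a / {
      sender = tolower($5); auth = ""; ip = "-"
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^A=[^:]+:/) {               # A=<authenticator>:<auth id>
          auth = tolower($i); sub(/^a=[^:]+:/, "", auth)
        } else if ($i ~ /^\[[0-9a-fA-F.:]+\]/) {   # [client ip] or [client ip]:port
          ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
        }
      }
      # Case-insensitive comparison, like eqi{} in the ACL.
      if (auth != "" && sender != auth)
        print $3, "auth=" auth, "sender=" sender, "ip=" ip
    }'
}

# Constructed sample lines (not taken from a real server).
sample_log() {
  cat <<'EOF'
2025-01-10 09:15:02 1tWabc-0001Ab-2F <= alice@example.com H=(laptop) [203.0.113.5]:51234 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:alice@example.com S=1420 id=a1@example.com
2025-01-10 09:16:40 1tWdef-0002Cd-3G <= billing@other.example H=(pc) [198.51.100.7]:40022 P=esmtpsa A=dovecot_login:bob@example.com S=2210
2025-01-10 09:17:05 1tWghi-0003Ef-4H <= news@example.org H=mx.example.org [192.0.2.9] P=esmtps S=5120
2025-01-10 09:17:06 1tWghi-0003Ef-4H => alice@example.com R=virtual_user T=dovecot_virtual_delivery
EOF
}

sample_log | find_auth_mismatch
```

Running this before enabling the ACL shows which existing senders would start receiving the rejection message.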
How to Test Outbound Email and Spoofing Protection in cPanel
After configuring your cPanel server for secure outbound email and spoofing protection, you can perform two separate tests:
1. Normal Outbound Email Test
Use SWAKS to send a test email from your server to an external recipient:
swaks \
--server 127.0.0.1 \
--port 587 --tls \
--auth LOGIN --auth-user user@example.com --auth-password 'PASSWORD' \
--from user@example.com \
--to recipient@example.net \
--h-Subject "Delivery test: example.com ➜ example.net" \
--body "Hello, this is a test from $(hostname) to confirm outbound mail to recipient@example.net."
Expected result: The email should be delivered successfully to the remote inbox.
2. Spoofing Attempt Test
Send a test email using SWAKS where the From address does not match the authenticated account:
swaks \
--server 127.0.0.1 \
--port 587 --tls \
--auth LOGIN --auth-user user@example.com --auth-password 'PASSWORD' \
--from fakeuser@anotherdomain.com \
--to recipient@example.net \
--h-Subject "Spoofing test: anotherdomain.com via example.com" \
--body "This is a spoofing test. The server should reject this email if protections are enabled."
Expected result: The server should reject the message with an error indicating that the sender is not authorized.
✅ Tip: Run both tests after making configuration changes to confirm that normal mail flow is working and spoofing attempts are blocked.
3. Manual SMTP “Spoof” Check with Telnet (Open‑Relay / Header Forgery)
Use this to verify the server won’t accept messages with a forged From: over a raw SMTP session and that it isn’t an open relay.
From any external host (preferably not the mail server itself):
$ telnet your-server-ip 25
EHLO test
MAIL FROM:<fake@otherdomain.com>
RCPT TO:<your-real-email@example.com>
DATA
Subject: Spoof Test
Test spoof prevention.
.
QUIT
Expected results:
- If relaying unauthenticated mail is blocked (correct): you should see a 550/553 relay/auth required style error before or after RCPT TO.
- If your Exim ACLs require AUTH + From≡Auth, this raw telnet test will be blocked earlier (no AUTH), which is good. To specifically verify authenticated-spoof blocking, use the SWAKS spoof test in Section 2.
🔎 Tip: You can also use TLS for manual testing:
openssl s_client -connect your-server-hostname:25 -starttls smtp -crlf
EHLO test
... (proceed as above)
Using the hostname that matches your TLS certificate avoids host‑verification warnings.
Install SWAKS if Not Available
Choose your OS family and run one of the following:
RHEL / AlmaLinux / Rocky 8–9
dnf install -y swaks
# Not found? Enable EPEL then retry:
dnf install -y epel-release && dnf install -y swaks
CentOS 7
yum install -y epel-release && yum install -y swaks
Debian / Ubuntu
apt update && apt install -y swaks
Fallback (CPAN)
cpan -i App::swaks
Verify install
swaks --version
✅ Reminder: The telnet test checks open‑relay/basic acceptance. The SWAKS spoof test proves your authenticated From≡Auth ACL is working (the gold‑standard anti‑spoof check).
🧩 Troubleshooting
Symptom: Users see “Your FROM address must match your authenticated user”
Fix: Their mail client’s From must be the same mailbox they authenticated with.
Symptom: Legit forwarders break
Fix: Keep forwarding but rely on SRS, or encourage senders to use the right domain; DMARC-aligned forwarding requires ARC/SRS on receiving systems.
Symptom: PHP apps fail to send
Fix: Use SMTP with authentication in app config (PHPMailer/SwiftMailer), not bare mail().
Rollback (temp): Comment out the deny blocks in custom_begin_* and Save. Re-enable after the audit.
Outcome: Optimized, consistent, and transparent email security posture that keeps your brand trusted and your inboxes clean. ✅