SpamTitan Cloud Anti-Spoofing

Email spoofing is the creation of an email with a forged sender address to intentionally mislead a recipient about its origin. This technique is often used in phishing campaigns and generally attempts to get a user to click a link and share their credentials or reply with sensitive information.

There are two types of From addresses in an email, both of which can be spoofed:

  • Envelope From: This is transmitted during the MAIL FROM command.

  • Mime-Encoded From: This is transmitted after the DATA command during an SMTP transmission. It is not protected by any SMTP mechanism and as such is open to spoofing.

SpamTitan has two tests to help protect against email spoofing:

  • ANTISPOOF: this test checks if the from or envelope from domain matches the recipient's domain. If triggered, the test adds 25 to an email's spam score. Go to Filter Rules > Anti-Spoofing Settings to enable. See Anti-Spoof Settings.

  • ANTISPOOF_NAME: this test provides impersonation protection. Impersonation is when spam is sent using the From name of a high profile person in a company, e.g. the CEO. This test is automatically enabled when a full name is entered for a user on their user policy. A full name is at least two words (usually first name and last name), e.g. John Smith. Go to Anti-Spam Engine > User Policies to add or edit a user policy.

    Once enabled, ANTISPOOF_NAME carries out a number of checks to compare a user's name as entered on their user policy with the email From name:


    Example, From: "John Smith" <>

    Firstname Lastname

    John Smith

    Lastname, Firstname

    Smith, John

    F. Lastname or F Lastname

    J. Smith or J Smith

    Firstname L. or Firsname L

    John S. or John S

    Lastname only


    Firstname only


    Fuzzy comparison

    J0hn Smith


    If a match is made using fuzzy matching, a spam score of 1 (the default fuzzy score) is used instead of the antispoof_name test default score of 5.

SpamTitan's anti-spoofing functionality is not enabled by default.