What's this?

This entire site is about fixing problems with mail systems. There are many, and some of them have an impact on security. This site is concerned with the security issues.

This page is a work in progress, started on 17th March 2018. It will never be finished, because, as Douglas Adams knew very well, every time you make something foolproof, somebody comes up with a better fool. But even before it's finished, it will tell you how to find out more, and how to get your problem fixed.


Forged mail on the public Internet is a very serious problem.

The greater part of the electronic mail on the Internet is from criminals, who forge mail messages by the billion. People and organizations (even large ones who you'd think should know better) have been duped out of millions of pounds by very simple forged emails. Google Inc., for example, paid more than a hundred million dollars to some guy in India who forged a few invoices. They got quite a lot of it back, eventually.

Fortunately, there are some very simple ways to detect forged mail.

One of them is to read the mail carefully, and think about it. Most forged messages have very obvious indicators. Bad spelling and poor use of language is one. Ask yourself, too, whether the message is plausible.

Some criminals, however, know what they're doing and their messages are very well crafted indeed.
It might not be at all obvious that the message is forged, even after a very careful reading by someone familiar with the alleged writer.


Another way to detect forgery is to look at the mail headers.

An electronic mail message is made up of two parts. They are the headers, of which there can be quite a few, and a body, of which there is just one.

Your mail client (the thing that you use to read your mail - it might be called Microsoft Mail, Outlook, Seamonkey, Thunderbird, whatever) won't usually show you most of the mail headers. It probably can do if you ask it to, but
(a) they're difficult to understand because they're not really intended for the casual reader and
(b) when the mail client displays the headers to you, very often it makes a complete dog's breakfast of them.

Set up your mail system to allow automatic forgery tests

If the sending and receiving mail systems are set up properly, they can make the detection of forgery very straightforward and completely automatic. The tools to do that have been readily available since the late 2000s. They are not trivial to install and use, and it must be left to mail providers to do most of the work. But if you own a domain name you can help. All you need to do is set up an SPF record. It's one line of text in the Domain Name System.

Sender Policy Framework (SPF)

Why am I here?

You're probably here because you received an email Non-Delivery Report (NDR) which contains a link to this page.

In the meantime, if you wish, you can send an email to the address in the NDR, which is a one-time address (good for use once only) and mail to that address will not be rejected.

The reason for the mail rejection was most probably that one of the SPF records inspected by the server which received your mail was found to be faulty.

Sender Policy Framework (SPF) is a relatively recent (in 2018, not much more than a decade old) addition to the Internet email specifications and is designed to detect forgeries.

Unfortunately there is a great deal of misunderstanding about SPF, and there's a lot of half-baked nonsense published about it by well-meaning people who think they're helping.

SPF is implemented by 'records' published in the Domain Name System. The records are published in just the same way that domain names like 'fixmymail.uk' are published.

One result of that is that in 2018 about one in three SPF records is broken. Some are so badly broken that they cause rejection of legitimate mail. That's why you're here.

Don't worry. It's easily fixed.
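
The commonest faults in an SPF record can be found mechanically before a receiving server trips over them. The sketch below is an added example, not code from this site or from any mail server: it checks one domain's TXT records against the syntax rules of RFC 7208 without making any DNS queries. The function name lint_spf and the sample records are constructed for illustration.

```python
import ipaddress
import re

# Mechanism names from RFC 7208; those in LOOKUP each cost the receiver a DNS query.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP = {"include", "a", "mx", "ptr", "exists"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.\-]*)([:=/].*)?$")
# Constructed sample TXT record sets (example.* names and 192.0.2.0/24 are reserved).
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
DUPLICATE = GOOD + ["v=spf1 mx -all"]
BROKEN = ["v=spf1 ip4:192.0.2.300 inlcude:_spf.example.net -all mx"]

def lint_spf(txt_records):
    """Return the faults in one domain's TXT records (syntax only, no DNS queries)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return ["%d SPF records published; a receiver needs exactly one" % len(spf)]
    faults, lookups, seen_all = [], 0, False
    for term in spf[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            faults.append("unparseable term: " + term)
            continue
        qualifier, name, arg = m.group(1), m.group(2).lower(), m.group(3) or ""
        if arg.startswith("="):  # modifier such as redirect= or exp=
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:
            faults.append("unknown mechanism: " + term)
            continue
        if seen_all:
            faults.append("never evaluated, follows 'all': " + term)
        lookups += name in LOOKUP
        if name == "all":
            seen_all = True
            if qualifier in ("", "+"):
                faults.append("'+all' authorises every host on the Internet")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg[1:], strict=False).version != int(name[2]):
                    raise ValueError(term)
            except ValueError:
                faults.append("bad address: " + term)
        elif name in ("include", "exists") and len(arg) < 2:
            faults.append("missing domain: " + term)
    # Lower bound only: queries made inside included records also count towards 10.
    if lookups > 10:
        faults.append("%d DNS-querying terms; receivers stop at 10" % lookups)
    return faults
```

Calling lint_spf(BROKEN) reports the out-of-range address, the misspelt "include" and the "mx" that follows "all"; an empty list means no syntax fault was found, not that the record authorises the right servers.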