https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1068#M716 <P>have you first made sure your SPF record is correct?&nbsp; SPF is the first step and will prevent someone elsewhere in the world sending as your domain, rather not really prevent...but it will communicate to all receiving email systems where valid email for your domain can originate from.&nbsp; So it is up to you to allow via SPF config the servers that are authorized to send on behalf of your domain.</P><P>Matt</P> Thu, 21 Sep 2023 18:34:50 GMT MattFeider 2023-09-21T18:34:50Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1067#M715 <P>Hello</P><P>&nbsp;</P><P>I know I need to get my DMARC setup finished, but in the meantime I have something that has been bothering me.</P><P>&nbsp;</P><P>We had someone spoof on our principals email address.&nbsp; It came through with a warning from Google to be wary of this email, but if you dig deeper it did not appear to be a hack of her account, but just someone sending email as her\us.&nbsp; It had a different reply to address and said up the top user@domain.com via another party.</P><P>&nbsp;</P><P>Interestingly I had the user click the report phishing and I received an email to my admin account that the phish report had been made, but since the email was spoofed the phish report said that it was against(actor) my user@domain.com.&nbsp; Am I missing something?&nbsp; Should I be digging deeper into this users account?&nbsp; or is this just a matter of needing to get my DMARC record straight and that is the only answer.</P><P>&nbsp;</P><P>Also, if I do a search in the investigative tool the email there as coming from user@domain.com - this isn't right though it is pretty clearly a spoofed email sent from a server in Europe.&nbsp; How is the investigation tool populated?&nbsp;&nbsp;</P><P>&nbsp;</P><P>We do have 2 factor on all accounts, but this just appears to be a spoof.</P><P>&nbsp;</P><P>Just wanted to make sure I am crossing my ts.</P><P>&nbsp;</P><P>Thanks</P> Thu, 21 Sep 2023 18:16:45 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1067#M715 E8419 2023-09-21T18:16:45Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1068#M716 <P>have you first made sure your SPF record is correct?&nbsp; SPF is the first step and will prevent someone elsewhere in the world sending as your domain, rather not really prevent...but it will communicate to all receiving email systems where valid email for your domain can originate from.&nbsp; So it is up to you to allow via SPF config the servers that are authorized to send on behalf of your domain.</P><P>Matt</P> Thu, 21 Sep 2023 18:34:50 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1068#M716 MattFeider 2023-09-21T18:34:50Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1074#M717 <P>Yeah, everyone really needs to read&nbsp; through and adjust their DNS according to <A title="Support article on SPF, DKIM and DMARC" href="https://support.google.com/a/topic/9061731?hl=en&amp;fl=1&amp;sjid=4514271506941951759-NA" target="_blank" rel="noopener">this support article</A>.</P><P>SPF, DKIM and DMARC should be one of the first things to set up on a new Workspace account.</P><P>DMARC reject is also the only real option to use, and should be set as soon as possible after SPF and DKIM are working.</P> Fri, 22 Sep 2023 07:43:20 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Spoofed-Email-Phishing-reports-Investigation-tool/m-p/1074#M717 Kim_Nilsson 2023-09-22T07:43:20Z