I recently started receiving some Delivery Status Notification or automatic response emails from messages I have never sent. Expanding the details I noticed that they were all replies to emails sent by addresses like this: E7F35AED@mydomain.com (were mydomain.com is actually a domain of mine I use under Google Apps). I was receiving them because I set my own email email@example.com as a catch-all address so that all emails sent to not existing addresses @mydomain.com would be forwarded to my main email address.
So actually I was just a victim of Spoofing and I could realize that only thanks to the catch-all address.
Googling a bit around I found out that there are mainly 3 methods to prevent this phenomenon and add an authentication step to your sent emails:
- SPF records
- Authenticate email with DKIM
- DMARC I personally suggest everybody having a Google apps domain turning on the Catch-all address and activating the first two methods, the third is quite sophisticated and might be needed only in some situations.
Good luck, hope it works!