Disable Email Spoofing in cPanel/WHM (Shared Hosting)

Published 4 Mar 2026 | Updated 17 Apr 2026

End-of-Life Warning: CentOS 6 and CentOS 7 have reached end-of-life and no longer receive security patches. If you are still running CentOS 6/7, we strongly recommend migrating to AlmaLinux 8/9 or Rocky Linux 8/9 immediately.

Short, practical guide to stop forged "From" headers, protect your IP reputation, and improve deliverability.


Overview

Email spoofing is when attackers forge the From address so messages look like they came from a trusted domain. On shared hosting, this quickly destroys IP reputation and inbox placement. The fix: combine Exim ACL checks with SPF/DKIM/DMARC and sane SMTP restrictions.

You'll achieve:

  • Block users/scripts from sending as domains they don't own

  • Align the From address with the authenticated user

  • Improve inboxing and reduce abuse complaints


Quick-Fix Checklist

  • Enable SMTP Restrictions in WHM

  • Require TLS before AUTH (Exim)

  • Add Exim ACL rules (below)

  • Enable SPF & DKIM for all domains

  • Publish DMARC with p=quarantine or p=reject

  • Set per-domain outgoing rate limits


What Is Spoofing & Why It Hurts

Spoofing = forged From. Results:

  • Phishing & malware risk for recipients

  • Blacklists (Spamhaus, Microsoft SNDS, Gmail reputation)

  • Legit mail from all tenants gets filtered or rejected


Step-by-Step: Block Authenticated Spoofing in Exim

Prereqs: WHM root access. Take a backup: WHM → Exim Configuration Manager → Backup.

1) Log in to Advanced Editor

WHM → Exim Configuration Manager → Advanced Editor

2) Define Allowed Domains

Use Add additional configuration setting:

# Recognize remote domains file along with local
domainlist remote_domains = lsearch;/etc/remotedomains

3) Block Non-SMTP (e.g., PHP mail) with Mismatched From

In ACLs → acl_not_smtp → custom_begin_outgoing_notsmtp_checkall, add:

deny
 condition = ${if ! match_domain{${domain:${address:$h_From:}}}{ +local_domains : +remote_domains}}
 message = Sorry, you don't have permission to send email from this server \
with a header 'From' that does not match a domain you own or host.

4) Enforce From = Authenticated User for SMTP

Find acl_smtp_data → custom_begin_outgoing_smtp_checkall and add:

deny
 authenticated = *
 condition = ${if or { \
 { !eqi{$authenticated_id} {$sender_address} } \
 { !eqi{$authenticated_id} {${address:$header_From:}} } \
 } }
 message = Your FROM address ( $sender_address , $header_From ) must \
match your authenticated email user ( $authenticated_id ). \
Treating this as a spoofed email.
accept

5) Save & Restart Exim

Use the Save button; WHM applies and restarts Exim.

Tip: After EasyApache/Exim updates, re-verify that your custom sections remain; WHM preserves custom_begin_* blocks.


SMTP Security & Policy Settings (WHM)

  • SMTP Restrictions: WHM → Security Center → SMTP Restrictions → Enable

  • Require TLS before AUTH: WHM → Exim Configuration Manager → Basic Editor → Security

  • Hourly send limits: WHM → Tweak Settings → Mail (e.g., 100/hour/domain; 30% fail cap)

  • RBLs/SpamAssassin: Enable as appropriate for inbound hygiene (optional)


Authentication DNS (SPF/DKIM/DMARC)

Use cPanel Email Deliverability for SPF & DKIM. Publish DMARC in Zone Editor.

SPF (example):

v=spf1 +a +mx +ip4:YOUR.SERVER.IP include:SPF-PROVIDER -all

DKIM: enable per domain in Email Deliverability (cPanel autogenerates keys).

DMARC (start with quarantine):

Host: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:DMARC-REPORTS@YOUR.DOMAIN; ruf=mailto:DMARC-REPORTS@YOUR.DOMAIN; fo=1; pct=100
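
A check for the DMARC requirement in the checklist (p=quarantine or p=reject), added here as an example and not part of the original article. The function name `dmarc_verdict` and all sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a DMARC TXT record against the checklist item
# "p=quarantine or p=reject". All records used here are constructed samples.

# dmarc_verdict RECORD prints one of:
#   enforcing p=<policy> pct=<n> | partial p=<policy> pct=<n>
#   monitor-only p=none          | invalid: <reason>
dmarc_verdict() {
  # dig prints TXT data inside double quotes; strip them before parsing.
  printf '%s\n' "$1" | tr -d '"' | awk -F';' '{
    n = 0; split("", tag)               # reset state for each record line
    for (i = 1; i <= NF; i++) {
      t = $i; gsub(/^[ \t]+|[ \t]+$/, "", t)
      if (t == "") continue
      eq = index(t, "=")
      if (eq == 0) { print "invalid: malformed tag"; exit }
      k = tolower(substr(t, 1, eq - 1)); v = substr(t, eq + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+/, "", v)
      if (++n == 1 && (k != "v" || v != "DMARC1")) {
        print "invalid: record must start with v=DMARC1"; exit
      }
      tag[k] = tolower(v)
    }
    p = tag["p"]; pct = ("pct" in tag) ? tag["pct"] + 0 : 100
    if (p == "none") print "monitor-only p=none"
    else if (p != "quarantine" && p != "reject") print "invalid: missing or unknown p tag"
    else if (pct < 100) print "partial p=" p " pct=" pct
    else print "enforcing p=" p " pct=" pct
  }'
}

# Demo; on a live zone pass "$(dig +short TXT _dmarc.example.com)" instead.
for rec in \
  'v=DMARC1; p=quarantine; rua=mailto:reports@example.com; fo=1; pct=100' \
  '"v=DMARC1; p=none; rua=mailto:reports@example.com"' \
  'v=DMARC1; p=reject; pct=25' \
  'p=reject; v=DMARC1'
do
  printf '%s => %s\n' "$rec" "$(dmarc_verdict "$rec")"
done
```

A "partial" verdict means the policy applies to only a share of failing mail, so spoofed messages can still pass at receivers.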

Comparison Table

| Control | Purpose | Where to Set | Blocks Spoofing |
|---|---|---|---|
| Exim ACL (auth match) | Enforce From = authenticated user | WHM → Exim Advanced | Outbound |
| SPF | Authorize sending hosts | DNS (cPanel) | Receiver-side |
| DKIM | Sign messages | DNS + cPanel | Receiver-side |
| DMARC | Policy on failures | DNS | Receiver-side |
| SMTP Restrictions | Force authenticated routing | WHM → Security Center | Server-side |

Verify & Monitor

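Trace a single message (replace ID):

# cPanel servers usually write this log to /var/log/exim_mainlog; adjust the path to match your system.
exigrep 1XYZ-ABCDEF-12345 /var/log/exim/mainlog
zgrep -H "1XYZ-ABCDEF-12345" /var/log/exim/mainlog*

List SMTP-AUTH sends with user & client IP:

# P=esmtpa is AUTH without TLS; AUTH over TLS is logged as P=esmtpsa.
# A= names the authenticator (dovecot_login or dovecot_plain), followed by the login.
zgrep -iE " <= .* P=esmtps?a .*A=dovecot_(login|plain)" /var/log/exim/mainlog*

Top client IPs used by AUTHed senders:

zgrep -iE " <= .* P=esmtps?a .*A=dovecot_(login|plain)" /var/log/exim/mainlog* \
| grep -oE "\[[0-9.]+\]" | tr -d "[]" | sort | uniq -c | sort -nr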
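
To see which authenticated users send with an envelope sender that differs from their login (the $sender_address half of the step 4 rule), the log can be audited as below. This is an added example, not part of the original article; the function names and the log lines are constructed, and the default Exim log layout is assumed. The header From is not in the main log, so only the envelope sender is compared.

```shell
#!/bin/sh
# Added example: list authenticated submissions whose envelope sender differs
# from the SMTP AUTH login (the $sender_address half of the step 4 rule).

# sample_log: constructed Exim main-log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
2026-03-04 10:00:01 1tAAAA-000001-AA <= alice@example.com H=(laptop) [203.0.113.5]:51234 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:alice@example.com S=1204 T="Invoice" for bob@example.net
2026-03-04 10:02:17 1tAAAB-000002-BB <= ceo@anotherdomain.com H=(pc) [198.51.100.7]:40022 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_plain:carol@example.com S=980 T="Urgent A=dovecot_login:ceo@anotherdomain.com" for bob@example.net
2026-03-04 10:03:40 1tAAAC-000003-CC <= Dave@Example.com H=(phone) [203.0.113.9]:55001 P=esmtpa A=dovecot_login:dave@example.com S=700 T="hi" for erin@example.net
2026-03-04 10:04:02 1tAAAD-000004-DD => bob@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.25] C="250 OK"
EOF
}

# audit_auth_mismatch: reads main-log lines on stdin and prints
# "auth_id envelope_sender client_ip" for every mismatching arrival ("<=").
# Assumes the default layout: date, time, message id, "<=", sender, ...
audit_auth_mismatch() {
  awk '
    $4 == "<=" {
      sender = tolower($5); auth = ""; ip = ""
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^T="/) break            # stop at the sender-controlled subject
        if ($i ~ /^A=dovecot_(login|plain):/) {
          auth = tolower($i); sub(/^a=[^:]*:/, "", auth)
        } else if (ip == "" && $i ~ /^\[[0-9a-fA-F.:]+\]/) {
          ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
        }
      }
      # Case-insensitive compare, like eqi{} in the ACL.
      if (auth != "" && auth != sender) print auth, sender, ip
    }'
}

# Demo on the sample; on a server: zcat -f /var/log/exim/mainlog* | audit_auth_mismatch
sample_log | audit_auth_mismatch
```

Running it before enabling the deny rule shows which mailboxes will start getting rejections; running it afterwards should return nothing for new mail.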

How to Test Outbound Email and Spoofing Protection in cPanel

After configuring your cPanel server for secure outbound email and spoofing protection, you can perform two separate tests:


1. Normal Outbound Email Test

Use SWAKS to send a test email from your server to an external recipient:

swaks \
 --server 127.0.0.1 \
 --port 587 --tls \
 --auth LOGIN --auth-user user@example.com --auth-password 'PASSWORD' \
 --from user@example.com \
 --to recipient@example.net \
 --h-Subject "Delivery test: example.com to example.net" \
 --body "Hello, this is a test from $(hostname) to confirm outbound mail to recipient@example.net."

Expected result: The email should be delivered successfully to the remote inbox.


2. Spoofing Attempt Test

Send a test email using SWAKS where the From address does not match the authenticated account:

swaks \
 --server 127.0.0.1 \
 --port 587 --tls \
 --auth LOGIN --auth-user user@example.com --auth-password 'PASSWORD' \
 --from someone@anotherdomain.com \
 --to recipient@example.net \
 --h-Subject "Spoofing test: anotherdomain.com via example.com" \
 --body "This is a spoofing test. The server should reject this email if protections are enabled."

Expected result: The server should reject the message with an error indicating that the sender is not authorized.


Tip: Run both tests after making configuration changes to confirm that normal mail flow is working and spoofing attempts are blocked.


3. Manual SMTP "Spoof" Check with Telnet (Open-Relay / Header Forgery)

Use this to verify the server won't accept messages with a forged From: over a raw SMTP session and that it isn't an open relay.

From any external host (preferably not the mail server itself):

$ telnet your-server-ip 25
EHLO test
MAIL FROM:<someone@anotherdomain.com>
RCPT TO:<recipient@example.net>
DATA
Subject: Spoof Test

Test spoof prevention.
.
QUIT

Expected results:

  • If relaying unauthenticated mail is blocked (correct): you should see a 550/553 "relay/auth required" style error before or after RCPT TO.

  • If your Exim ACLs require AUTH plus a From that matches the authenticated user, this raw telnet test will be blocked earlier (no AUTH), which is good. To specifically verify authenticated-spoof blocking, use the SWAKS spoof test in Section 2.

Tip: You can also use TLS for manual testing:

openssl s_client -connect your-server-hostname:25 -starttls smtp -crlf
EHLO test
... (proceed as above)

Using the hostname that matches your TLS certificate avoids host-verification warnings.


Install SWAKS if Not Available

Choose your OS family and run one of the following:

RHEL / AlmaLinux / Rocky 8-9

dnf install -y swaks
# Not found? Enable EPEL, then retry:
dnf install -y epel-release && dnf install -y swaks

CentOS 7

yum install -y epel-release && yum install -y swaks

Debian / Ubuntu

apt update && apt install -y swaks

Fallback (CPAN)

cpan -i App::swaks

Verify install

swaks --version

Reminder: The telnet test checks open-relay/basic acceptance. The SWAKS spoof test proves your authenticated From = Auth ACL is working (the gold-standard anti-spoof check).


Troubleshooting

Symptom: Users see "Your FROM address must match your authenticated user"
Fix: Their mail client's From must be the same mailbox they authenticated with.

Symptom: Legit forwarders break
Fix: Keep forwarding, but rely on SRS or encourage the sender to use the right domain; DMARC-aligned forwarding requires ARC/SRS on receiving systems.

Symptom: PHP apps fail to send
Fix: Use SMTP with authentication in app config (PHPMailer/SwiftMailer), not bare mail().

Rollback (temp): Comment out the deny blocks in custom_begin_* and Save. Re-enable after the audit.

