I just received spam from myself...

November 5, 2019


You open your inbox to find a message from your own email address to you. Opening the email you find that it is most definitely SPAM. How could this be possible? What can I do about this? And will my email provider actually help me?

How is this possible?
Surprisingly, it is extremely easy to do. Spammers are taking full advantage of this flaw. You can change your password over and over again but most likely that isn’t the problem. They get your email address and then just exploit it in other ways. Password isn’t needed for this type of spam.  This issue seems so basic that you would think email providers and email hosting companies would come up with a better way to block this abuse. Many email programs allow you to input “from addresses” that aren’t even verified as their own account. It can be compared to caller-id spoofing.
There are ways you can attempt to filter some of this incoming to you. But, unless you are a techie or understand terms like SPF and / or DKIM you may wind up making your email unusable.

What can I do about this?
I mentioned above how you can utilize technologies that can either allow your recipients to verify the messages or block all email incoming that isn’t sent from your email servers. SPAM filters, let’s face it, can be very complicated and almost worthless. The spammers are always two steps ahead. Remember when they beat the filter just by adding a subject that sounded like a personal conversation?
The spammers bank on the fact that if you put your filter high enough you will need to add your own email address to the “allow list.” This is the main reason they send from you to you. I think most of us have sent an email to our self to remind us of something. This would be a good time to stop that. The solution becomes a conundrum of sorts. If you don’t allow yourself then you block yourself. Try removing your email address from the allow list and see if you get less of the “you to you” spam mail.
The sad reality here is that there are actually services, apps, and companies that specialize in this sort of fraudulent email sending.

Will my email provider actually help me?
If you absolutely need to have your own email address listed on the allow list you may need to try the various SPF, DKIM, DMARC, ARC, PGP, S/MIME digital signature approach. If you have no clue what any of that means there are companies out there that offer services that can filter, secure, and encrypt your email. Service prices vary.  Your email provider may offer to put your actual IP addresses in the allow list of the servers you use to send email. Not every email provider will offer this as many free email providers use many IP addresses to send email.  DKIM or SPF can be used to block all emails not sent from your providers email servers. May be easier to just pay for a filtering service.

Bottom line...
1) Remove your own email address from the allow list
2) If you own your own domain, you may want to disable the “catch-all” email option
3) Email filtering, if affordable to you, may help but it is not 100%
4) You can report the “server” or mark the source as SPAM but you may be reporting yourself or a spoofed email address.

 If you know how to view the source send the headers to your email provider or you can report it to: