Sometimes you may notice a bright red warning message at the top of an incoming email that says, “This email has failed its domain’s authentication requirements. It may be spoofed or improperly forwarded!” This article explains what this message means and what to do when you see it.
Why you may see this warning
ProtonMail alerts users of certain suspicious incoming emails to protect users from spam and phishing attacks. When you see this warning, it means the sender’s email address failed one of the domain validation checks (SPF, DKIM, or DMARC), which attempt to verify the sender.
A failed domain authentication could be an indication that the From field has been forged, a kind of abuse known as email spoofing. Spammers and hackers use spoofing to trick recipients into believing an email is legitimate.
However, domain authentication failure does not always indicate abuse. Sometimes a legitimate email can fail authentication due to improper email forwarding, DNS misconfiguration, or temporary network failures.
What you should do when you see the warning
Incoming emails marked as having failed domain authentication should be treated with extra caution, especially those containing links or attachments.
- Do not click any links or download attachments unless you are certain the email is legitimate.
- If the email is from a business, such as a bank or online service, contact the business to confirm they sent the email.
For further assistance, please contact the ProtonMail Support team.