You might know that anyone can set any address in the "from" field when sending an email. I thought there was nothing I could do about it, but upon looking deeper into it I realized that some of my email settings were wrong, which might allow attackers to send spoofed emails on my behalf.
I did have DMARC setup, but my SPF and DKIM records were invalid.
After looking into it, I realized that there's a lot more to learn about it than I thought, so here's a summary of what I learned.
There are some email security policies that can be set at the DNS level. You can specifically allow only some IP addresses (usually your email server) or domains to send emails on your domain's behalf.
I do think those policies are mostly just a suggestion that tells other email servers and email clients to mark an email as spam or not send it if the authentication checks are failing. That being said, most popular email clients should do a pretty good job of blocking emails that don't respect those policies.
The DMARC, SPF and DKIM policies.
Useful for receiving reports about who is sending emails using your domain name. This also enables you to specify what to do with the emails that are not originating from allowed sources (do nothing, flag them, or reject them).
Here is what DNS record I had added:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org;
- v = Version - should be DMARC1
- p = Policy - can be none, quarantine and reject. Reject is recommended once you know your other policies are setup correctly, so the spoofed email won't be delivered.
- rua = Reporting URI(s) for aggregate data - Where to send reports that mail services generate about who tried to send emails from your domain.
With SPF you can say who is allowed to send emails using your domain name. This is the value I used:
v=spf1 +mx +ip4:123.456.78.19 +include:websitewelcome.com +include:servers.mcsv.net -all
- v = Version - should be spf1
- +mx = Allow emails for all domains mentioned in the MX records of this domain
- +ip4:123.456.78.19 = Allow emails sent from this IP address (this was the address of my mail server, hosted on HostGator)
- +include:websitewelcome.com = Allow emails sent from this domain (it's the mail server domain of HostGator)
- +include:servers.mcsv.net = MailChimp, I use them to send newsletters from email@example.com
- -all = If none of the previous rules are met, deny all other emails.
All those rules are tested left to right, and "+" means allow, "-" means reject and there is also "~" which is like a soft reject (maybe mark as spam or something like that).
Using DKIM all emails sent will be digitally signed using a private key and the DNS record provides a public key to test if the emails are correctly signed. If there is a missmatch, the DKIM policy will fail, and the email won't be sent or marked as spam.
My DKIM record looks something like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...very long key...AB\;
- v = Version - should be DKIM1
- k = Key type - encryption algorithm used
- p = Public key
I got my DKIM TXT record value from Hostgator -> cPanel -> Email Authentication (my email server provider), but I had some issues making it valid as their TXT record had a limited number of characters and showed my public key (p=...) as two distinct strings that I had to manually remove the quotes around and merge (concatenate) them together.
To test if the policies are correct, the tools I found more useful are:
- MXToolBox - Email Deliverability - mxtoolbox.com/deliverability This allows you to test if your DMARC policies are correct
- MailTester - SPF and DKIM Checker - mail-tester.com/spf-dkim-check Quickly test if your SPF and DKIM records are valid strings.
I hope that by fixing my email authentication on my domains it will be a lot less likely for phishing emails to be sent using my domain names.
I hope you found this post useful. I tried to make this as concise as possible and provide examples, as I spent several hours trying to understand all those policies and how to set them up, having a hard time finding a TL:DR; on how to quickly setting up email authentication.