DEV Community

Cristian
Cristian

Posted on • Edited on • Originally published at uxwizz.com

Prevent others sending emails using your domain name

Prevent others sending emails using your domain name

Yesterday a user contacted me on Twitter saying that she has received a scam email sent from an email address originating from my domain, usertrack.net.

You might know that anyone can set any address in the "from" field when sending an email. I thought there was nothing I could do about it, but upon looking deeper into it I realized that some of my email settings were wrong, which might allow attackers to send spoofed emails on my behalf.

I did have DMARC setup, but my SPF and DKIM records were invalid.

After looking into it, I realized that there's a lot more to learn about it than I thought, so here's a summary of what I learned.

What should you do? Correctly setup DMARC!

There are some email security policies that can be set at the DNS level. You can specifically allow only some IP addresses (usually your email server) or domains to send emails on your domain's behalf.

I do think those policies are mostly just a suggestion that tells other email servers and email clients to mark an email as spam or not send it if the authentication checks are failing. That being said, most popular email clients should do a pretty good job of blocking emails that don't respect those policies.

Add those email policies to your DNS TXT records

The DMARC, SPF and DKIM policies.

DMARC

Domain-based Message Authentication, Reporting and Conformance

Useful for receiving reports about who is sending emails using your domain name. This also enables you to specify what to do with the emails that are not originating from allowed sources (do nothing, flag them, or reject them).

Here is what DNS record I had added:

TXT record

Name: _dmarc

Value:

v=DMARC1; p=reject; rua=mailto:reports@usertrack.net;
Enter fullscreen mode Exit fullscreen mode
  • v = Version - should be DMARC1
  • p = Policy - can be none, quarantine and reject. Reject is recommended once you know your other policies are setup correctly, so the spoofed email won't be delivered.
  • rua = Reporting URI(s) for aggregate data - Where to send reports that mail services generate about who tried to send emails from your domain.

SPF

Sender Policy Framework

With SPF you can say who is allowed to send emails using your domain name. This is the value I used:

TXT record

Name: @

Value:

v=spf1 +mx +ip4:123.456.78.19 +include:websitewelcome.com +include:servers.mcsv.net -all
Enter fullscreen mode Exit fullscreen mode
  • v = Version - should be spf1
  • +mx = Allow emails for all domains mentioned in the MX records of this domain
  • +ip4:123.456.78.19 = Allow emails sent from this IP address (this was the address of my mail server, hosted on HostGator)
  • +include:websitewelcome.com = Allow emails sent from this domain (it's the mail server domain of HostGator)
  • +include:servers.mcsv.net = MailChimp, I use them to send newsletters from someemail@usertrack.net
  • -all = If none of the previous rules are met, deny all other emails.

All those rules are tested left to right, and "+" means allow, "-" means reject and there is also "~" which is like a soft reject (maybe mark as spam or something like that).

DKIM

DomainKeys Identified Mail

Using DKIM all emails sent will be digitally signed using a private key and the DNS record provides a public key to test if the emails are correctly signed. If there is a missmatch, the DKIM policy will fail, and the email won't be sent or marked as spam.

My DKIM record looks something like this:

TXT record

Name: default._domainkey

Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...very long key...AB\;
Enter fullscreen mode Exit fullscreen mode
  • v = Version - should be DKIM1
  • k = Key type - encryption algorithm used
  • p = Public key

I got my DKIM TXT record value from Hostgator -> cPanel -> Email Authentication (my email server provider), but I had some issues making it valid as their TXT record had a limited number of characters and showed my public key (p=...) as two distinct strings that I had to manually remove the quotes around and merge (concatenate) them together.

Some tools that I used

To test if the policies are correct, the tools I found more useful are:

dmarc dkim spf policies

I hope that by fixing my email authentication on my domains it will be a lot less likely for phishing emails to be sent using my domain names.

I hope you found this post useful. I tried to make this as concise as possible and provide examples, as I spent several hours trying to understand all those policies and how to set them up, having a hard time finding a TL:DR; on how to quickly setting up email authentication.

Top comments (4)

Collapse
 
jankapunkt profile image
Jan Küster

Please more of this on DEV.TO!

Collapse
 
jwanoo profile image
jwanOo • Edited

Great. Where do these configurations get changed?

Collapse
 
xcs profile image
Cristian

Sorry for the (very late) reply, but you change those in your domain's DNS settings, at your domain name registrar. Because all this email security is set for a specific domain name.

Collapse
 
nftcrowdfund profile image
nftcrowdfund

This is awesome, I'd also suggest running a free Email Deliverability Test at mailgenius.com/. It's completely free and no sign-up required.

Here's what we check for each test:

  • SPF: We check to make sure your SPF record is following best practices and setup correctly.

  • DKIM: We check to make sure your email is signed properly with DKIM.

  • DMARC: We check to make sure your DMARC is setup properly and aligned with both SPF and DKIM.

  • Reverse DNS: We check to make sure the sending IP resolves to the HELO FQDN.
    Domain Suffix: We check to make sure you're using a common domain suffix instead of .xyz which would be flagged.

  • Domain/IP/Body Blacklists: We check to make sure your IP, domain or links within your email body aren't on any major blacklists.

  • Domain Age: We check to see how new your domain is. If it's less than 31 days old then you're more likely to be flagged or run into deliverability issues.

  • Broken Links: We check to see if any of the links within your email are broken.

  • Short URLs: We check your email to see if you have any short links. Short links can lead to your email being flagged as spam.

  • Subject Line: We provide feedback on the length/structure of your subject line based on aggregate data.

  • List Unsubscribe Header: We check to see if your email contains a list-unsubscribe header which allows users to easily unsubscribe in one click.

  • HTML Body Best Practices: We scan the HTML of your email to see if anything resembles spam. This can be related to a text-to-image ratio or other factors.