this post was submitted on 15 Dec 2024
344 points (100.0% liked)

Cybersecurity

75 readers
69 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
 

Important reminder, if you own a domain name and don't use it for sending email.

There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain's reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.

Just add these two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;

The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.

If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.

UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named "@", and the dmarc record name should be "_dmarc".

Here's what I have for one domain.

One difference that I have is that I'm requesting that email providers email me a weekly aggregated report when they encounter a spoof. gmail and Microsoft send them, but most providers won't, but since most email goes to Gmail, it's enlightening when they come.

#cybersecurity #email #DomainSpoofing #EmailSecurity #phishing

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 15 hours ago
[–] SkunkWorkz 2 points 21 hours ago

Yeah I regularly get DMARC reports for domains I’m not using. For ease I just added them as an alias to an Google workspace account I already have and use the DKIM, DMARC etc that Google provides. In case I ever need to send an email with that domain

[–] [email protected] 1 points 1 day ago
[–] [email protected] 5 points 1 day ago (1 children)

@[email protected]

While you are securing your domain, 3 more good ideas:

  1. Enable DNSSEC. This will sign the dns query responses to help ensure your DKIM and TLSA can be trusted.

  2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.

  3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@“ subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).

[–] [email protected] 1 points 1 day ago

@[email protected]
Thanks for this! This is on my list to look at this weekend. Thank you!

[–] [email protected] 41 points 2 days ago

This is overall best practices and overall correct (as in: you should probably do this, and it will never hurt), but realistically any domain that doesn't at least have an SPF record will be already treated as unable to send mail at all by any properly configured receiving server, especially ones that would report you to a blocklist.

This isn't bad advice regardless, just a bit redundant.

[–] [email protected] 2 points 1 day ago (1 children)

@[email protected] If I change my mind and I want to send e-mails from the domain: Can I expect that this will work, if I change the DNS records file again and wait for TTL seconds? Or will this take considerably longer?

[–] [email protected] 1 points 1 day ago

@[email protected]
Hi,

Depending on the ISP, after making the changes, it usually takes up to 15 minutes for the changes to get distributed to all the DNS servers worldwide. It's pretty quick.

[–] Aganim 18 points 2 days ago* (last edited 2 days ago) (2 children)

DMARC record that tells the receiving email server how to handle email that fails either check.

Could be that I misunderstood you, but: It tells what to do if no mechanism (DKIM or SPF) results in a pass. DMARC actually only requires one mechanism to pass. So an email with a DKIM fail, but an SPF pass is considered OK. And vice-versa.

Edit: good advice by the way regarding protecting your domain reputation, I'll check our non-email domains at work first thing tomorrow.

[–] [email protected] 2 points 2 days ago

@Aganim @Jerry Correct. DMARC alignment only requires a single thing to pass. A forwarded email or newsletter might fail SPF but pass DKIM, and that’s acceptable.

#DMARC

[–] [email protected] 1 points 2 days ago (1 children)

@[email protected]
I'm not an expert on this (it's a career), but I know it's not that simple.

If I get an unforwarded email, I definitely want both DKIM and SPF to pass. I want only email from an authorized server, and I want an email that is not modified and is properly signed. No exceptions. Both must pass.

If I get email from a mailing list that is sending email to me on behalf of a different domain, I want SPF to pass in that I want to know that the mailing list provider's server is authorized to send email on behalf of the original domain. But, in this case, the original DKIM will fail because the mailing list provider will have changed the email. But, I expect the new DKIM to be correct, or I won't accept it. So, here, a failure on the original DKIM can be acceptable.

If someone forwards an email to me, the original DKIM will fail. I will accept it. But, I want the SPF of the forwarding server to pass, and the new DKIM for the changed email to pass.

There's also email redirection and forwards that happen at the server vs. the client and there can be separate rules for this.

The records can get complicated if you truly want to control different scenarios.

But, you don't always want to accept an email if only 1 check passes.

At least, this is my understading of it all.

[–] Aganim 2 points 2 days ago* (last edited 2 days ago)

You are of course free to do with email what you want if you run your own email server. It's simply that the DMARC RFC states that only one mechanism has to pass, so if you rely on your server's DMARC implementation you won't get what you want.

Edit: reworded a bit, I made it sound as if only one pass is allowed by DMARC.

[–] [email protected] 4 points 2 days ago

@[email protected] Nitpick: SPF record is not named "@", it just needs to be at apex of zone. @ is often a shorthand to say apex in zonefiles, but doesn't exist as such really in DNS queries and answers. Also, if you want to fully protect your domain, you can have a null MX record (RFC 7505) and for other matters than email, but also still important, a null CAA record to prevent any rogue certificates issued for it.

[–] [email protected] 1 points 1 day ago (1 children)

@[email protected] Can you undo this later without consequence?

[–] [email protected] 1 points 1 day ago (1 children)
[–] [email protected] 1 points 20 hours ago (1 children)

@[email protected] (Just thinking from a cache perspective)

[–] [email protected] 1 points 20 hours ago

@[email protected]
I've never had issues making changes, so I think it wouldn't be an issue. The caches should recognize they need updating.

[–] krelvar 9 points 2 days ago (1 children)

There is nothing admin-wise I hate more than dealing with email security. Fucking google is horrible. At least when Microsoft randomly decides the half dozen family members on my personal domain are bulk email spammers, there's a form to reach out. Google is a piece of shit in this way just like in so many other ways.

[–] [email protected] 3 points 2 days ago* (last edited 2 days ago) (1 children)

Google is much better. They send much less legitimate email to spam than Outlook & Hotmail. They also do have a bulk sender form. https://support.google.com/mail/contact/gmail_bulk_sender_escalation

As well as a "send feedback" option on most pages.

[–] krelvar 2 points 2 days ago

I'll try that link next time they cut off my email for no reason, thanks.

[–] [email protected] 3 points 2 days ago

@[email protected] @[email protected] This is a gold nugget of a tip. Partly because it’s timeless. One of us should build a directory page full of #infosectips

[–] ellypony 2 points 2 days ago

This is such thoughtfully written advice even though I’m not in CSI I’m still going to save it for later. Who knows. Thank you.

[–] [email protected] 1 points 1 day ago

@[email protected] That's how it's done. Short and clear writeup. Thank you!

[–] [email protected] 2 points 2 days ago
[–] [email protected] 2 points 2 days ago

@[email protected] This is especially true if you defensively registered a bunch of lookalike domains.

[–] [email protected] 1 points 2 days ago

Right. I should do this.

[–] [email protected] 3 points 2 days ago

@[email protected] Personally, i also add this as a wildcard for the domain. Not sure if its really required, but better safe than sorry. Due to a standardized function i built for myself in my #dnscontrol files, its no additional work.

[–] [email protected] 2 points 2 days ago (1 children)

@[email protected] would adding those txt records cause any issue to a wildcard redirect I use for myself?

I have xxxxx.com and an auto redirect by my dns provider so that anything sent to [email protected] is forwarded to [email protected] so when I give out the address I can see if it's been shared.

I like the idea of protecting against unauthorized use but wouldn't want to lose my throwaway capability.

I find email servers to be akin to dark arts so am at a loss here tbh.

[–] [email protected] 1 points 2 days ago (1 children)

@[email protected] I'm far from an expert, but if your redirect is at the server, and your server adds a ".forward" to the email, and does not alter anything, you should be fine because your SPF and DKIM should pass.

If your redirect is via an email client, or the server doesn't add a .forward, it may alter the email slightly, but in a way sufficient for DKIM to fail because the hash won't match any longer. But, I think in this case, if SPF passes, your email client would still accept it since the original DKIM passed before the forwarding.

It gets really complicated. Suggest you try it.

And this is based on my understanding, which, who knows?

[–] [email protected] 1 points 2 days ago

@[email protected] ok - I'll try it on a less critical domain first, thank you.

I run most of my own services from here to avoid any cloud usage but the one thing I do not dare to host is email - I can't see any refinement in configuration/management has happened since the '70s :-)

[–] [email protected] 3 points 2 days ago
[–] [email protected] 3 points 2 days ago

@[email protected] No-email domains can also set a null MX:

https://www.rfc-editor.org/rfc/rfc7505.html

MX 10 "."

[–] [email protected] 2 points 2 days ago (1 children)

@[email protected] I have this problem! But I also use my domain for sending post notifications via MailPoet. What are my options?

[–] [email protected] 1 points 2 days ago (1 children)

@[email protected]
Mailpoet is a Wordpress plugin? You should still have appropriate SPF, DKIM, and DMARC records.

If you gave Mailpoet the right to use your email's SMTP server (is this how it works?) then you're fine because it's using your credentials and SPF will pass as the SMTP server is authorized to send email for your credentials.

[–] [email protected] 1 points 1 day ago

@[email protected] Yes. It appears that's how it works. Also, I see my host now has a section in Control panel for DMARC stuff.

[–] [email protected] 2 points 2 days ago

@[email protected] The M3AAWG provides best practices for parked domains, including the recommendation to implement a wildcard DKIM signature.

*._domainkey.example.com TXT “v=DKIM1; p=”

https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

[–] [email protected] 1 points 2 days ago

@[email protected] Interesting. I own two domains (one I plan to use, one I use to connect to things remotely) and maybe I should set this up.

[–] [email protected] 2 points 2 days ago (7 children)

@[email protected] Last I knew, my roommate who ran a homebrew server was frustrated that they can't run an email server because outgoing email was assumed to be spam anyway. It would be nice if there were an actual way out of this!

[–] kitnaht 3 points 2 days ago* (last edited 2 days ago)

Anything from a residential IP is going to be marked as spam.

There is an actual way out of this, and it's through a reverse tunnel.

[–] [email protected] 1 points 2 days ago (1 children)
[–] [email protected] 1 points 2 days ago (1 children)

@amberage @pteryx
Your points, I think, are very valid. And I live with the fear that I will end up with the same fate.

[–] [email protected] 1 points 2 days ago

@[email protected] @[email protected] not my points, just someone else's article that I found quite informative the first and last time I thought "how hard can it be to host my own email?"

load more comments (5 replies)
[–] [email protected] 1 points 2 days ago (1 children)

@[email protected] great advice. One question: does this config protect also subdomains?

[–] [email protected] 1 points 2 days ago

@[email protected]
Yep.

If you want to have different rules for subdomains, then the records get much more complicated. but "v=spf1 -all" pertains to the domain and subdomains.

[–] [email protected] 1 points 2 days ago
[–] [email protected] 1 points 2 days ago
load more comments
view more: next ›