this post was submitted on 15 Dec 2024
356 points (100.0% liked)

Cybersecurity

Important reminder, if you own a domain name and don't use it for sending email.

There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain's reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.

Just add these two TXT records to the DNS for your domain:
@       TXT  v=spf1 -all
_dmarc  TXT  v=DMARC1; p=reject;

The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.

If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.

UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named "@", and the dmarc record name should be "_dmarc".

Here's what I have for one domain.

One difference that I have is that I'm requesting that email providers email me a weekly aggregated report when they encounter a spoof. Gmail and Microsoft send them, but most providers won't; since most email goes to Gmail, though, it's enlightening when they come.

#cybersecurity #email #DomainSpoofing #EmailSecurity #phishing
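The records above are easy to get slightly wrong (a `~all` instead of `-all`, `p=none` left over from testing, a DMARC record published at `@` instead of `_dmarc`), so a small checker is useful. The following is an added example, not code from the original post: it evaluates SPF, DMARC and MX data for a domain against the posture the post recommends and, going a little beyond the post, also checks for the null MX record (RFC 7505) and the empty wildcard DKIM key (RFC 6376, section 3.6.1) that the gov.uk guidance linked in the comments recommends for domains that never send mail. The zone data, the domain `example.test` and the `lookup()` stand-in are all constructed; replace `lookup()` with real DNS queries (for example via dnspython) to audit a live zone.

```python
"""Check a domain's SPF / DMARC / MX / DKIM records against the posture the post recommends.

Added example, not code from the original post. It runs against a constructed
in-memory record set so it works offline; replace lookup() with real DNS
queries (e.g. dnspython) to audit a live zone.
"""

# Constructed records for a domain that sends no email. "@" and "_dmarc" are the
# record names the post's UPDATE calls for; the null MX (RFC 7505) and the empty
# wildcard DKIM key (RFC 6376 s.3.6.1) follow the gov.uk guidance linked in the comments.
NON_SENDING_ZONE = {
    ("example.test", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.test", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s;"
    ],
    ("example.test", "MX"): ["0 ."],
    ("*._domainkey.example.test", "TXT"): ["v=DKIM1; p="],
}

# Constructed records showing the weak settings a checker should flag.
WEAK_ZONE = {
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailer.example.test ~all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none;"],
    ("example.test", "MX"): ["10 mail.example.test."],
}


def lookup(zone, name, rtype):
    """Stand-in for a DNS query: return the record data strings for (name, type)."""
    return zone.get((name, rtype), [])


def parse_spf(txt_records):
    """Return the SPF terms after 'v=spf1', or None if the record is absent or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208 s.4.5: zero or more than one SPF record is a permerror
        return None
    return spf[0].split()[1:]


def parse_dmarc(txt_records):
    """Return DMARC tags as a lower-cased dict, or None if absent or duplicated."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(zone, domain, sends_mail):
    """Return a list of findings; an empty list means the zone matches the recommended posture."""
    findings = []

    terms = parse_spf(lookup(zone, domain, "TXT"))
    if terms is None:
        findings.append("SPF: missing or duplicated record at @")
    else:
        terminal = terms[-1] if terms else "(none)"
        if terminal != "-all":
            findings.append(f"SPF: terminal mechanism is '{terminal}', want '-all'")
        if sends_mail and terms == ["-all"]:
            findings.append("SPF: domain sends mail but authorizes no sender")

    dmarc = parse_dmarc(lookup(zone, f"_dmarc.{domain}", "TXT"))
    if dmarc is None:
        findings.append("DMARC: missing or duplicated record at _dmarc")
    else:
        if dmarc.get("p") != "reject":
            findings.append(f"DMARC: p={dmarc.get('p', '(none)')}, want p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
        for tag in ("adkim", "aspf"):
            if dmarc.get(tag, "r") != "s":  # alignment defaults to relaxed
                findings.append(f"DMARC: {tag} is relaxed, consider {tag}=s")

    if not sends_mail:
        if lookup(zone, domain, "MX") != ["0 ."]:
            findings.append("MX: non-sending domain has no null MX (RFC 7505)")
        if lookup(zone, f"*._domainkey.{domain}", "TXT") != ["v=DKIM1; p="]:
            findings.append("DKIM: non-sending domain has no empty wildcard key (v=DKIM1; p=)")

    return findings


if __name__ == "__main__":
    for label, zone in (("non-sending", NON_SENDING_ZONE), ("weak", WEAK_ZONE)):
        print(label, evaluate(zone, "example.test", sends_mail=False) or ["OK"])
```

The `sends_mail` flag matters: a null MX and an `-all`-only SPF are exactly right for a parked domain and exactly wrong for one that delivers mail, so the same checker reports different findings depending on what the domain is for.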

24 comments
[–] zhhz@mastodon.social 1 points 3 months ago

@Jerry@hear-me.social People using iCloud Custom Email, please add the _dmarc record (consider "v=DMARC1; p=reject; adkim=s; aspf=s;"), because Apple doesn’t add it for you automatically or include this in its guide, and I just realized my email address has been used for spam.

[–] scottwilson@infosec.exchange 1 points 4 months ago

@Jerry@hear-me.social Thanks for sharing! I didn’t even think about this and it’s on my To Do list now. 🫡

[–] MacBalance@mstdn.games 1 points 4 months ago

@Jerry@hear-me.social @pluralistic@mamot.fr

[–] RobynNuthall@mastodon.nz 1 points 4 months ago

@Jerry@hear-me.social

Thank you!!!

[–] pasmac@atmasto.com 1 points 4 months ago

@Jerry@hear-me.social arghh forgot to update the IP address …. 🤬
Good tip

[–] cybeardjm@masto.ai 1 points 4 months ago

@Jerry@hear-me.social If needed, here's a DMARC domain checker https://dmarcian.com/domain-checker/

[–] antondollmaier@mastodon.social 1 points 4 months ago

@Jerry@hear-me.social thanks for the advice!
Shouldn't the dmarc record be added, differently to SPF, to the subdomain of "_dmarc"?

[–] jack@social.jacklinke.com 1 points 3 months ago

@Jerry@hear-me.social Thank you for sharing this. I've had it bookmarked for weeks, but finally sat down and updated all of my domains today. Feels good to have that little task done!

[–] biggestsonicfan@digipres.club 1 points 4 months ago

@Jerry@hear-me.social Interesting. I own two domains (one I plan to use, one I use to connect to things remotely) and maybe I should set this up.

[–] beepcheck@fosstodon.org 1 points 4 months ago

@Jerry@hear-me.social thank you for this post!

I've set up email servers using iRedMail and mailcow successfully with dmarc, etc., but this post really tied it all together for me.

Now I have some DNS to ... improve

[–] bogdanbiv@mastodon.social 1 points 4 months ago

@Jerry@hear-me.social I needed to hear this

[–] simrob@social.wub.site 1 points 4 months ago

@Jerry@hear-me.social thanks for sharing this. It was boosted into my neck of the woods and I don’t actually know who you are - is there a semi-authoritative place this advice is documented that I can 1) double check, because that seems like a good idea at least in principle with security related stuff like this and 2) pass on to others?

[–] troy@opencoaster.net 1 points 4 months ago

@Jerry@hear-me.social also good idea while you’re in there to make sure you don’t have any old records pointing to servers you don’t own anymore.

[–] Xitnelat@wue.social 1 points 4 months ago

There's an article at gov.uk also covering DKIM and null-records:
https://www.gov.uk/guidance/protect-domains-that-dont-send-email
@Jerry@hear-me.social

[–] shauvikkumar@mastodon.social 1 points 4 months ago

@Jerry@hear-me.social helpful

[–] Char@noc.social 1 points 4 months ago

@Jerry@hear-me.social
#email
If it helps anyone as an example of a domain w/o email, I have a domain 'hack-char.dev' that has those records configured. Never knew about the null mx, and will put one in today.

As a side note, I've seen someone try to spoof a different domain of mine and for some reason gmail sends a bounce to my domain, without rua set. I was wondering if it was an attempt to get a phish through in a bounce, but I don't see how that would be successful.
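The `rua` tag mentioned in the comment above is the address to which receivers send DMARC aggregate reports, the weekly summaries the original post describes getting from Gmail and Microsoft. The following is an added example, not code from the post or from any commenter: it parses one such report in the RFC 7489 Appendix C XML layout and totals messages by disposition, listing the sources that failed both aligned checks. The report content, the reporter name `example-receiver.test`, the domain `example.test` and the IP addresses (RFC 5737 documentation ranges) are all constructed; real reports arrive as zip or gzip attachments and must be decompressed first.

```python
"""Summarise a DMARC aggregate report of the kind a rua= address receives.

Added example, not code from the original post. The report below is a
constructed sample in the RFC 7489 Appendix C layout; real reports arrive as
zip/gzip attachments from the receiver named in report_metadata.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one spoofing source rejected outright, one legitimate
# source passing both checks. Addresses are from RFC 5737 documentation ranges.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1734220800</begin><end>1734307200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain><adkim>s</adkim><aspf>s</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>42</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>example.test</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>example.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise(report_xml):
    """Return totals by disposition and the sources that failed both aligned SPF and DKIM."""
    # Reports come from arbitrary third parties: in production parse with defusedxml
    # (same fromstring() API) so a hostile report cannot abuse entity expansion.
    root = ET.fromstring(report_xml)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "messages": 0,
        "by_disposition": Counter(),
        "failing_sources": Counter(),
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        summary["messages"] += count
        summary["by_disposition"][row.findtext("policy_evaluated/disposition")] += count
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":  # neither aligned check passed: DMARC failure
            summary["failing_sources"][row.findtext("source_ip")] += count
    return summary


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['reporter']} saw {s['messages']} messages for {s['domain']} (p={s['policy']})")
    for ip, n in s["failing_sources"].most_common():
        print(f"  {n:>5} failing messages from {ip}")
```

The `failing_sources` counter is the part worth watching over time: with `p=reject` published, every message it lists was a spoof that a receiver dropped on your behalf, which is the evidence the post says makes these reports enlightening.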

[–] sgsax@mastodon.social 1 points 4 months ago

@Jerry@hear-me.social Saving this for later. I do run email from my personal domain, but adding spf for a little extra insurance is a good idea.
