@Jerry@hear-me.social Personally, I also add this as a wildcard for the domain. Not sure if it's really required, but better safe than sorry. Due to a standardized function I built for myself in my #dnscontrol files, it's no additional work.
Cybersecurity
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
@Jerry@hear-me.social
While you are securing your domain, 3 more good ideas:
- Enable DNSSEC. This will sign the DNS query responses to help ensure your DKIM and TLSA can be trusted.
- Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.
- Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the "mta-sts.@" subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).
@Ruaphoc@mstdn.games
Thanks for this! This is on my list to look at this weekend. Thank you!
@Jerry@hear-me.social This is especially true if you defensively registered a bunch of lookalike domains.
@Jerry@hear-me.social How in practice can I do this for my site if dynu.com does the dns, and not a dns server I control?
@adingbatponder@fosstodon.org
Can you open a support ticket for help? Or, maybe, they've already done it for you. You can check at and pick dns summary from the dropdown.
If you see the spf, dkim, and dmarc records, then you're all set.
@Jerry@hear-me.social Nitpick: the SPF record is not named "@", it just needs to be at the apex of the zone. "@" is often a shorthand for the apex in zone files, but doesn't really exist as such in DNS queries and answers. Also, if you want to fully protect your domain, you can have a null MX record (RFC 7505) and, for matters other than email but still important, a null CAA record to prevent any rogue certificates being issued for it.
Very good tip! Thank you.
@Jerry@hear-me.social would adding those txt records cause any issue to a wildcard redirect I use for myself?
I have xxxxx.com and an auto redirect by my dns provider so that anything sent to name@xxxxx.com is forwarded to name@gmail.com so when I give out the address I can see if it's been shared.
I like the idea of protecting against unauthorized use but wouldn't want to lose my throwaway capability.
I find email servers to be akin to dark arts so am at a loss here tbh.
@b3lt3r@mastodon.b3lt3r.com I'm far from an expert, but if your redirect is at the server, and your server adds a ".forward" to the email, and does not alter anything, you should be fine because your SPF and DKIM should pass.
If your redirect is via an email client, or the server doesn't add a .forward, it may alter the email slightly, but in a way sufficient for DKIM to fail because the hash won't match any longer. But, I think in this case, if SPF passes, your email client would still accept it since the original DKIM passed before the forwarding.
It gets really complicated. Suggest you try it.
And this is based on my understanding, which, who knows?
@Jerry@hear-me.social ok - I'll try it on a less critical domain first, thank you.
I run most of my own services from here to avoid any cloud usage, but the one thing I do not dare to host is email. I can't see that any refinement in configuration/management has happened since the '70s :-)
@Jerry@hear-me.social Last I knew, my roommate who ran a homebrew server was frustrated that they can't run an email server because outgoing email was assumed to be spam anyway. It would be nice if there were an actual way out of this!
@pteryx@dice.camp I set up my own email server on DigitalOcean and instantly got blacklisted by Spamhaus because it was a new domain, and then by another company because the IP address belonged to DigitalOcean.
Most mail servers also flagged it as spam because the domain was less than 60 days old and because it was a .online TLD. For a long time, some of my emails were immediately bounced back or went to spam folders because of all these reasons.
I also believe that every home IP address is automatically blacklisted, which makes it worse for your roommate.
You can eventually overcome it by letting the domain reputation slowly develop and then doing a direct appeal to the blacklist companies. But, it takes a long time.
It's amazing any spam gets delivered.
@Jerry@hear-me.social @pteryx@dice.camp Facebook bans my Selfhosted Server, frustrating.
@Dero_10@mastodon.sdf.org @pteryx@dice.camp
I had that issue a lot when I was running a Linux server in the cloud. It's why I stopped using my own Wireguard VPN server I hosted on Digital Ocean. So many sites would block it.
@Jerry@hear-me.social @pteryx@dice.camp
Some IPs from DigitalOcean or OVH sometimes cause the whole AS to be considered suspicious.
I remember when I had a dedicated server at OVH, I needed a lot of time to gain reputation. Also, maybe the previous user of the IP trashed the reputation.
I also remember later, with a server at another place, that I needed to ban the AS for several weeks to prevent flooding of the log by trivial attacks.
Creating a good reputation needs time. And sometimes you need to fill in a form (for Microsoft) with the IP.
@Jerry@hear-me.social Thanks for sharing! I didn’t even think about this and it’s on my To Do list now. 🫡
@Jerry@hear-me.social also good idea while you’re in there to make sure you don’t have any old records pointing to servers you don’t own anymore.
@Jerry@hear-me.social Saving this for later. I do run email from my personal domain, but adding spf for a little extra insurance is a good idea.
@Jerry@hear-me.social great advice. One question: does this config protect also subdomains?
@esplovago@mastodon.uno
Yep.
If you want to have different rules for subdomains, then the records get much more complicated, but "v=spf1 -all" pertains to the domain and subdomains.
@Jerry@hear-me.social
Thank you!!!
@Jerry@hear-me.social thanks for the advice!
Shouldn't the dmarc record be added, differently to SPF, to the subdomain of "_dmarc"?
@Jerry@hear-me.social I needed to hear this
@Jerry@hear-me.social Interesting. I own two domains (one I plan to use, one I use to connect to things remotely) and maybe I should set this up.
@Jerry@hear-me.social I have this problem! But I also use my domain for sending post notifications via MailPoet. What are my options?
@idoubtit@mstdn.social
Mailpoet is a Wordpress plugin? You should still have appropriate SPF, DKIM, and DMARC records.
If you gave Mailpoet the right to use your email's SMTP server (is this how it works?) then you're fine because it's using your credentials and SPF will pass as the SMTP server is authorized to send email for your credentials.
@Jerry@hear-me.social Yes. It appears that's how it works. Also, I see my host now has a section in Control panel for DMARC stuff.
@Jerry@hear-me.social If needed, here's a DMARC domain checker
@Jerry@hear-me.social I think this is unnecessary for my domain of only numbers that I use with cloudflare tunnels. But will keep it in mind.
@Jerry@hear-me.social Thanks for posting this. I never think about this, but I do have several domains and I need to make sure I have the proper DNS records for the new email security stuff. (I date from the days when all you had to worry about were MX records, but I realize we've moved on from that.)
@Jerry@hear-me.social The M3AAWG provides best practices for parked domains, including the recommendation to implement a wildcard DKIM signature.
*._domainkey.example.com TXT "v=DKIM1; p="
https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf
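The thread recommends a small set of records for a domain that sends no mail: an SPF hard-fail at the apex, a DMARC reject policy at _dmarc, the M3AAWG wildcard DKIM record with an empty key, a null MX (RFC 7505) and a restrictive CAA set. The script below is an added example (not code from any poster or from M3AAWG) that checks a set of DNS answers against that posture. It runs offline against constructed sample zones; `example.test` and the record contents are made up, and a real check would feed it answers from a resolver instead. DMARC's `sp=` tag is checked as well, since it is the tag that sets the policy for subdomains; the null-MX check keys on the exchange being "." (RFC 7505 specifies preference 0).

```python
"""Offline posture check for a 'no email sent from here' domain.
Example code written for this thread; not any poster's or project's code.
The zones below are constructed samples, not real DNS lookups."""

import re

# Constructed sample answers for a correctly locked-down parked domain.
# Keys are (owner name, record type); values are lists of RDATA strings.
SAMPLE_ZONE = {
    ("example.test", "TXT"): ['"v=spf1 -all"'],
    ("_dmarc.example.test", "TXT"): ['"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"'],
    ("*._domainkey.example.test", "TXT"): ['"v=DKIM1; p="'],
    ("example.test", "MX"): ["0 ."],
    ("example.test", "CAA"): ['0 issue ";"', '0 issuewild ";"'],
}

# Constructed sample of a domain that only half-heartedly opted out of mail.
SAMPLE_ZONE_WEAK = {
    ("example.test", "TXT"): ['"v=spf1 ~all"'],
    ("_dmarc.example.test", "TXT"): ['"v=DMARC1; p=none"'],
    ("example.test", "MX"): ["10 mail.example.test."],
}


def lookup(zone, name, rtype):
    """Stand-in for a resolver query: return RDATA strings for name/type."""
    return zone.get((name, rtype), [])


def _txt_value(rdata):
    """Join the quoted character-strings of a TXT answer into one string."""
    return "".join(re.findall(r'"([^"]*)"', rdata)) or rdata


def _tags(txt):
    """Parse a 'k=v; k=v' tag list as used by DMARC and DKIM records."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_no_mail_domain(zone, domain):
    """Return {check name: (passed, detail)} for the posture described above."""
    results = {}

    # SPF: exactly one SPF TXT record at the apex, and it must be 'v=spf1 -all'.
    spf = [_txt_value(r) for r in lookup(zone, domain, "TXT")
           if _txt_value(r).lower().startswith("v=spf1")]
    results["spf"] = (len(spf) == 1 and spf[0].strip().lower() == "v=spf1 -all", spf)

    # DMARC lives at _dmarc.<domain>; p= covers the domain, sp= its subdomains
    # (sp= defaults to p= when absent).
    dmarc = [_tags(_txt_value(r)) for r in lookup(zone, "_dmarc." + domain, "TXT")]
    dmarc_ok = (len(dmarc) == 1
                and dmarc[0].get("v") == "DMARC1"
                and dmarc[0].get("p") == "reject"
                and dmarc[0].get("sp", dmarc[0].get("p")) == "reject")
    results["dmarc"] = (dmarc_ok, dmarc)

    # Wildcard DKIM with an empty p= tag: every selector resolves to a revoked key.
    dkim = [_tags(_txt_value(r)) for r in lookup(zone, "*._domainkey." + domain, "TXT")]
    dkim_ok = len(dkim) == 1 and dkim[0].get("v") == "DKIM1" and dkim[0].get("p", "x") == ""
    results["dkim_wildcard"] = (dkim_ok, dkim)

    # Null MX: a single MX whose exchange is the root name ".".
    mx = lookup(zone, domain, "MX")
    results["null_mx"] = (len(mx) == 1 and mx[0].split()[-1] == ".", mx)

    # CAA: this checker expects the deny-all form, i.e. every issue/issuewild
    # value is ";". A domain that really serves TLS would name its one CA instead.
    caa = lookup(zone, domain, "CAA")
    caa_tags = {}
    for r in caa:
        parts = r.split(None, 2)          # flags, tag, value
        if len(parts) == 3:
            caa_tags.setdefault(parts[1].lower(), []).append(parts[2].strip('"'))
    caa_ok = bool(caa) and "issue" in caa_tags and all(v == [";"] for v in caa_tags.values())
    results["caa"] = (caa_ok, caa)

    return results


def all_pass(results):
    return all(passed for passed, _ in results.values())


if __name__ == "__main__":
    for label, zone in (("locked-down", SAMPLE_ZONE), ("weak", SAMPLE_ZONE_WEAK)):
        print(f"== {label} ==")
        for name, (ok, detail) in check_no_mail_domain(zone, "example.test").items():
            print(f"{name:14} {'PASS' if ok else 'FAIL'}  {detail}")
```

Run as-is it reports every check passing for the first zone and every check failing for the second; to point it at a live domain, replace `lookup` with a resolver call that returns the RDATA strings in the same shape.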
@Jerry@hear-me.social @nopatience@swecyb.com This is a gold nugget of a tip. Partly because it’s timeless. One of us should build a directory page full of #infosectips
@Jerry@hear-me.social thank you for this post!
I've set up email servers using iRedMail and mailcow successfully with dmarc, etc., but this post really tied it all together for me.
now i have some dns to ... improve
@Jerry@hear-me.social cool, thanks bro. I will give it a go.
Right. I should do this.
@Jerry@hear-me.social That's how it's done. Short and clear writeup. Thank you!
@Jerry@hear-me.social Thank you for sharing this. I've had it bookmarked for weeks, but finally sat down and updated all of my domains today. Feels good to have that little task done!
@Jerry@hear-me.social arghh forgot to update the IP address …. 🤬
Good tip
There's an article at gov.uk also covering DKIM and null-records:
@Jerry@hear-me.social
#email
If it helps anyone as an example of a domain w/o email, I have a domain 'hack-char.dev' that has those records configured. Never knew about the null mx, and will put one in today.
As a side note, I've seen someone try to spoof a different domain of mine and for some reason gmail sends a bounce to my domain, without rua set. I was wondering if it was an attempt to get a phish through in a bounce, but I don't see how that would be successful.
@Jerry@hear-me.social wow thanks, this is useful
@Jerry@hear-me.social No-email domains can also set a null MX:
MX 10 "."
@Jerry@hear-me.social Thank you for this
@Jerry@hear-me.social thanks for sharing this. It was boosted into my neck of the woods and I don’t actually know who you are - is there a semi-authoritative place this advice is documented that I can 1) double check, because that seems like a good idea at least in principle with security related stuff like this and 2) pass on to others?
@Jerry@hear-me.social @pluralistic@mamot.fr
@Jerry@hear-me.social helpful