Prevent others sending emails using your domain name

Yesterday a user contacted me on Twitter saying that she has received a scam email sent from an email address originating from my domain, usertrack.net.

You might know that anyone can set any address in the "from" field when sending an email. I thought there was nothing I could do about it, but upon looking deeper into it I realized that some of my email settings were wrong, which might allow attackers to send spoofed emails on my behalf.

I did have DMARC setup, but my SPF and DKIM records were invalid.

After looking into it, I realized that there's a lot more to learn about it than I thought, so here's a summary of what I learned.

What should you do? Correctly setup DMARC!

There are some email security policies that can be set at the DNS level. You can specifically allow only some IP addresses (usually your email server) or domains to send emails on your domain's behalf.

I do think those policies are mostly just a suggestion that tells other email servers and email clients to mark an email as spam or not send it if the authentication checks are failing. That being said, most popular email clients should do a pretty good job of blocking emails that don't respect those policies.

Add those email policies to your DNS TXT records

The DMARC, SPF and DKIM policies.

DMARC

Domain-based Message Authentication, Reporting and Conformance

Useful for receiving reports about who is sending emails using your domain name. This also enables you to specify what to do with the emails that are not originating from allowed sources (do nothing, flag them, or reject them).

Here is what DNS record I had added:

TXT record

Name: _dmarc

Value:

v=DMARC1; p=reject; rua=mailto:reports@usertrack.net;

• v = Version - should be DMARC1
• p = Policy - can be none, quarantine and reject. Reject is recommended once you know your other policies are setup correctly, so the spoofed email won't be delivered.
• rua = Reporting URI(s) for aggregate data - Where to send reports that mail services generate about who tried to send emails from your domain.

SPF

Sender Policy Framework

With SPF you can say who is allowed to send emails using your domain name. This is the value I used:

TXT record

Name: @

Value:

v=spf1 +mx +ip4:123.456.78.19 +include:websitewelcome.com +include:servers.mcsv.net -all

• v = Version - should be spf1
• +mx = Allow emails for all domains mentioned in the MX records of this domain
• +ip4:123.456.78.19 = Allow emails sent from this IP address (this was the address of my mail server, hosted on HostGator)
• +include:websitewelcome.com = Allow emails sent from this domain (it's the mail server domain of HostGator)
• +include:servers.mcsv.net = MailChimp, I use them to send newsletters from someemail@usertrack.net
• -all = If none of the previous rules are met, deny all other emails.

All those rules are tested left to right, and "+" means allow, "-" means reject and there is also "~" which is like a soft reject (maybe mark as spam or something like that).

DKIM

DomainKeys Identified Mail

Using DKIM all emails sent will be digitally signed using a private key and the DNS record provides a public key to test if the emails are correctly signed. If there is a missmatch, the DKIM policy will fail, and the email won't be sent or marked as spam.

My DKIM record looks something like this:

TXT record

Name: default._domainkey

Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...very long key...AB\;

• v = Version - should be DKIM1
• k = Key type - encryption algorithm used
• p = Public key

I got my DKIM TXT record value from Hostgator -> cPanel -> Email Authentication (my email server provider), but I had some issues making it valid as their TXT record had a limited number of characters and showed my public key (p=...) as two distinct strings that I had to manually remove the quotes around and merge (concatenate) them together.

Some tools that I used

To test if the policies are correct, the tools I found more useful are:

• MXToolBox - Email Deliverability - mxtoolbox.com/deliverability This allows you to test if your DMARC policies are correct
• MailTester - SPF and DKIM Checker - mail-tester.com/spf-dkim-check Quickly test if your SPF and DKIM records are valid strings.

I hope that by fixing my email authentication on my domains it will be a lot less likely for phishing emails to be sent using my domain names.

I hope you found this post useful. I tried to make this as concise as possible and provide examples, as I spent several hours trying to understand all those policies and how to set them up, having a hard time finding a TL:DR; on how to quickly setting up email authentication.