I recently noticed that my domain was being spoofed. Spoofing is where an email being sent is manipulated to seem like it is sent from a different domain. Spoofing is typically used for malicious purposes as the sender is misrepresenting the sender of the message. Your domain reputation is extremely important and if your domain is being used as the sending domain then this can be negative for your domain quality (especially if the recipients of the emails mark the messages as spam/junk).
— Gary Eckstein (@ecksteing) October 8, 2017
Because of the way that email sending works, anyone can send a message showing the sender as any other domain. The sending email address doesn’t have to even be a working email address. This ease of misrepresenting the actual sender of email messages is why Mailchimp, Google G Suite and other high quality email sending services ask you to verify your ownership of your sending domain before you may send email messages using a particular domain.
The big issue is that it isn’t obvious if your domain is being used for spoofing; quite simply your domain may be used for phishing, distributing malware and other illegal activity and you would be very unlikely to even know that it is happening. Many readers of this article will have their domains being used by others in spoofing. It is a scary proposition!
How to know if your domain is used for spoofing
While there is no way of stopping malicious people from marking any email address as a sending address, it is possible to identify servers being used to send email messages marked as being from your domain. This is done through adding SPF and DKIM DNS records and then enabling DMARC on your domain. Because these abbreviations can get confusing, here are very short descriptions:
SPF: SPF allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain’s DNS zone, and when someone else’s mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain’s stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.
DKIM: DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such in the author’s From: field.
DMARC: DMARC is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Identify who is sending spam email from your domain
Here are the steps to take in order to know if your domain is being spoofed (and, if so, where the spam email messages are sent from). In addition the steps below will whitelist those servers that you use to send your legitimate email messages.
- Add SPF records to your DNS for those servers you use for sending email messages. I use Google G Suite for everyday messages, Mailchimp for email marketing and Mailgun for transactional sending. I therefore need to add SPF records for these three services.
- Add DKIM records for the services where you added SPF records.
- Sign up for, and activate, the free DMARC reports by Postmark. You’ll need to add a TXT record to your domain specifying the DMARC requirements. The TXT record will look something like the below (Postmark will give you the exact syntax to add):
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; sp=none; aspf=r;
Once you’ve completed the steps above then you’ll receive a report from Postmark once per week. The report will show the domains that have sent email messages purporting to be from your domain. You’ll also see which domain have failed SPF and/or DKIM authentication. The image below shows how I identified that my domain was being spoofed (the number of messages processed is way higher than it should be for my domain and the high proportion of messages that were ‘not aligned’ is telling).
You must look at the report that Postmark provides to you and if the services you use to send messages (i.e. those where you added SPF and DKIM records) fail SPF or DKIM alignment then correct your SPF and DKIM records.
Stop others sending email messages from your domain
The DMARC record that Postmark provides is very good for identifying which servers send emails purporting to be from your domain. The DMARC record however doesn’t instruct servers receiving messages that fail your SPF and DKIM alignment to do anything with the messages. We can amend the DMARC record to quarantine any messages that fail SPF and DKIM alignment (i.e. send those messages directly to the spam/junk folder of the recipient). To quarantine messages that fail alignment amend the TXT record for DMARC then change the TXT record to be like:
v=DMARC1; p=quarantine; pct=100; rua=mailto:email@example.com; sp=quarantine; aspf=r;
Before you instruct messages that fail SPF or DKIM alignment to be quarantined it is important to ensure that messages being legitimately sent from email sending services you use are aligning both SPF and DKIM.
Will this stop my domain being used by spammers?
As noted previously there is no means that we can stop others from maliciously using our domain as the sending domain. Using the instructions above we can instruct receiving email servers that we haven’t authorised any servers except those where we’ve added SPF and DKIM records, to send our email messages. This means that the majority of spoof email messages will be sent directly to the recipients spam/junk folder whilst not damaging your domain quality.
To think that your email address can very easily be used for sending spam is scary. It’s worth following the steps above to protect your domain. Contact me if you need assistance with enabling DMARC for your domain and I’ll provide an estimate cost.