Version 7.0.2 Released (December 2024) — View Changelog!

Prevent others sending emails using your domain name

Yesterday a user contacted me on Twitter saying that she has received a scam email sent from an email address originating from my domain, uxwizz.com.

You might know that anyone can set any address in the "from" field when sending an email. I thought there was nothing I could do about it, but upon looking deeper into it I realized that some of my email settings were wrong, which might allow attackers to send spoofed emails on my behalf.

I did have DMARC setup, but my SPF and DKIM records were invalid.

After looking into it, I realized that there's a lot more to learn about it than I thought, so here's a summary of what I learned.

What should you do? Correctly setup DMARC!

There are some email security policies that can be set at the DNS level. You can specifically allow only some IP addresses (usually your email server) or domains to send emails on your domain's behalf.

I do think those policies are mostly just a suggestion that tells other email servers and email clients to mark an email as spam or not send it if the authentication checks are failing. That being said, most popular email clients should do a pretty good job of blocking emails that don't respect those policies.

Add those email policies to your DNS TXT records

The DMARC, SPF and DKIM policies.


DMARC

Domain-based Message Authentication, Reporting and Conformance

Useful for receiving reports about who is sending emails using your domain name. This also enables you to specify what to do with the emails that are not originating from allowed sources (do nothing, flag them, or reject them).

Here is what DNS record I had added:

TXT record
Name: _dmarc
Value:

v=DMARC1; p=reject; rua=mailto:reports@uxwizz.com;

SPF

Sender Policy Framework

With SPF you can say who is allowed to send emails using your domain name. This is the value I used:

TXT record
Name: @
Value:

v=spf1 +mx +ip4:123.456.78.19 +include:websitewelcome.com +include:servers.mcsv.net -all

All those rules are tested left to right, and "+" means allow, "-" means reject and there is also "~" which is like a soft reject (maybe mark as spam or something like that).


DKIM

DomainKeys Identified Mail

Using DKIM all emails sent will be digitally signed using a private key and the DNS record provides a public key to test if the emails are correctly signed. If there is a missmatch, the DKIM policy will fail, and the email won't be sent or marked as spam.

My DKIM record looks something like this:

TXT record
Name: default._domainkey
Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...very long key...AB\;

I got my DKIM TXT record value from Hostgator -> cPanel -> Email Authentication (my email server provider), but I had some issues making it valid as their TXT record had a limited number of characters and showed my public key (p=...) as two distinct strings that I had to manually remove the quotes around and merge (concatenate) them together.

Some tools that I used

To test if the policies are correct, the tools I found more useful are:

dmarc dkim spf policies

I hope that by fixing my email authentication on my domains it will be a lot less likely for phishing emails to be sent using my domain names.

I hope you found this post useful. I tried to make this as concise as possible and provide examples, as I spent several hours trying to understand all those policies and how to set them up, having a hard time finding a TL:DR; on how to quickly set up email authentication.



Do you want to improve your website?

I am building UXWizz, a self-hosted analytics platform that enables business owners to understand their visitors and improve their websites in a private and affordable way.
Improve your website

You can also send an email at support@uxwizz.com
Your email address will only be used for this inquiry and will not be saved or used for any other marketing purposes.
@