Recently I’ve faced a problem of email delivery sent from the domain of company I work for. Some emails were rejected by servers or marked as bounced. It appeared that we had two independent issues:
- We used one popular SMTP service for email delivery and a pool of its IPs is shared between many users. Some of those users may use this service with bad intents like spam, so some of shared IPs were blacklisted which is bad for the domain’s rating. Changing subscription plan with dedicated IP solved issue very quickly. Another good alternative is switching to Amazon SES wich is cheaper than subscription plan with dedicated IP.
- Our domain was still vulnerable to phishing attacks via email spoofing even after problem with delivery had been fixed.
The problem is that SMTP protocol doesn’t have any authentication methods. Anyone can use it for sending emails on behalf of your domain by setting desired address in From field:
Hackers can send such emails with links to the sites with design identical to your’s and ask users to enter their password or other personal data.
Such emails can get delivered to Inbox folders. Users will belive them because sender in the From field will be a familiar address.
There are few methods that can help to prevent such attacks when used simultaneously:
Add SPF (Sender Policy Framework) to the TXT record in you DNS zone.
This record must explicitly declare the list of addresses allowed to send email on behalf of the domain.
Most email servers will check this record and if sender’s IP won’t be in the list, appropriate rules will be applied.
Typical record looks like:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
and the most important parts here are include
and all
mechanisms.
In this exapmle we allow Google Apps and Mailchimp to send emails on our behalf.
All IPs and domains must get resolved in less than 12 DNS requests to keep this record valid.
all mechanism has 4 prefixes:
- ”+” Pass
- ”-” Fail
- “~” SoftFail
- ”?” Neutral
which sets filtration rules for emails that didn’t pass SPF check. The best and most secure option is -, it allows sending emails only from allowed sources. ~ is better for debug or the case when full list of IPs/domains is still unknown.
Add DKIM (DomainKeys Identified Mail) record in you DNS zone.
DKIM is also a separate record in DNS zone which returns public key for signing emails. Using this key clients can sign emails and header field called DKIM-Signature is added to the email. This feature allows mail servers to check whether incoming letters were signed properly.
Add DMARC (Domain-based Message Authentication, Reporting & Conformance) policy.
It tells email servers whether they should check SPF and DKIM records and gives them an address for delivery reports.
Possible options are:
- ignore rules and deliver email to inbox
- apply quarantine and send email to the spam
- reject email
Check and validate results
There are a lot of good exapmles of how to set up DMARC policy and a many free services for checking SPF/DKIM records.
Email vulnearability can be checked on https://emkei.cz/ by setting desired email like no-reply@yourdomain.com in From field
and checking whether email get delivered.
DMARC setup example by Google: https://support.google.com/a/answer/2466563?hl=en
Tools for checking SPF/DKIM/DMARC: http://mxtoolbox.com, https://dmarcian.com/spf-survey/.
More about email protection:
https://postmarkapp.com/guides/spf
https://blog.returnpath.com/how-to-explain-spf-in-plain-english/
https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability