Email protections you may not be using
Phishing mail sent with a company-owned domain in the From: address is easily taken for authentic mail by users. When a domain publishes no mail protections, a forger can put such mail into mailboxes with little effort. Let’s fix that.
Here are some specific DNS records (SPF, DKIM, DMARC and a null MX) to protect domains you own but that will never send mail. Each of them tells receiving mail servers that nothing legitimate originates from the domain, so forged mail can be rejected instead of delivered.
SPF
Create an SPF record at the zone apex that authorizes no sending hosts: the only term after the version tag is the hard-fail “-all”, so every sender fails the SPF check. Publish it as a TXT record; receivers no longer consult the obsolete SPF record type (RFC 7208).
Type: TXT
Name: @
Value: v=spf1 -all
DMARC
Set the domain policy (p) and the subdomain policy (sp) to reject, so that mail failing authentication is rejected rather than quarantined or delivered. Without sp the p policy already applies to subdomains (sp defaults to p), but an explicit sp=reject keeps subdomains covered if someone later relaxes p.
Set both alignment modes to strict (adkim=s, aspf=s) so the DKIM signing domain and the SPF-checked domain must match the From: header domain exactly, not merely share an organizational domain. fo=1 asks receivers for a failure report whenever any check fails, but it only has an effect if you also publish a ruf= address; rua= is where aggregate reports go, and for a non-sending domain those reports show you who is forging it.
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rua=mailto:dmarc-rua@example.com
Replace dmarc-rua@example.com with a mailbox you read. If that mailbox is in a different domain than the one publishing the record, the receiving domain must publish an authorization record (<your-domain>._report._dmarc.<report-domain> TXT "v=DMARC1"), otherwise receivers discard the reports (RFC 7489, section 7.1). For details of the other tags, please see https://tools.ietf.org/html/rfc7489.
DKIM
Create a DKIM record for the wildcard selector with an empty public key. RFC 6376 defines an empty p= tag as a revoked key, so any DKIM signature that names a selector under this domain fails verification no matter which selector the forger picks. On its own that only fails the signature; it is the DMARC reject policy above that then gets the message rejected. Note that unsigned mail never triggers a DKIM lookup at all, which is why the SPF -all and DMARC records are still required.
Type: TXT
Name: *._domainkey
Value: v=DKIM1; p=
Null MX Record
Not all DNS providers support null MX records (RFC 7505). If your provider supports them, or you run your own name servers, publish a null MX at the zone apex: preference 0 and a target of the DNS root (“.”), which tells senders that the domain accepts no mail at all. A domain with a null MX must have no other MX records.
Type: MX
Name: @ (the zone apex; some provider forms want this field left empty instead)
Priority: 0
Value: .
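The four records above form one record set, and the easiest way to be sure a parked domain actually has all of them is to lint it. As an added example, which is not code from the original post, here is an offline Python lint that checks a zone fragment against that policy. The zone fragments it parses are constructed here to stand in for the answers a real lookup (for instance, dig TXT example.com) would return; the function names, the example.net counter-example and the use of the zone origin as the organizational domain are assumptions of the example, not anything the post states.

```python
# Added example (not the post's code): an offline lint for the record set above.
import re
from typing import Dict, List, Tuple

# Constructed sample: the recommended record set in BIND zone syntax.
GOOD_ZONE = """\
$ORIGIN example.com.
@             IN TXT "v=spf1 -all"
_dmarc        IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rua=mailto:dmarc-rua@example.com"
*._domainkey  IN TXT "v=DKIM1; p="
@             IN MX  0 .
"""

# Constructed counter-example: soft fail, p=none, off-domain reports, no DKIM, a real MX.
WEAK_ZONE = """\
$ORIGIN example.net.
@             IN TXT "v=spf1 ~all"
_dmarc        IN TXT "v=DMARC1; p=none; rua=mailto:reports@some-vendor.example"
@             IN MX  10 mail.example.net.
"""

def parse_zone(zone: str) -> Tuple[str, Dict[Tuple[str, str], List[str]]]:
    """Parse a minimal zone fragment into (origin, {(owner, rrtype): [rdata, ...]})."""
    origin, records = "", {}
    for raw in zone.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype == "TXT":  # join adjacent quoted strings: "ab" "cd" -> abcd
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        records.setdefault((owner, rtype), []).append(rdata)
    return origin, records

def parse_tags(rdata: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' tag list; DMARC and DKIM records share this form."""
    tags = {}
    for part in rdata.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def lint_parked_domain(zone: str) -> List[str]:
    """Return findings; an empty list means the records match the never-sends-mail policy."""
    origin, rec = parse_zone(zone)
    findings: List[str] = []
    # SPF: exactly one v=spf1 record at the apex whose only term is -all.
    spf = [r for r in rec.get(("@", "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected one v=spf1 record at the apex, found {len(spf)}")
    elif spf[0].split()[1:] != ["-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', found {spf[0]!r}")

    # DMARC: reject for the domain and its subdomains, strict alignment, a report address.
    dmarc = rec.get(("_dmarc", "TXT"), [])
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected one _dmarc TXT record, found {len(dmarc)}")
    else:
        t = parse_tags(dmarc[0])
        if t.get("p") != "reject":
            findings.append(f"DMARC: p={t.get('p', '<missing>')}, expected reject")
        if t.get("sp", t.get("p")) != "reject":  # sp defaults to p (RFC 7489)
            findings.append("DMARC: effective subdomain policy is not reject")
        for tag in ("adkim", "aspf"):  # alignment defaults to relaxed when absent
            if t.get(tag, "r") != "s":
                findings.append(f"DMARC: {tag} is relaxed, expected strict ({tag}=s)")
        rua = t.get("rua", "")
        if not rua.startswith("mailto:"):
            findings.append("DMARC: no rua= address, so nobody sees who is spoofing the domain")
        for uri in rua.split(","):
            dest = uri.split("@", 1)[1].split("!", 1)[0].strip() if "@" in uri else origin
            # Simplification: the zone origin stands in for the organizational domain.
            if dest != origin and not dest.endswith("." + origin):
                findings.append(f"DMARC: rua destination {dest} is external; it must publish "
                                f"{origin}._report._dmarc.{dest} TXT 'v=DMARC1' or reports are dropped")

    # DKIM: a wildcard selector record with an empty p= (a revoked key under RFC 6376).
    dkim = rec.get(("*._domainkey", "TXT"), [])
    if not dkim:
        findings.append("DKIM: no *._domainkey record; forged selectors get NXDOMAIN, not a revoked key")
    elif parse_tags(dkim[0]).get("p", "<missing>") != "":
        findings.append(f"DKIM: expected 'v=DKIM1; p=' (empty key), found {dkim[0]!r}")

    # Null MX (RFC 7505): exactly one MX, preference 0, exchange '.', and nothing else.
    mx = rec.get(("@", "MX"), [])
    if mx != ["0 ."]:
        findings.append(f"MX: expected a single null MX '0 .', found {mx}")
    return findings

if __name__ == "__main__":
    for name, zone in (("GOOD_ZONE", GOOD_ZONE), ("WEAK_ZONE", WEAK_ZONE)):
        print(name, lint_parked_domain(zone) or "OK")
```

Run as-is it prints OK for the first zone and one finding per gap for the second. To check a live domain, feed lint_parked_domain the records your resolver returns, written in the same zone-file form. The external-destination check for rua is a simplification: it compares against the zone origin and does not consult the Public Suffix List, so for a domain published under a multi-label suffix it may need adjusting.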
What next? While authentication checks certainly help, they don’t beat general awareness, something I hope to write about in the future.
Email continues to be a huge attack vector. According to some reports, 91% of cyber attacks start with a phishing email. If you’ve identified these gaps in your own email protections, I hope these easy-to-implement changes are helpful.
Did I overlook something? Tips and tricks? Comment, or find me on Twitter.