According to Wikipedia, typosquatting “is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser.” The same technique works against email: messages sent from domains that are, or merely look like, your authentic domains can slip past email protections and land in user mailboxes looking legitimate.
To thwart typosquatting you register look-alike domains before the bad guys do, which means you likely own a number of domains that are used for things other than email, or for nothing at all. Here are specific suggestions for using SPF, DKIM, DMARC and a null MX record to protect domains that never send mail.
SPF
Create an SPF TXT record at the zone apex that authorizes no sending hosts at all and ends in a hard fail (-all). With no mechanisms in front of -all, every sending IP fails SPF.
Name: Leave this field empty
Value: v=spf1 -all
DMARC
Create a TXT record at _dmarc under the domain. Set the domain policy (p) and subdomain policy (sp) to reject, so that mail failing authentication is rejected rather than quarantined or merely reported. sp defaults to the value of p when absent, but set it explicitly so nobody can later loosen the apex policy without thinking about subdomains. Set DKIM alignment (adkim) to strict, so that the DKIM signing domain must match the Header From domain exactly; since the domain publishes no usable keys, nothing will align anyway.
Name: _dmarc
Value: v=DMARC1; p=reject; sp=reject; adkim=s
For details of the other tags, see https://tools.ietf.org/html/rfc7489.
DKIM
Publish a DKIM key record with an empty public key. RFC 6376 defines an empty p= tag as a revoked key, so any signature that points at this domain fails verification, and with DMARC set to p=reject the message is rejected. Publish it under a wildcard selector (*._domainkey) so the lookup resolves no matter which selector an attacker names in the signature; check that your DNS provider allows wildcard names.
Name: *._domainkey
Value: v=DKIM1; p=
Null MX Record
A null MX (RFC 7505) is a single MX record with preference 0 and the root label "." as its target. It tells sending servers that the domain accepts no mail, so they fail delivery immediately instead of retrying against the domain's A/AAAA address, and it cuts down on bounce traffic aimed at the domain. Not all DNS providers accept "." as an MX target. If your provider supports it, or you run your own name servers, create one at the zone apex.
Name: Leave this field empty
Value: 0 .
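The four records above are easy to get subtly wrong (a ~all instead of -all, a p=none left over from monitoring, a DKIM record under the wrong selector). The following audit script is an added example, not part of the original post or any vendor tool. It checks a domain's records against the non-sending posture described above and lists the gaps. The zones and domain names are constructed stand-ins for DNS answers so the script runs offline; to audit live domains, replace lookup() with a real resolver.

```python
"""Audit the DNS records of a domain that must never send or receive mail.

Added example (not from the original post). Records are looked up in a
constructed in-memory zone standing in for DNS answers; replace lookup()
with a real resolver (e.g. dnspython) to audit live domains.
"""

# Constructed sample zones with hypothetical domains. Keys are (name, rtype).
GOOD_ZONE = {
    ("example.com", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    ("*._domainkey.example.com", "TXT"): ["v=DKIM1; p="],
    ("example.com", "MX"): ["0 ."],
}

WEAK_ZONE = {
    ("example.net", "TXT"): ["v=spf1 ~all"],                      # soft fail only
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    ("example.net", "MX"): ["10 mail.example.net."],               # a real mail exchanger
}


def tags(record):
    """Parse 'k=v; k2=v2' (DMARC/DKIM tag syntax) into a dict, keeping empty values."""
    out = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def lookup(zone, name, rtype):
    """Stand-in for a DNS query; returns the list of record data strings."""
    return zone.get((name, rtype), [])


def check_spf(zone, domain):
    spf = [r for r in lookup(zone, domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return f"SPF: expected exactly one v=spf1 record, found {len(spf)}"
    if spf[0].strip().lower() != "v=spf1 -all":
        return f"SPF: record should be exactly 'v=spf1 -all', got '{spf[0]}'"
    return None


def check_dmarc(zone, domain):
    recs = [r for r in lookup(zone, "_dmarc." + domain, "TXT")
            if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return f"DMARC: expected exactly one v=DMARC1 record, found {len(recs)}"
    t = tags(recs[0])
    problems = []
    if t.get("p") != "reject":
        problems.append(f"p={t.get('p', 'missing')} (want reject)")
    sp = t.get("sp", t.get("p", "missing"))   # sp defaults to p when absent (RFC 7489)
    if sp != "reject":
        problems.append(f"sp={sp} (want reject)")
    if t.get("adkim", "r") != "s":            # alignment defaults to relaxed
        problems.append(f"adkim={t.get('adkim', 'r')} (want s)")
    return "DMARC: " + ", ".join(problems) if problems else None


def check_dkim(zone, domain):
    recs = lookup(zone, "*._domainkey." + domain, "TXT")
    if not recs:
        return "DKIM: no wildcard selector record (*._domainkey) publishing an empty key"
    t = tags(recs[0])
    if t.get("v") != "DKIM1" or t.get("p") != "":
        return f"DKIM: expected 'v=DKIM1; p=' (revoked/empty key), got '{recs[0]}'"
    return None


def check_mx(zone, domain):
    mx = lookup(zone, domain, "MX")
    if mx == ["0 ."]:
        return None
    # With no MX at all, senders fall back to the A/AAAA record (RFC 5321).
    return f"MX: expected null MX '0 .', got {mx or 'no MX record (falls back to A/AAAA)'}"


def audit(zone, domain):
    """Return the list of gaps for a domain that must not send or receive mail."""
    checks = (check_spf, check_dmarc, check_dkim, check_mx)
    return [msg for msg in (c(zone, domain) for c in checks) if msg]


if __name__ == "__main__":
    for zone, domain in ((GOOD_ZONE, "example.com"), (WEAK_ZONE, "example.net")):
        gaps = audit(zone, domain)
        print(domain, "OK" if not gaps else "\n  " + "\n  ".join(gaps))
```

Run it as-is and example.com passes while example.net reports four gaps. The checks are deliberately strict about exact values (for instance "v=spf1 -all" and nothing else) because a non-sending domain has no legitimate reason for anything looser.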
What next? Your company's ancillary domains are just as recognizable to your users as your main domain and should be guarded with the same care. A phishing message from a typosquatted domain can easily be read as authentic mail from a teammate with a harmless typo in the address. Authentication checks certainly help, but they do not replace awareness training, something I hope to write about in the future.
Email continues to be a huge attack vector; by some reports 91% of cyber attacks start with a phishing email. The ideas above are a starting point for finding gaps in how you have deployed email authentication protocols across all of your domains, not just the ones that send mail.
Did I overlook something? Tips and tricks? Comment, or find me on Twitter.