Email protections work, but are you using them on all your domains?

According to Wikipedia, typosquatting “is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser.” The same technique can be used to bypass email protections and get malicious mail into mailboxes, sent from domains that are, or appear to be, authentic.

To thwart typosquatting you acquire look-alike domains before the bad guys do, and you likely also own domains that are used for things other than email. Here are some specific suggestions, using SPF, DKIM, and DMARC, to protect your domains that never send mail.

SPF

Create a record at the zone apex that does not authorize any sending hosts, and set it to hard fail (-all).

Type: TXT

Name: @

Value: v=spf1 -all

DMARC

Set the domain policy (p) and subdomain policy (sp) to reject, so that emails that fail authentication checks are rejected. DKIM alignment (adkim) is set to strict, so that the DKIM signing domain and the Header From domain must match exactly; aspf=s applies the same strict alignment to SPF.

Type: TXT

Name: _dmarc

Value: "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@example.com"

For details of the other values, please see https://tools.ietf.org/html/rfc7489.

DKIM

Create an empty DKIM record. The empty value of (p) tells receivers there are no valid public keys for the domain, so any email claiming to be from this domain should be rejected.

Type: TXT

Name: *._domainkey

Value: v=DKIM1; p=

Null MX Record

Not all DNS providers support null MX records. If your provider supports them, or you run your own name servers, create a null MX record (RFC 7505).

Type: MX

Name: leave this field empty (the record applies to the zone apex)

Priority: 0

Value: .
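The four records above, checked from the defender's side: an added Python audit (not from the original post) that takes record values as `dig +short <name> <type>` prints them and reports where a parked domain deviates from the recommended settings. The sample records and the example domain are constructed.

```python
# Added audit for a never-sends-mail domain: each checker takes the record values as
# `dig +short <name> <type>` prints them and returns findings ([] == matches the post).

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' (DKIM uses the same tag=value syntax) into a dict."""
    pairs = [p.split("=", 1) for p in record.strip('"').split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(apex_txt):
    """Zone apex TXT: exactly one SPF record, and it must read 'v=spf1 -all'."""
    spf = [r.strip('"') for r in apex_txt if r.strip('"').lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record at the apex, found {len(spf)}"]
    if spf[0].split()[1:] != ["-all"]:
        return [f"SPF still authorizes senders or is not hard fail: {spf[0]!r}"]
    return []

def check_dmarc(dmarc_txt):
    """_dmarc TXT: p=reject, sp=reject, adkim=s, aspf=s (RFC 7489 defaults applied)."""
    recs = [r for r in dmarc_txt if r.strip('"').upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record"]
    tags = parse_tags(recs[0])
    p = tags.get("p", "<absent>")          # sp inherits p; alignment defaults to relaxed
    got = {"p": p, "sp": tags.get("sp", p),
           "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}
    want = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}
    return [f"DMARC {k}={got[k]} (expected {want[k]})" for k in want if got[k] != want[k]]

def check_dkim(domainkey_txt):
    """*._domainkey TXT: a v=DKIM1 record whose p= is empty (revoked key, RFC 6376)."""
    recs = [r.strip('"') for r in domainkey_txt if "v=dkim1" in r.lower()]
    if not recs:
        return ["no wildcard DKIM record (a missing selector is 'no key', not 'revoked')"]
    if parse_tags(recs[0]).get("p") != "":
        return [f"DKIM record publishes a key instead of an empty p=: {recs[0]!r}"]
    return []

def check_null_mx(mx):
    """MX: a single '0 .' record, the RFC 7505 null MX."""
    return [] if [r.split() for r in mx] == [["0", "."]] else [f"MX is not a null MX: {mx!r}"]

def audit(records):
    return (check_spf(records["apex_txt"]) + check_dmarc(records["dmarc_txt"])
            + check_dkim(records["domainkey_txt"]) + check_null_mx(records["mx"]))

# Constructed sample: the post's recommended records for a parked example domain.
PARKED = {"apex_txt": ['"v=spf1 -all"'], "domainkey_txt": ['"v=DKIM1; p="'], "mx": ["0 ."],
          "dmarc_txt": ['"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@example.com"']}
```

`audit(PARKED)` returns an empty list; feed it the output of `dig +short` for each of the four names and any non-empty finding is a gap to fix.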

What next? Your company's ancillary domains are very recognizable to your users and should be guarded with as much caution as your main domain. Phishing from typosquatted domains could be interpreted by users as authentic mail from teammates that merely contains harmless typos. While authentication checks certainly help, they don't replace awareness training, something I hope to write about in the future.

Email continues to be a huge attack vector; according to some reports, 91% of cyber attacks start with a phishing email. In this article, I hope to present a couple of ideas for identifying gaps in the deployment of email authentication protocols.

Did I overlook something? Tips and tricks? Comment, or find me on Twitter.
