Important reminder, if you own a domain name and don’t use it for sending email.

There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain’s reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.

Just add these two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;

The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.

If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.

UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named “@”, and the dmarc record name should be “_dmarc”.

Here’s what I have for one domain.

One difference that I have is that I’m requesting that email providers email me a weekly aggregated report when they encounter a spoof. gmail and Microsoft send them, but most providers won’t, but since most email goes to Gmail, it’s enlightening when they come.

#cybersecurity #email #DomainSpoofing #EmailSecurity #phishing

  • Pteryx the Puzzle Secretary@dice.camp
    link
    fedilink
    arrow-up
    3
    ·
    10 months ago

    @Jerry@hear-me.social Last I knew, my roommate who ran a homebrew server was frustrated that they can’t run an email server because outgoing email was assumed to be spam anyway. It would be nice if there were an actual way out of this!

    • kitnaht@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      10 months ago

      Anything from a residential IP is going to be marked as spam.

      There is an actual way out of this, and it’s through a reverse tunnel.

    • Jerry on Mastodon@hear-me.socialOP
      link
      fedilink
      arrow-up
      2
      ·
      10 months ago

      @pteryx@dice.camp I set up my own email server on DigitalOcean and instantly got blacklisted by Spamhaus because it was a new domain, and then by another company because the IP address belonged to DigitalOcean.

      Most mail servers also flagged it as spam because the domain was less than 60 days old and because it was a .online TLD. For a long time, some of my emails were immediately bounced back or went to spam folders because of all these reasons.

      I also believe that every home IP address is automatically blacklisted, which makes it worse for your roommate.

      You can eventually overcome it by letting the domain reputation slowly develop and then doing a direct appeal to the blacklist companies. But, it takes a long time.

      It’s amazing any spam gets delivered.

        • Jerry on Mastodon@hear-me.socialOP
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          @Dero_10@mastodon.sdf.org @pteryx@dice.camp
          I had that issue a lot when I was running a Linux server in the cloud. It’s why I stopped using my own Wireguard VPN server I hosted on Digital Ocean. So many sites would block it.

      • LautreG@pouet.chapril.org
        link
        fedilink
        arrow-up
        1
        ·
        10 months ago

        @Jerry@hear-me.social @pteryx@dice.camp
        Some IP from DigitalOcean, or OVH make sometimes that the whole AS is considered suspicious.
        I remember when I had a dedicated server at OVH, I needed many time to gain reputation. Also, may be the previous user for the IP trashed the reputation.
        I also remember later, with a server at other place that I needed to ban the AS for several weeks to prevent flooding in log by trivial attacks.
        Create good reputation need time. And, sometimes you need fill form (for Microsoft) with IP.

      • ikidd@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        10 months ago

        Some of that isn’t quite the case. I run an email server quite successfully on a residential IP, with no valid PTR. And I’ve added recent domains without getting them blocked.

        I’m not sure if the age of my primary domain (20ish?) might translate to google etc trusting any other domains from the same IP and DKIM key perhaps. But I’ve literally never had to dispute a block, ever. From all the horror stories I read, apparently I’m a unicorn.