
Preventing email spoofing

Been getting a bunch of targeted phishing emails recently. They’re pretending to be my domain registrar, saying that payment is overdue and they’re going to delete my domain permanently. I’ve received similar things before, but this was one of the more convincing and aggressive attempts I’ve seen.

This reminded me about a task on my backlog of TODOs, sorting out my domain’s SPF and DKIM. Both are email authentication methods designed to detect forged sender addresses in emails, a.k.a. email spoofing. SPF + DKIM won’t prevent inbound phishing emails, but they do help prevent my own domain from being spoofed in shady outbound emails.

I’d forgotten to add an SPF record, so I sorted that out. I made sure to add include values for both my email provider and my web host, since the web host is responsible for sending things such as password reset emails from the CMS. Unfortunately, my email host Gandi doesn’t support DKIM. 🙁 So that’s a non-starter.

I’ve been considering switching to Proton though, and happily they offer SPF, DKIM, and DMARC. Maybe I’ll make the switch a bigger priority. Gandi has mentioned that they’re working on implementing DKIM though, so maybe I’ll just check back later this year.

Eventually I’ll look into a DMARC policy, but that’s going to come a little later.

A few links that may be useful:


Edit 21.02.20 – Added link to EasyEngine tutorial b/c I previously was using ?all and received a spoofed email from my domain on another email address I have. *facepalm*
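As an added example (not code from the post), here is a small SPF evaluator that walks a record the way a receiving mail server would, covering both the SPF record with include values described above and the `?all` mistake in the edit: the same record with `?all` returns "neutral" for a spoofer's IP, which gives the receiver nothing to act on, while `-all` returns "fail". The domains, IP addresses and the TXT table standing in for DNS lookups are all constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, RFC 5737 test IPs).
# example-weak.test is the "?all" record the edit mentions; example-fixed.test is
# the same record with a hard-fail "-all".
TXT = {
    "example-weak.test":  "v=spf1 include:mail.example.test include:host.example.test ?all",
    "example-fixed.test": "v=spf1 include:mail.example.test include:host.example.test -all",
    "mail.example.test":  "v=spf1 ip4:192.0.2.0/24 -all",      # email provider's range
    "host.example.test":  "v=spf1 ip4:198.51.100.10 -all",     # web host sending CMS mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return the SPF result for sender_ip against domain's (constructed) record.

    Supports the ip4, include and all mechanisms, which is enough to show how
    the trailing 'all' qualifier decides what happens to an unauthorised sender.
    """
    if depth > 10:                       # RFC 7208 caps DNS-based lookups at 10
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(value, sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term
```

A "neutral" result is treated like no policy at all, which is why a spoofed message from the `?all` domain was delivered; only "fail" (or "softfail" combined with a DMARC policy) gives the receiver grounds to reject it.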