Preventing email spoofing
Been getting a bunch of targeted phishing emails recently. They’re pretending to be my domain registrar, saying that payment is overdue and they’re going to delete my domain permanently. I’ve received similar things before, but this was one of the more convincing and aggressive attempts I’ve seen.
This reminded me about a task on my backlog of TODOs, sorting out my domain’s SPF and DKIM. Both are email authentication methods designed to detect forged sender addresses in emails, a.k.a. email spoofing. SPF + DKIM won’t prevent inbound phishing emails, but they do help prevent my own domain from being spoofed in shady outbound emails.
I’d forgotten to add an SPF record, so I sorted that out. I made sure to add `include` values for both my email provider and my web host, since the web host is responsible for sending things such as password reset emails from the CMS. Unfortunately, my email host Gandi doesn’t support DKIM. 🙁 So that’s a non-starter.
I’ve been considering switching to Proton though, and happily they offer SPF, DKIM, and DMARC.
Maybe I’ll make the switch a bigger priority.
Eventually I’ll look into a DMARC policy, but that’s going to come a little later.
A few links that may be useful:
- SPF Records, a decent explanation of SPF records from DNSimple. Important: do *not* use `?all` like they demonstrate; see below.
- The SPF Records tutorial from EasyEngine is a good point-by-point explanation of each part of an SPF record. TL;DR, you probably shouldn’t use `?all`; it’s kinda pointless.
- How to explain DKIM in plain English, from the Returnpath blog
- Choosing the right DMARC policy from postmastery
Edit 21.02.20 – Added link to EasyEngine tutorial b/c I was previously using `?all` and received a spoofed email from my domain on another email address I have. *facepalm*
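To make the `?all` point concrete, here is an added example (not code from the original post or from any of the linked tutorials) that evaluates the `ip4`/`include`/`all` subset of an SPF record against an in-memory stand-in for DNS. All hostnames and addresses in it are constructed placeholders, not the post's real records; it shows that with `?all` a sender from an unlisted IP gets a "neutral" result, which receivers treat the same as having no SPF record at all, whereas `~all` and `-all` actually flag it.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so this runs offline.
# The hostnames are hypothetical placeholders, not real SPF records.
DNS_TXT = {
    "example.org": "v=spf1 include:_spf.mailhost.example include:_spf.webhost.example ?all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",   # email provider
    "_spf.webhost.example": "v=spf1 ip4:198.51.100.10 -all",     # web host (CMS mail)
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate the ip4/include/all subset of SPF (RFC 7208 semantics) for
    sender_ip against domain. Returns pass/fail/softfail/neutral/none.
    a, mx, exists and macros are out of scope for this example."""
    if depth > 10:          # RFC 7208 caps DNS-querying terms; guard recursion
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                         # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]        # "all" always matches
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only if the referenced record yields "pass"
            if check_spf(sender_ip, term[8:], dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                       # no "all" term: default is neutral


def compare_all_qualifiers(sender_ip, domain="example.org"):
    """Re-evaluate the same record with ?all, ~all and -all for one sender IP."""
    results = {}
    for q in "?~-":
        dns = dict(DNS_TXT)
        dns[domain] = DNS_TXT[domain].replace("?all", q + "all")
        results[q + "all"] = check_spf(sender_ip, domain, dns)
    return results
```

Running `compare_all_qualifiers("192.0.2.1")` for an IP that is in neither include shows the difference the qualifier makes; the listed provider and web host IPs still pass under every variant.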