Spoofing defense for Custom domains: SPF, DKIM, DMARC
Due to the open and decentralized nature of SMTP, email spoofing is a common issue. Every mail server connected to the internet can attempt to send an email using your email address and can potentially spoof your identity. When using a custom domain with Mailfence, we recommend that you deploy the following email spoofing defenses.
Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) record tells the recipient which hosts or IP addresses are allowed to send email for your domain. You’ll need to add a DNS record of type ‘TXT’ with the name ‘@’ (if the field is present) via your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider’s help documentation for specific information on adding TXT records.
Please check this KB article for exact steps to validate SPF entry for your domain in your Mailfence account.
Domain Keys Identified Mail (DKIM)
Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies that an email was sent by authorized servers and has not been modified in transit.
Please check this KB article for exact steps to validate DKIM entry for your domain in your Mailfence account.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Having set up SPF and DKIM, the remaining question is what a receiving server should do with an email that fails these checks. This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) comes in: it allows the domain owner to specify what should happen to mail that fails the checks and to receive feedback reports about it.
Through your hosting provider, domain registrar, or DNS provider, you’ll need to add a DNS record of type ‘TXT’ with the name ‘_dmarc’ (which forms a TXT record such as _dmarc.yourdomain.com, depending on what your hosting/domain/DNS provider accepts). We recommend referring to your provider’s help documentation for specific information on adding TXT records.
Please check this KB article for exact steps to validate DMARC entry for your domain in your Mailfence account.
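As an added illustration (not part of the original article or of Mailfence’s own tooling), the script below parses an SPF record and a DMARC record of the kind described above and flags the settings that weaken them: an SPF record without a failing `all` qualifier, a DMARC policy of `p=none`, a missing `rua=` report address, or a partial `pct=`. The sample records, the `spf.mail-provider.example` include and the `dmarc@yourdomain.com` mailbox are constructed values, not real Mailfence DNS entries.

```python
import re
from typing import Dict, List, Optional

# Constructed sample TXT records (not real Mailfence values): the SPF record is
# published at the domain apex ('@'), the DMARC record at _dmarc.yourdomain.com.
SAMPLE_SPF = "v=spf1 include:spf.mail-provider.example ip4:192.0.2.10 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com"

def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'.
    '-' hard fail, '~' soft fail, '?' neutral, '+' (or no 'all') allows anyone."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value' pairs; v=DMARC1 must come first and p= is mandatory."""
    tags: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return tags

def review(spf_record: str, dmarc_record: str) -> List[str]:
    """List the weaknesses a domain owner should fix before relying on DMARC."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    findings: List[str] = []
    if spf["all"] in (None, "+"):
        findings.append("SPF does not end in -all or ~all: unlisted senders are not rejected")
    if dmarc["p"] == "none":
        findings.append("DMARC p=none only monitors: mail failing SPF/DKIM is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: you will get no aggregate reports")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only part of failing mail")
    return findings
```

Run `review(SAMPLE_SPF, SAMPLE_DMARC)` to see the single finding for the sample records (the partial `pct=50`); feed it the TXT values you actually published to check your own domain.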
Side note regarding SPF, DKIM, and DMARC:
- When you modify existing DNS records, the changes may take some time to propagate completely (from a few hours to a few days, depending on the TTL value of the previous records).
- There are several external tools that you can use to further test the SPF (e.g., http://www.kitterman.com/spf/validate.html), DKIM (e.g., http://dkimvalidator.com) or both (e.g., https://www.mail-tester.com).
The ultimate defense against spoofing: Digital signatures
Aside from the spoofing and tampering defenses provided by SPF, DKIM and DMARC, Mailfence gives you the ability to digitally sign your emails with OpenPGP signatures. In our opinion, this is the ultimate defense against spoofing and tampering. You can choose an OpenPGP keypair of your choice and have full control over it. You can also decide at any time which emails you want to sign, or sign all your outgoing emails by default.
If you would like a deeper look, here is an excellent guide on SPF.
Do you have any questions? Feel free to contact our support.
Follow us on Twitter/Reddit and keep yourself posted at all times.
– Mailfence Team
Salman works as an Information Security Analyst for Mailfence. His areas of interest include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem