How to protect your parked domains from spoofing

Most organizations today have more than one domain registered. They may have a yourcompany.com domain, but also own similar domains such as the .net or .org versions of the name. Today, these other domains need to be protected from spoofing as well. Domains that do not send email can still be used in email spoofing or phishing attacks. You can protect such a domain by adding SPF, DKIM and DMARC records that explicitly tell receiving mail servers to reject mail claiming to come from it. This makes it significantly more difficult for attackers to exploit the parked domains your organization may have.

A DNS TXT record allows domain administrators to enter text into the Domain Name System (DNS). DNS TXT records are used for processes like email authentication because they can store important information that servers can use to confirm whether or not a domain has authorized an email sender to send messages on its behalf.

Examples of domains that do not send email include domains purchased to protect a brand name or for a current or future business. Legacy domains also have no reason to send email and would benefit from these types of records. See the following example:

example.com   Sends and receives the organization's email
example.net   Does not send mail (protect this domain against spoofing)

SPF

SPF records can be formatted to protect domains against attempted phishing attacks by failing any email that claims to be sent from the domain. To do so, the SPF record must use the following format.

NAME TYPE CONTENT
@ TXT v=spf1 -all

*Note: SPF records are set directly on the domain itself (the @ or apex record), meaning they do not require a special subdomain.

Here is what the individual components of this record mean:

  • v=spf1 lets the receiving server know that the record contains an SPF policy. All SPF records must begin with this component.
  • The -all mechanism tells the receiving server what to do with mail from any sender that is not explicitly listed in the SPF record: fail it.

With this type of SPF record, no IP addresses or domains are authorized, so every sender falls under -all and all mail claiming to come from the domain fails the SPF check and should be rejected.


DKIM

DKIM records protect domains by letting receivers verify that an email was actually authorized by the sending domain, using a public/private key pair. The DKIM record stores the public key, which the receiving server uses to verify the signature the sender added to the message. For domains that do not send email, the DKIM record should be published without a public key, so that no signature can ever validate. Below is an example:

NAME TYPE CONTENT
*._domainkey.yourdomain.com TXT v=DKIM1; p=

  • *._domainkey.yourdomain.com is the specialized name for the DKIM record (where yourdomain.com should be replaced with your domain). In this example the asterisk (the wildcard) stands in for the selector, a value the email service provider normally generates and uses for the domain. The selector is part of the DKIM-Signature header, and the receiving server uses it to perform the DKIM lookup in DNS. The wildcard covers every possible selector value, so any selector named in a forged message resolves to this record.
  • TXT indicates the DNS record type.
  • v=DKIM1 sets the version number and tells the server that this record references a DKIM policy.
  • The p value holds the public key that a signature is verified against. In this record the p value is left empty because there is no signing key to link to; an empty p value tells receivers the key has been revoked, so no DKIM signature for the domain can validate.

DMARC

DMARC policies can also help protect domains that do not send emails by rejecting all emails that fail SPF and DKIM. In this case, all emails sent from a domain not configured to send emails would fail SPF and DKIM checks. Below is an example of how to format a policy this way:

NAME TYPE CONTENT
_dmarc.yourdomain.com TXT v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s

  • The name field ensures that the record is set on the subdomain _dmarc.yourdomain.com, which is required for DMARC policies.

  • TXT indicates the DNS record type.

  • v=DMARC1 tells the server that this DNS record contains a DMARC policy.

  • p=reject indicates that receiving servers should reject emails that fail both the DKIM and SPF checks.

  • sp=reject applies the same reject policy to mail claiming to come from any subdomain of the domain.

  • adkim=s sets the DKIM alignment mode. In this case the alignment mode is set to “s” for strict, meaning the domain in the DKIM signature (the d= tag) must exactly match the domain in the From header of the email. If it does not, DKIM alignment fails.

  • aspf=s serves the same purpose as adkim=s, but for SPF alignment: the domain checked by SPF must exactly match the domain in the From header.
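As an added example (not part of the original post), the following Python script audits whether a domain's SPF, DKIM and DMARC TXT records match the three lock-down records described in the sections above. The DNS answers are constructed inline in SAMPLE_ZONE so it runs offline; replace that dict with real TXT lookups to audit a live domain.

```python
# Audit the DNS TXT records a parked (non-sending) domain should publish.
# Added example: DNS answers come from a constructed dict, not live lookups.
def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2' style TXT content (DKIM/DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain: str, zone: dict) -> list:
    """Return findings for a non-sending domain; an empty list means locked down."""
    findings = []
    # SPF: exactly one record at the apex, and it must be 'v=spf1 -all'
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', got '{spf[0]}'")
    # DKIM: wildcard selector with an empty (revoked) key
    dkim = zone.get(f"*._domainkey.{domain}", [])
    tags = parse_tags(dkim[0]) if dkim else {}
    if tags.get("v") != "DKIM1" or tags.get("p") != "":
        findings.append("DKIM: wildcard selector should publish 'v=DKIM1; p='")
    # DMARC: reject for the domain and its subdomains, strict alignment
    dmarc = zone.get(f"_dmarc.{domain}", [])
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing v=DMARC1 record")
    else:
        if tags.get("p") != "reject":
            findings.append(f"DMARC: p should be reject, got '{tags.get('p')}'")
        if tags.get("sp", tags.get("p")) != "reject":  # sp falls back to p
            findings.append("DMARC: sp should be reject")
        for tag in ("adkim", "aspf"):
            if tags.get(tag, "r") != "s":  # alignment defaults to relaxed
                findings.append(f"DMARC: {tag} should be s (strict)")
    return findings

# Constructed sample zone: example.net is locked down, example.org is not.
SAMPLE_ZONE = {
    "example.net": ["v=spf1 -all"],
    "*._domainkey.example.net": ["v=DKIM1; p="],
    "_dmarc.example.net": ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"],
    "example.org": ["v=spf1 ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    print({d: audit_parked_domain(d, SAMPLE_ZONE) for d in ("example.net", "example.org")})
```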

Clustered Networks

Located in Edmonton, AB Canada, Clustered Networks was incorporated in 2001 and has offered Network / Internet and IT Consulting services for over 30 years. We offer personalized service! Call us today!

#domainspoof #emailsecurity #domainprotection

Posted in Linux Network Admin Tips, Network Security Tips, Tech How To on Mar 29, 2022