Email Anti-Spoof; SPF, DKIM, DMARC

21st June 2019

We all hate Email Spam which the listed technologies help with but they also prevent something much worse. Imagine you get an email from your boss telling you to transfer money or send him a password. Now what if that wasn’t really your boss? What if anyone could send email that was indistinguishable from your bosses email address? What if i told you that the default setup for email/DNS is to allow this? Its true, DNS and email are very old protocols, from a time when everyone was trusting.

I own the domain increasec.com I don’t want anyone sending spam and making it look like i’m the culprit. That would be a good way to make a lot of people mad at me. So i’m going to take some precautions so make sure only I can send email from anyone@increasec.com.

https://mxtoolbox.com/domain/
this gives you a list of items to fix
after each of the following steps it will show 1 less red item

An MX (Mail eXchange) record tells the internet where to send email for your domain. I use GoDaddy for my DNS and Zoho for my Email but other system will be very similar.
https://www.zoho.com/mail/help/adminconsole/godaddy.html#mx

Since I control the DNS records for increasec.com I can publish a DNS record saying which mail servers are allowed to send email on behalf of increasec.com. Keep this as specific as possible or someone on your wireless network can still send spam.
https://www.zoho.com/mail/help/adminconsole/spf-configuration.html
v=spf1 include:zoho.com -all

DKIM adds a digital signature to email so the receiver can verify it was not changed in transit. DKIM also does not require changing DNS whenever a new Mail server is added, only that the private key be on each mail server.
Starting from Zoho
Click your name in top right
click Control Panel
Zoho may take you through a wizard verifying your SPF record
click Email Authentication in the left column
click DKIM
follow the wizard to generate your DKIM key
then copy/paste it into a DNS TXT record
https://www.zoho.com/mail/help/adminconsole/dkim-configuration.html

Finally a DMARC record tells others what to do when they get unauthorized email from your domain. This is important when you are still in the process of setting up security, or changing DNS or Email servers etc. It also allows others to send stats and reports back to you.
“v=DMARC1; p=none; rua=mailto:me@increasec.com”

https://mxtoolbox.com/DMARCRecordGenerator.aspx?domain=increasec.com
fill in the fields, click generate
create a DNS TXT record with the name _DMARC
paste the string from Value

Test Here https://tools.redsift.com/sift/investigate

Here is a convenient website that can generate a Public/Private keypair and give you the correct text to add to Bind9 dns, or TinyDns etc https://dkimcore.org/tools/keys.html

more detailed description here https://campus.barracuda.com/product/sentinel/doc/78157593/configuring-spf-dkim-and-dmarc/

m$ specific info https://social.technet.microsoft.com/wiki/contents/articles/36796.office-365-enabling-dkim-for-custom-domains.aspx