A Few Edits to Your DNS Could Stop Hackers Cold

Home » Blog » A Few Edits to Your DNS Could Stop Hackers Cold
DMARC

A Few Edits to Your DNS Could Stop Hackers Cold

Leave a Comment / Apple & security / By

Contents

HELP! A hacker is pretending to be me!

It’s True: A Few Edits to Your DNS Could Stop Hackers Cold!
Picture it: Your very own brand-new business website. From your custom domain name to your personalized business email address. Everything looks perfect.

But looks can be deceiving. Without sufficient DNS protection, your personalized business email may be prone to hacks, scams, and phishing.

The Problem. Let’s say you correspond with clients via your business email account. With unprotected DNS, hackers could start sending emails pretending to be your company. They could ask for money or information while posing as you, meanwhile your recipient has no way of knowing it is an imposter. The recipient would get an email from [email protected] We have seen this happen many times with our new clients, and we are happy to clean up the mess. The solution is simple yet often overlooked: domain protection.

The Solution. DMARC, or Domain-based Message Authentication Reporting & Conformance, is an email authentication protocol built on existing SPF and DKIM protocols. Like SPF and DKIM protocols, DMARC filters out any potential fraud. SPF and DKIM provide a broad sweep; DMARC retrieves and validates specific data on the message’s origin and sender. For the ultimate combo, make sure that SPF, DKIM, & DMARC are all set up!

Here are the valid DMARC records for FBI CYBER and CISA
(CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY):

nslookup -type=txt _dmarc.fbi.gov
answer:
_dmarc.fbi.gov	text = "v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]; pct=100"

nslookup -type=txt fbi.gov
answer:
fbi.gov	text = "v=spf1 +mx ip4:153.31.0.0/16 -all"

nslookup -type=txt _dmarc.cisa.gov
answer:
_dmarc.cisa.gov	text = "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected], mailto:[email protected]"

nslookup -type=txt cisa.gov
answer:
cisa.gov	text = "v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all"

Notice they are ALL set to reject 100 percent!

Many IT departments get this wrong.
They’re afraid users won’t get their mail; that’s silly because this only rejects FRAUDULENT attempts.
A reject 100 percent record says, “reject hackers and unapproved senders from sending email as my domain 100 percent of the time!”

New Information from mailhardener.com https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail

They both also use the -all instead of ~all in the SPF record.
-all (Fail): email from servers / IP addresses, not listed in the SPF record, should be rejected.
~all (SoftFail): emails from servers / IP addresses, not listed in the SPF record, should be accepted but marked.
SO the question is: when would you allow evil hackers that don’t have permission to send email as you? -all (NEVER!)
I wouldn’t want a hacker to “soft fail” at spoofing me. #HardFailPlease
Are you beginning to see how A Few Edits to Your DNS Could Stop Hackers Cold?

There’s More!

You can test any domain’s record at: https://dmarcguide.globalcyberalliance.org/#/

In addition to fraud detection and prevention, a BIMI record can also validate a company’s official logo in Apps like Gmail.
https://bimigroup.org/bimi-generator/

A Few Edits to Your DNS Could Stop Hackers Cold

Setup SPF, DKIM, & DMARC!

Your business could have the most beautiful website on the whole World Wide Web. However, if your domain is not adequately protected, the World Wide Web could be looking in on you.
Hackers are always looking for ways to siphon money from people and businesses, and unprotected emails are the easiest and most lucrative path to your money.

In 2019, businesses reported nearly 24,000 email scams, which resulted in $1.7 Billion in losses, according to the FBI’s 2019 Internet Crime Report.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Have you ever wondered why missing images that say “null” appear where your nice logo used be in Mac Mail and iOS email signatures?
check out our article: How to get rid of those missing image errors “null” in Mac Mail and iOS email signatures

We would be happy to help you get your email and DNS records safe; even if you don’t live in Nashville, we can help you do this remotely. Click here to message us directly from your iPhone, or give us a call 615-800-7288

How to Contact Mac Help using the Messages App

Leave a Comment

Your email address will not be published. Required fields are marked *

Your tech problems are about to disappear.

Stay Connected

© Mac Help Nashville, Inc.

© ALL RIGHTS RESERVED. Mac Help Nashville, Inc. is an independent service organization and has not been authorized, sponsored, or otherwise approved by Apple Inc.
The word “Mac” is a registered trademark of Apple Inc.

× Parent Corporation for Network Ninjas Nashville This website is owned and operated by Mac Help Nashville, Inc. All invoicing & scheduling are managed by (and customer reviews originate from) Mac Help Nashville, Inc. A registered corporation in the state of TN, DBA "Network Ninjas Nashville." Network Ninjas Nashville and www.networkninjasnashville.com is a wholly owned subsidiary of Mac Help Nashville, Inc.