DMARC

A Few Edits to Your DNS Could Stop Hackers Cold

HELP! A hacker is pretending to be me!

It’s True: A Few Edits to Your DNS Could Stop Hackers Cold!
Picture it: Your very own brand-new business website. From your custom domain name to your personalized business email address. Everything looks perfect.

But looks can be deceiving. Without sufficient DNS protection, your personalized business email may be prone to hacks, scams, and phishing.

The Problem. Let’s say you correspond with clients via your business email account. With unprotected DNS, hackers could start sending emails pretending to be your company. They could ask for money or information while posing as you, and your recipient would have no way of knowing the sender is an impostor. The recipient would get an email from [email protected]. We have seen this happen many times with our new clients, and we are happy to clean up the mess. The solution is simple yet often overlooked: domain protection.

The Solution. DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol built on the existing SPF and DKIM protocols. Like SPF and DKIM, DMARC filters out potential fraud. SPF and DKIM provide a broad sweep; DMARC retrieves and validates specific data on the message’s origin and sender. For the ultimate combo, make sure that SPF, DKIM, & DMARC are all set up!

Here are the valid DMARC and SPF records for FBI CYBER and CISA (Cybersecurity & Infrastructure Security Agency):

nslookup -type=txt _dmarc.fbi.gov
answer:
_dmarc.fbi.gov	text = "v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]; pct=100"

nslookup -type=txt fbi.gov
answer:
fbi.gov	text = "v=spf1 +mx ip4:153.31.0.0/16 -all"

nslookup -type=txt _dmarc.cisa.gov
answer:
_dmarc.cisa.gov	text = "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected], mailto:[email protected]"

nslookup -type=txt cisa.gov
answer:
cisa.gov	text = "v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all"

Notice they are ALL set to reject 100 percent!

Many IT departments get this wrong.
They’re afraid users won’t get their mail; that’s silly because this only rejects FRAUDULENT attempts.
A reject 100 percent record is saying, “reject hackers and unapproved senders from sending email as my domain 100 percent of the time!”

They both also use -all instead of ~all in the SPF record.
-all (Fail): email from servers / IP addresses not listed in the SPF record should be rejected.
~all (SoftFail): email from servers / IP addresses not listed in the SPF record should be accepted but marked.
So the question is: when would you allow evil hackers that don’t have permission to send email as you? -all (NEVER!)
I wouldn’t want a hacker to “soft fail” at spoofing me. #HardFailPlease
Are you beginning to see how A Few Edits to Your DNS Could Stop Hackers Cold?
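
To check your own records against the two settings discussed above (DMARC p=reject at 100 percent, SPF ending in -all), here is an added example that is not part of the original article. It audits TXT record strings you have already looked up with nslookup; the function names are hypothetical, the SPF samples are the fbi.gov and cisa.gov records shown above, and the DMARC strings and the example.com records are constructed for illustration.

```python
def parse_tags(txt):
    """Split a DMARC TXT value into {tag: value}; tag names are lower-cased."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    """Return findings for a DMARC record; [] means p=reject on 100% of mail."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}: spoofed mail is not rejected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy does not cover all failing mail")
    return findings


def audit_spf(txt):
    """Return findings for an SPF record; [] means it ends in a hard fail (-all)."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism: unlisted senders are not failed by this record"]
    term = alls[0]
    qualifier = term[0] if term[0] in "+-~?" else "+"  # a bare "all" means "+all"
    if qualifier != "-":
        return [f"{qualifier}all: unlisted senders are not hard-failed"]
    return []


if __name__ == "__main__":
    # Constructed sample input: paste the quoted text from your own nslookup answers.
    print(audit_dmarc("v=DMARC1; p=reject; pct=100"))
    print(audit_dmarc("v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"))
    print(audit_spf("v=spf1 +mx ip4:153.31.0.0/16 -all"))
    print(audit_spf("v=spf1 include:_spf.example.com ~all"))
```

An empty list means the record matches what the FBI and CISA publish; any finding names the tag to change in your DNS.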

There’s More!

You can test any domain’s record at: https://dmarcguide.globalcyberalliance.org/#/

In addition to fraud detection and prevention, a BIMI record can also validate a company’s official logo in apps like Gmail.
https://bimigroup.org/bimi-generator/

Set up SPF, DKIM, & DMARC!

Your business could have the most beautiful website on the whole World Wide Web. However, if your domain is not adequately protected, the World Wide Web could be looking in on you.
Hackers are always looking for ways to siphon money from people and businesses, and unprotected emails are the easiest and most lucrative path to your money.

In 2019, businesses reported nearly 24,000 email scams, which resulted in $1.7 billion in losses, according to the FBI’s 2019 Internet Crime Report.


We would be happy to help you get your email and DNS records safe; even if you don’t live in Nashville, we can help you do this remotely. Click here to message us directly from your iPhone, or give us a call 615-800-7288
