Contents
HELP! A hacker is pretending to be me!
It’s True: A Few Edits to Your DNS Could Stop Hackers Cold!
Picture it: Your very own brand-new business website. From your custom domain name to your personalized business email address. Everything looks perfect.
The Problem. DNS protection is crucial to prevent email vulnerabilities in businesses.
Protect your domain from hackers who send fraudulent emails pretending to be your company.
The Solution. DMARC
Like SPF and DKIM protocols, DMARC filters out any potential fraud. SPF and DKIM provide a broad sweep; DMARC retrieves and validates specific data on the message’s origin and sender. Make sure that SPF, DKIM, & DMARC are all set up for the ultimate combo!
Here are the valid DMARC records for FBI CYBER and CISA
(CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY):
nslookup -type=txt _dmarc.fbi.gov
answer:
_dmarc.fbi.gov text = "v=DMARC1; p=reject; rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:dmarc-feedback@fbi.gov; pct=100"
nslookup -type=txt fbi.gov
answer:
fbi.gov text = "v=spf1 +mx ip4:153.31.0.0/16 -all"
nslookup -type=txt _dmarc.cisa.gov
answer:
_dmarc.cisa.gov text = "v=DMARC1; p=reject; pct=100; rua=mailto:DMARC@hq.dhs.gov, mailto:reports@dmarc.cyber.dhs.gov"
nslookup -type=txt cisa.gov
answer:
cisa.gov text = "v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all"
Notice they are ALL set to reject 100 percent!
IT departments often get DNS wrong.
An Alternate Opinion from mailhardener.com https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail
To approach this scientifically, let’s consult the RFCs.
rfc7489#section-10.1
Some receiver architectures might implement SPF in advance of any DMARC operations. This means that a “-” prefix on a sender’s SPF mechanism, such as “-all”, could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use “-all” should be aware of this.
Using ~all with DMARC, DKIM, and MTA-STS can ease email flow while staying compliant.
Using the -all instead of ~all in the SPF record. Advanced admins CAN successfully do this.
-all (Fail): Reject emails from servers/IP addresses not in the SPF record. (Hell Yeah!)
~all (SoftFail): Accept emails from servers/IPs not listed in the SPF record but marked as spam.
It is never acceptable to allow unauthorized individuals to send emails as you.
I wouldn’t want a hacker to “soft fail” at spoofing me. #HardFailPlease
Are you beginning to see how A Few Edits to Your DNS Could Stop Hackers Cold?
Here is what Chat GPT 4 said on the matter:
If unsure, some organizations start with a more permissive qualifier like ~all
(soft fail) to monitor for potential issues before moving to the stricter -all
(hard fail).
Here is what Google Bard said on the matter:
Many organizations that prioritize security and have a good understanding of their email-sending infrastructure use the -all
(hard fail) mechanism in their SPF records.
This is because -all
provides the most stringent control, indicating that only the mail servers specified in the SPF record should be allowed to send emails on behalf of the domain, and all others should be rejected.
Here’s a breakdown of some reasons why higher-security domains might choose to use -all
:
Prevent Email Spoofing: A strict SPF policy with -all
can prevent attackers from easily spoofing emails from the domain, thus protecting the organization’s reputation and its users from phishing attacks.
Reputation: A correctly configured SPF record with -all
can improve the domain’s email deliverability, as it signals to receiving mail servers that the domain’s administrators have taken steps to secure their email infrastructure.
Compliance & Regulations: Some industries or regulatory frameworks might require stringent email security practices, and using -all
in the SPF record can be a part of meeting those requirements.
However, the decision to use -all
is not made lightly:
Infrastructure Knowledge: Organizations need a comprehensive understanding of all their legitimate email-sending sources. This includes not just their primary email servers but also any third-party services, marketing platforms, CRM systems, etc., that send email on their behalf.
Maintenance: Keep SPF record up-to-date. Any change in the email-sending infrastructure (like adding a new third-party email sender) requires an update to the SPF record.
Monitoring: To ensure that SPF failures do not result in the rejection of legitimate emails, organizations should actively monitor email delivery reports.
In summary, while many high-security domains use -all
in their SPF records because of the benefits it provides, it requires due diligence in configuration, maintenance, and monitoring. Without these, using -all
could lead to legitimate emails being rejected.
We use dynamic hosted SPF at PowerDmarc.com to keep our record short, monitor delivery problems, and stay under the 10-lookup limit.
There’s More!
You can test any domain’s record at https://dmarcguide.globalcyberalliance.org/#/
We use securitytrails.com to track DNS changes and find the cause of issues like email delivery failure. Frequently, we come across a common issue where the email stops working after the web developer updates the website.
We use powerdmarc.com to have a dynamic SPF record.
Furthermore, we also utilize mailhardener.com with our clients.
In addition to fraud prevention, a BIMI record validates a company’s logo in Gmail.
https://bimigroup.org/bimi-generator/

Setup SPF, DKIM, DMARC, & MTA-STS!
Your business could have the most beautiful website on the whole World Wide Web. If left Unprotected, emails are a prime target for hackers to steal money.
In 2019, 24,000 email scams cost businesses $1.7 billion, per FBI’s 2019 Internet Crime Report.
Subscribe to Blog via Email
Enter your email address to subscribe to this blog and receive notifications of new posts by email.
Wonder why “null” images replace your logo in Mac Mail and iOS email signatures? See our article: How to get rid of those missing image errors “null” in Mac Mail and iOS email signatures
We can help you secure your email and DNS records remotely. Contact us from your iPhone by clicking the link or call 615-800-7288.
How to Contact Mac Help using the Messages AppMoreover, it’s silly to fear that users won’t receive their email because this only blocks fraudulent messages.