A Few Edits to Your DNS Could Stop Hackers Cold

Home » Blog » A Few Edits to Your DNS Could Stop Hackers Cold
DMARC

A Few Edits to Your DNS Could Stop Hackers Cold

Leave a Comment / Apple & security / By

Contents

HELP! A hacker is pretending to be me!

It’s True: A Few Edits to Your DNS Could Stop Hackers Cold!
Picture it: Your very own brand-new business website. From your custom domain name to your personalized business email address. Everything looks perfect.

The Problem. DNS protection is crucial to prevent email vulnerabilities in businesses.

Protect your domain from hackers who send fraudulent emails pretending to be your company.

The Solution. DMARC

Like SPF and DKIM protocols, DMARC filters out any potential fraud. SPF and DKIM provide a broad sweep; DMARC retrieves and validates specific data on the message’s origin and sender. Make sure that SPF, DKIM, & DMARC are all set up for the ultimate combo!

Here are the valid DMARC records for FBI CYBER and CISA
(CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY):

nslookup -type=txt _dmarc.fbi.gov
answer:
_dmarc.fbi.gov	text = "v=DMARC1; p=reject; rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:dmarc-feedback@fbi.gov; pct=100"

nslookup -type=txt fbi.gov
answer:
fbi.gov	text = "v=spf1 +mx ip4:153.31.0.0/16 -all"

nslookup -type=txt _dmarc.cisa.gov
answer:
_dmarc.cisa.gov	text = "v=DMARC1; p=reject; pct=100; rua=mailto:DMARC@hq.dhs.gov, mailto:reports@dmarc.cyber.dhs.gov"

nslookup -type=txt cisa.gov
answer:
cisa.gov	text = "v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all"

Notice they are ALL set to reject 100 percent!

IT departments often get DNS wrong.

An Alternate Opinion from mailhardener.com https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail

To approach this scientifically, let’s consult the RFCs.

rfc7489#section-10.1
Some receiver architectures might implement SPF in advance of any DMARC operations. This means that a “-” prefix on a sender’s SPF mechanism, such as “-all”, could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use “-all” should be aware of this.

Using ~all with DMARC, DKIM, and MTA-STS can ease email flow while staying compliant.

Using the -all instead of ~all in the SPF record. Advanced admins CAN successfully do this.
-all (Fail): Reject emails from servers/IP addresses not in the SPF record. (Hell Yeah!)
~all (SoftFail): Accept emails from servers/IPs not listed in the SPF record but marked as spam.
It is never acceptable to allow unauthorized individuals to send emails as you.
I wouldn’t want a hacker to “soft fail” at spoofing me. #HardFailPlease
Are you beginning to see how A Few Edits to Your DNS Could Stop Hackers Cold?

Here is what Chat GPT 4 said on the matter:

The Sender Policy Framework (SPF) is a method used to prevent email spoofing. By creating an SPF record for your domain, you specify which mail servers are allowed to send email on behalf of that domain. The inclusion of -all in the SPF record indicates that no other servers except the ones specified in the record are permitted to send email for the domain.

Using -all in your SPF record can help improve email security by:
Preventing Email Spoofing: If attackers try to send emails pretending to be from your domain (spoofing), receivers who check SPF will recognize the forgery and can reject the message.

Improving Deliverability: By explicitly defining which email servers are authorized to send emails on behalf of your domain, you can increase email trust and prevent them from being marked as spam.

However, there are considerations to be aware of:
Strictness: Using -all is the most strict qualifier. If you or your organization ever change the way you send emails (e.g., switch to a new email service provider or add another sending server), you must update your SPF record accordingly. To avoid rejecting legitimate emails, I will thoroughly check everything and only filter out spam messages.

Potential for False Positives: Improper configuration of the SPF record can flag legitimate emails as suspicious or reject them due to oversight in identifying all authorized email sources.

Not Universally Checked: Not all receiving mail servers check SPF records. Thus, while an SPF record with -all can help, it’s not a comprehensive solution on its own. Many people often use it in combination with other technologies like DKIM and DMARC to create a more comprehensive solution.

Multiple SPF Records: A domain should only have one SPF record. If there are multiple records due to misconfiguration, it can lead to unpredictable results.

The default limit for an SPF record is to allow up to 10 DNS lookups. The rejection of valid emails may occur if the record size exceeds the specified limit. To avoid any email delivery issues, it is important to keep your SPF record length in check.
In conclusion, while using -all in an SPF record can enhance email security, it should be done carefully, ensuring that all legitimate email sources are accounted for. To catch any potential issues, it is important to actively monitor email delivery after making changes.

If unsure, some organizations start with a more permissive qualifier like ~all (soft fail) to monitor for potential issues before moving to the stricter -all (hard fail).

Here is what Google Bard said on the matter:

Many organizations that prioritize security and have a good understanding of their email-sending infrastructure use the -all (hard fail) mechanism in their SPF records.

This is because -all provides the most stringent control, indicating that only the mail servers specified in the SPF record should be allowed to send emails on behalf of the domain, and all others should be rejected.

Here’s a breakdown of some reasons why higher-security domains might choose to use -all:

Prevent Email Spoofing: A strict SPF policy with -all can prevent attackers from easily spoofing emails from the domain, thus protecting the organization’s reputation and its users from phishing attacks.

Reputation: A correctly configured SPF record with -all can improve the domain’s email deliverability, as it signals to receiving mail servers that the domain’s administrators have taken steps to secure their email infrastructure.

Compliance & Regulations: Some industries or regulatory frameworks might require stringent email security practices, and using -all in the SPF record can be a part of meeting those requirements.

However, the decision to use -all is not made lightly:

Infrastructure Knowledge: Organizations need a comprehensive understanding of all their legitimate email-sending sources. This includes not just their primary email servers but also any third-party services, marketing platforms, CRM systems, etc., that send email on their behalf.

Maintenance: Keep SPF record up-to-date. Any change in the email-sending infrastructure (like adding a new third-party email sender) requires an update to the SPF record.

Monitoring: To ensure that SPF failures do not result in the rejection of legitimate emails, organizations should actively monitor email delivery reports.
In summary, while many high-security domains use -all in their SPF records because of the benefits it provides, it requires due diligence in configuration, maintenance, and monitoring. Without these, using -all could lead to legitimate emails being rejected.

We use dynamic hosted SPF at PowerDmarc.com to keep our record short, monitor delivery problems, and stay under the 10-lookup limit.

There’s More!

You can test any domain’s record at https://dmarcguide.globalcyberalliance.org/#/

We use securitytrails.com to track DNS changes and find the cause of issues like email delivery failure. Frequently, we come across a common issue where the email stops working after the web developer updates the website.

We use powerdmarc.com to have a dynamic SPF record.

Furthermore, we also utilize mailhardener.com with our clients.

In addition to fraud prevention, a BIMI record validates a company’s logo in Gmail.
https://bimigroup.org/bimi-generator/

A Few Edits to Your DNS Could Stop Hackers Cold

Setup SPF, DKIM, DMARC, & MTA-STS!

Your business could have the most beautiful website on the whole World Wide Web. If left Unprotected, emails are a prime target for hackers to steal money.

In 2019, 24,000 email scams cost businesses $1.7 billion, per FBI’s 2019 Internet Crime Report.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Wonder why “null” images replace your logo in Mac Mail and iOS email signatures? See our article: How to get rid of those missing image errors “null” in Mac Mail and iOS email signatures

We can help you secure your email and DNS records remotely. Contact us from your iPhone by clicking the link or call 615-800-7288.

How to Contact Mac Help using the Messages AppMoreover, it’s silly to fear that users won’t receive their email because this only blocks fraudulent messages.

Leave a Comment

Your email address will not be published. Required fields are marked *

Your tech problems are about to disappear.

Stay Connected

© Mac Help Nashville, Inc.

© ALL RIGHTS RESERVED. Mac Help Nashville, Inc. is an independent service organization and has not been authorized, sponsored, or otherwise approved by Apple Inc.
The word “Mac” is a registered trademark of Apple Inc.

× Parent Corporation for Network Ninjas Nashville This website is owned and operated by Mac Help Nashville, Inc. All invoicing & scheduling are managed by (and customer reviews originate from) Mac Help Nashville, Inc. A registered corporation in the state of TN, DBA "Network Ninjas Nashville." Network Ninjas Nashville and www.networkninjasnashville.com is a wholly owned subsidiary of Mac Help Nashville, Inc.