Defend Your Domain: Master DNS Security with DMARC, SPF, and DKIM

Looking to bolster your DNS Security with DMARC, SPF, and DKIM? This guide will show you how to set up dmarc to protect your business email system from spoofing and phishing attacks.

The Challenge: Ensuring DNS Security and Combating Email Vulnerabilities

Your Domain Name System (DNS) based email authentication protocols, such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail), are crucial for safeguarding your business against email spoofing and phishing.

Why DNS Security Matters

Without proper DNS security your business is susceptible to email spoofing and phishing attacks, which can lead to unauthorized access to sensitive information, financial loss, and a tarnished domain reputation. Correctly configured DNS records not only secure email but also improve deliverability: emails from properly authenticated domains are less likely to be marked as spam.

Implementing DMARC, SPF, and DKIM for Optimal DNS Security

SPF and DKIM authenticate the messages sent from your domain; DMARC ties them together with a policy that tells receivers how to handle messages that fail authentication, and reports the results back to you.

Sample DMARC, SPF, and DKIM Records: Key Elements of DNS Security


 Enter domain, IP (or 'exit' to quit): 
 ------------------------------------
 cisa.gov
 Reg   🟡: Unknown or Classified
 IPs   🟢: 23.5.154.88, 2600:1402:b800:d89::447a, 2600:1402:b800:d84::447a
 NS    🟢: a22-66.akam.net, a1-91.akam.net, a7-64.akam.net, a16-67.akam.net, a9-66.akam.net, a8-65.akam.net
 MX    ✅: mxb-00376703.gslb.gpphosted.com, mxa-00376703.gslb.gpphosted.com
 TXT   🟢: 
 google-site-verification=BNRBfY90BM54Mf_pgL4Eg07IkwbGvq5nsdZCOYadDlM
 MS=ms41452370
 google-site-verification=wsLVyeZYgv0NLikdmfm2m3XPP-986Ylo8XxUkrjIOvA
 MS=ms36056523
 MS=ms53160703
 v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all
 SPF   ✅: v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all
 DMARC ✅: v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],
 mailto:[email protected]
 DKIM  ✅: selector1._domainkey.v=DKIM1; k=rsa;
 p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv32BRAJaAOsxAp31ZqQwd7RYfbYowvb3F7
 q8WQEyasI6w7Gm0bxPW57TFM04fM5flf1PYyCDSa3ckQzSQLYmMx9HiXYJYF1Dpk9PnjTarbdR9mm9fc
 iBXT2pTFNJw+SRMH3NRrbkefv8GqqLdJotgCl2vWoyRlfKCANCFq5Bbq4qaztXqU/cHRurG8ZVSF7Zrh
 4EBKvpzAyIisrf2g2Gky+vO4LTMrgZeNnA/OyHmWmvlUC58e06jBLSysYyh19O4MiU5eUhuT7MYTLWz6
 IOl4PaT9HkmM0rH/fgcGSYc8ajCsrvxYA8LgoWR9IzYq5vYzDWLxSo/J0c+6pVWQIDAQAB;
 PTR   ✅: a23-5-154-88.deploy.static.akamaitechnologies.com,
 g2600-1402-b800-0d84-0000-0000-0000-447a.deploy.static.akamaitechnologies.com,
 g2600-1402-b800-0d89-0000-0000-0000-447a.deploy.static.akamaitechnologies.com
 Enter domain, IP (or 'exit' to quit): 
 ------------------------------------

Notice that the DMARC policy is p=reject with pct=100: receivers are asked to reject every message that fails authentication.

Mac Help Nashville, Inc. proudly participates in CISA’s Cyber Hygiene program for critical cyber infrastructure. We have learned so much from our assigned feds, and I love experiencing the yearly red team, where top hackers at CISA hack your company and show you what they could steal and how to prevent it. One cool macOS security tool we installed that gave our fed, who was red-teaming us, the most trouble was LuLu by Objective-See. It kept ratting out and stopping the CISA rats! haha

Common SPF Misconceptions

Contrary to a common misunderstanding, the -all mechanism in an SPF record does not stop your own users from sending or receiving email. It tells receivers that only the sources listed in the record may send mail on behalf of the domain, and that anything else should fail SPF. Third-party services that send as your domain, such as Mailchimp or Zendesk newsletters, therefore need their own “include:” entry in your record; that entry is what authorizes them.

Alternate Viewpoints

Mail Hardener recommends using SPF Softfail over Fail for better compatibility and fewer delivery issues.

Scientific Backing

According to RFC 7489, Section 10.1, an SPF -all can cause a receiver to reject a message before DMARC evaluation runs, so the DMARC policy (and its reporting) never sees that message. Operators should be aware of this.

Practical Tools for DNS Security

We recommend Red Sift’s Investigate, securitytrails.com, whatsmydns.net, or MXToolbox to track DNS changes, and Red Sift’s OnDMARC to manage dynamic DNS records when you have a more advanced setup or need more than 10 lookups.

Step-by-Step Guide to Setting Up DMARC, SPF, and DKIM

If you’re new to DNS security, here’s a simple checklist to help you set up DMARC, SPF, and DKIM:

If you’d like to see the state of your DNS before we get started, visit Red Sift’s Investigate.

SPF

  1. Verify domain ownership
    a. The registrar is where the yearly bill is paid (and may also be where you edit DNS records).
    b. The NS records tell you where the DNS records are edited; those name servers are your DNS host.
    (This could be GoDaddy, Wix, or another provider; searching for the two NS server names will give you a hint.)
    We use Cloudflare as our registrar and DNS host. They are top-of-the-food-chain good at that job!
  2. Create an SPF record listing your authorized email servers:
    The two most typical are:
    a. v=spf1 include:_spf.google.com ~all (see Google’s guidance.)
    b. v=spf1 include:spf.protection.outlook.com -all (see Microsoft’s guidance.)
    c. After you construct your policy, copy it into your DNS as a TXT record.
    d. Note that neither record above covers anything else that may need to send email as your domain (email marketing services, for example); each of those needs its own include: entry.
    e. The SPF DNS lookup limit is 10. Each include, a, mx, ptr or exists mechanism and each redirect modifier costs one lookup, counted across nested includes; a record that needs more than 10 produces a permanent error, so mail checked against it fails SPF validation.
    If you run into this limit, you may need a dynamic SPF service like Red Sift’s. We have a portal with them and can help you set it up.
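
As an added worked example (not code from this page or its author), here is a small Python checker that does by hand what items d and e above ask for: it parses an SPF record, follows include: and redirect= through a constructed sample zone, counts the DNS lookups against the limit of 10, and reports what the record’s all term means. The zone, domain names and addresses in it are made up for the example and are not live records.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample zone (domain -> SPF TXT record). Made up for this
# example; none of these names or addresses are live records.
SAMPLE_ZONE: Dict[str, str] = {
    "example.com":           "v=spf1 include:_spf.example-mail.net include:mkt.example-news.org mx -all",
    "_spf.example-mail.net": "v=spf1 include:a.example-mail.net include:b.example-mail.net ~all",
    "a.example-mail.net":    "v=spf1 ip4:192.0.2.0/24 -all",
    "b.example-mail.net":    "v=spf1 ip4:198.51.100.0/24 a -all",
    "mkt.example-news.org":  "v=spf1 include:_spf.example-mail.net ip6:2001:db8::/32 ~all",
    "toomany.example":       "v=spf1 include:example.com include:mkt.example-news.org -all",
    "loop.example":          "v=spf1 include:loop.example -all",
}

# Terms that cost a DNS query when a receiver evaluates the record
# (RFC 7208 section 4.6.4). ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

ALL_MEANING = {
    "-": "fail: unlisted senders are rejected",
    "~": "softfail: unlisted senders are accepted but marked",
    "?": "neutral: no assertion",
    "+": "pass: anyone may send as this domain (useless)",
}

Term = Tuple[str, str, Optional[str]]   # (qualifier, name, argument)


def parse_spf(record: str) -> List[Term]:
    """Split an SPF record into (qualifier, mechanism/modifier, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms: List[Term] = []
    for token in tokens[1:]:
        # qualifier, name, then ':' '=' or '/' introduces the argument
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9_-]+)(?:[:=/](.*))?", token)
        if m is None:
            raise ValueError(f"malformed SPF term: {token!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def count_lookups(domain: str, zone: Dict[str, str],
                  seen: Optional[frozenset] = None) -> Tuple[int, List[str]]:
    """Count the DNS queries a receiver performs for `domain`'s SPF record,
    following include: and redirect= into `zone`. Returns (count, notes)."""
    seen = (seen or frozenset()) | {domain}     # ancestors on this branch only
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (an include: of it is a permerror)"]
    total, notes = 0, []
    for _qual, name, arg in parse_spf(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1                      # the query for this term itself
        if name in ("include", "redirect") and arg:
            if arg in seen:
                notes.append(f"{domain}: include loop back to {arg}")
                continue
            sub, sub_notes = count_lookups(arg, zone, seen)
            total += sub
            notes.extend(sub_notes)
    return total, notes


def check_spf(domain: str, zone: Dict[str, str]) -> Dict[str, object]:
    """Summarise the record: lookup count vs the limit, and what `all` says."""
    terms = parse_spf(zone[domain])
    lookups, notes = count_lookups(domain, zone)
    all_qual = next((q for q, name, _ in terms if name == "all"), None)
    return {
        "domain": domain,
        "lookups": lookups,
        "over_limit": lookups > SPF_LOOKUP_LIMIT,
        "all": ALL_MEANING.get(all_qual, "neutral: no all term (defaults to ?all)"),
        "notes": notes,
    }


if __name__ == "__main__":
    for d in ("example.com", "toomany.example", "loop.example"):
        print(check_spf(d, SAMPLE_ZONE))
```

In the sample zone example.com lands exactly on 10 lookups (allowed), toomany.example reaches 16 by including example.com again, and loop.example shows why the checker tracks the ancestors of each branch: without that, a self-include would recurse forever. Against real DNS you would replace the dict lookup with a TXT query for each name.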

DMARC

Set up a DMARC policy:
    a. Start HERE.
    b. After you construct your policy, copy it into your DNS.
    c. Remember: if your DMARC says p=none, your work’s not done! 😉 Get to p=reject.
    p=none doesn’t provide any protection. It only reports potential issues without enforcing a policy, leaving your domain vulnerable to email spoofing.
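
An added Python example, not part of the original guide, that parses a DMARC record and reports whether it actually enforces anything: p=none, a pct below 100, sp=none on subdomains and a missing rua= address are each flagged, since any of them leaves a gap the “p=reject” advice above is meant to close. The sample records and mailbox addresses are constructed for the example.

```python
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict. Per RFC 7489 section 6.3 the
    v= tag must come first and be DMARC1, and p= is required."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def assess_dmarc(record: str) -> Dict[str, object]:
    """Decide whether the record actually enforces anything, and list gaps."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)          # sp defaults to p
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    issues: List[str] = []
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    if sub_policy == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    if not rua:
        issues.append("no rua=: you receive no aggregate reports")
    for uri in rua:
        if not uri.lower().startswith("mailto:"):
            issues.append(f"rua entry is not a mailto: URI: {uri}")
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "rua": rua, "enforced": enforced, "issues": issues}


# Constructed sample records (addresses are placeholders, not real mailboxes).
SAMPLES = {
    "enforced":   "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@example.com, mailto:agg@dmarc-vendor.example",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "partial":    "v=DMARC1; p=quarantine; pct=25; sp=none",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, assess_dmarc(rec))
```

The “enforced” sample has the same shape as the record in the tool output earlier on the page (p=reject, pct=100, two rua addresses) and comes back with no issues; the other two show the partial states you pass through on the way there.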

DKIM

Log in to Microsoft Exchange or Google Workspace (your email service provider) to get your DKIM keys, which you’ll also publish in your DNS records.
DKIM selectors are the part of the DKIM record name that distinguishes between multiple keys published under the same domain. This is useful for organizations that send email through several systems or services (email marketing, for example).
    a. After you find your DKIM keys, copy them into your DNS. When setting up DKIM, use a key length of at least 2048 bits; shorter keys, such as 1024 bits, are no longer considered secure enough against brute-force attacks.
    b. Make sure you hit Activate or Start Authentication in Google, or Publish in Exchange.
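
An added example (not code from this page, Google or Microsoft) showing how to verify the key length of a DKIM record before you publish or activate it. The p= tag carries a base64 DER SubjectPublicKeyInfo, so the script decodes just enough DER to read the RSA modulus and compares its width against 2048. The sample keys are constructed numbers of the right width, not real RSA keys, and the page’s own key is not reused because the copy above is line-wrapped.

```python
import base64
import re
from typing import Dict, Tuple

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"


# --- just enough DER to build and read an RSA SubjectPublicKeyInfo ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_der(n: int, e: int) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo, the format DKIM's p= carries."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + DER_NULL)
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus size in bits of an RSA SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, algorithm, pos = _read_tlv(body, 0)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)   # skip the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_public_key, 0)      # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


# --- the DKIM record itself ---

def parse_dkim(record: str) -> Dict[str, str]:
    """Parse a DKIM TXT record's tag=value list. Whitespace inside values is
    dropped because DNS splits long p= keys across several strings."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def assess_dkim(record: str) -> Dict[str, object]:
    tags = parse_dkim(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("this check only handles k=rsa")
    key_b64 = tags.get("p", "")
    if not key_b64:                       # empty p= means the key is revoked
        return {"revoked": True, "bits": 0, "strong_enough": False, "testing": False}
    bits = rsa_modulus_bits(base64.b64decode(key_b64))
    return {"revoked": False, "bits": bits, "strong_enough": bits >= 2048,
            "testing": "y" in tags.get("t", "")}   # t=y: receivers ignore failures


def sample_record(bits: int) -> str:
    """Constructed sample: an arbitrary odd number of the requested width,
    NOT a real RSA modulus; it only exercises the size check."""
    n = (1 << (bits - 1)) | 0x10001 | 1
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, 65537)).decode()


if __name__ == "__main__":
    for width in (1024, 2048):
        print(width, assess_dkim(sample_record(width)))
```

To check a live record, query the TXT value at selector._domainkey.yourdomain (the tool output earlier on the page shows selector1 for cisa.gov), join its strings, and pass it to assess_dkim; a result with strong_enough false is the 1024-bit case the step above warns about.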

Test the setup using Red Sift’s Investigate or web-browser-based Cyber Alliance.

Monitor and adjust as needed.

DNSSEC for extra security

Additional DNS security measures, such as DNSSEC (DNS Security Extensions), protect against DNS spoofing by ensuring the DNS responses are authenticated.

DNSSEC is a suite of extensions that provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity.

Common Pitfalls to Avoid

When setting up DMARC and SPF, watch out for these common mistakes:

  • Incorrectly formatted DNS records (for example, stray spaces before or after the value, or the wrong record type)
  • Not updating DNS records after changing email providers
  • Setting overly strict policies initially

FAQs: Your DNS Security Questions Answered

  1. Can I set up DMARC and SPF myself?
    Yes, but it’s advisable to consult a DNS security expert.
  2. What happens if I don’t set up DMARC or SPF?
    Your email system will be more susceptible to phishing and spoofing attacks.

Additional Security Measures

Beyond email security, a Brand Indicators for Message Identification (BIMI) record can validate your company’s logo on platforms like Gmail. Learn how to set it up at bimigroup.org.

Statistical Urgency

The FBI’s 2023 Internet Crime Report reveals a surge in cybercrime, with a record 880,418 complaints and over $12.5 billion in losses, highlighting California as the most affected state. Read the full report: FBI’s 2024 Internet Crime Report.

Conclusion

Securing your domain and email system is not just a technical requirement but a business imperative. Implementing DMARC, SPF, and DKIM can significantly reduce the risk of email spoofing and phishing attacks. Don’t be a statistic—take action today.

Wonder why “null” images replace your logo in Mac Mail and iOS email signatures? See our article: How to get rid of those missing image errors “null” in Mac Mail and iOS email signatures.
