Secure an inactive domain from email spoofing attacks
#Azure #DNS #security #Exchange
Your organization may have a primary domain that's used for sending and receiving email (e.g. bill@company.com), but you may also have other domains that aren't used for email routing (company.net, companywebsite.com). You or another administrator may have setup SPF, DMARC, and DKIM records for these externally facing domains that handle email, but there is still a risk of email spoofing attacks on your non-sending domains.
Without SPF, DMARC, and DKIM records in your DNS, there's a potential for anyone to send email as if it comes from your domain. This can cause you a huge headache as an administrator to clean up and organizations can lose brand trust from customers if they receive these emails.
To prevent this spoofing attack, all you need to do is add 3 records to your DNS config for each domain. These records are used by the recipient's email server to verify whether the sender is authenticated to use the domain. If the record check fails, the message is rejected and the recipient doesn't receive the email.
Here are the records that are needed for each domain:
| Record Type | Name | Value |
|---|---|---|
| TXT | @ | v=spf1 -all |
| TXT | _dmarc | v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s |
| TXT | *._domainkey | v=DKIM1; p= |
You may also want to add an MX record to your DNS so that incoming email will also be rejected. This is not needed, but it could prevent your domain from receiving attempted incoming messages:
| Record Type | Name | Priority | Value |
|---|---|---|---|
| MX | @ | 0 | null |
In my environment, I have a domain that I'm only using for web traffic and shouldn't be sending out or receiving emails at flnowarchive.org. I'm going to add these records to my DNS config to prevent spoofing attacks.
Before updating my DNS records, here is a screenshot from MXToolbox showing that I don't have any SPF, DMARC, or DKIM records configured for my domain:
Inside Azure DNS, I'm going to add all four records to my domain:
After a few minutes to wait for DNS servers to refresh, MXToolbox says that all of my DNS records are configured to block SPF attacks and reject incoming email:
By adding these 3 records, you can secure your organization's brand from the headaches that come from spoofed emails. If you're using Azure DNS, it's easy make these changes in the Portal.
Resources
