Securing Your Business Email
This tutorial requires some prior knowledge about domain registration and your own DNS records. Everything is explained in this tutorial that you will need access to. If there are issues following this, please email me via my contact page.
Seeing how not having a valid #DMARC record on your website can result in even the largest organisations (the WHO) having emails spoofed and sent from official email addresses, it should be vital that anyone with a domain and an email address acts on adding a verified record. https://lnkd.in/gYNpBJE by Vox.com shows how these are happening. Check your website on https://www.valimail.com/ to see if you are open to these vulnerabilities. #emailsecurity #cybersecurity #vulnerabilities #phishing #security #cyberThis post is expanded upon from my post on LinkedIn
At the start of the Coronavirus pandemic, a number of large companies and organisations with extreme amounts of authority (namely, the WHO) had been subject to email spoofing, in essence, allowing anyone with access to a computer to send an email through your domain, pretending to be you and potentially ruining your reputation as a business and worst of all, ruining your relationship with your customers.
Media/news company Vox released a video titled “Why coronavirus scammers can send fake emails from the WHO”, showing how scammers are able to send emails from domains that they don’t own but also how to protect yourself and your business from falling victim to what is basically digital identity theft.
How to secure your email
To secure your business email, you need to have access to the domain registrar or your DNS manager. If you’re not sure what this is, it’s the place where you can make changes to your domain address – for my website, this is “bjgreen.co.uk“. If you’re hosting your website on something like Squarespace or Wix, it’s likely that you changed your nameserver to be hosted on their platform, meaning that they’ll be your DNS manager.
Firstly, check if your domain already has your email secure. Go to https://www.valimail.com/, scroll down and under “Check to see if you’re protected”, enter your domain. This doesn’t cost anything and will run some quick tests (this doesn’t require you enter any information about your business or server, just your domain name) on the DNS records of your domain.
The test that Valimail does on your domain is called a DMARC Enforcement Record check. DMARC stands for “Domain-based Message Authentication”. This is what checks the authenticity of the emails you send and is what protects against impersonation attacks.
If you’ve never changed your domain settings for email security, it’s extremely likely that once you’ve submitted your domain for checking, you’ll be taken to a page that has a red box at the top saying unprotected.
Writing a DMARC Record
Writing a DMARC record isn’t exactly the easiest thing in the world if you’re doing it from scratch, especially if you have no prior experience. But thankfully, DMARC records are one of those things that you can copy and paste – as long as you change certain parts to best suit your domain.
The base code we’ll use is as follows – which is what my domain uses, along with many others (Google, Vox, Valimail themself)
v=DMARC1; p=reject; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;
Let’s break this down. the first part of this code just declares that this is a DMARC record. The next part is if the email fails the authenticity check, reject the email from being sent. RUA and RUF are the locations that emails will be sent to if an email server requests a DMARC record or if someone tries to send an email as you.
Say your domain is “example.com” and you’ve setup an email mailbox where your website administration goes to, the code will look like this.
v=DMARC1; p=reject; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;
If you’re not comfortable writing this code yourself, you can use “generators” to make this code. Both MXToolbox and Dmarcian (Email Security Tools) provide tools to generate DMARC records.
To add this code to your website, navigate to the place where you manage your DNS settings (domain registrar or DNS manager).
- Create a new TXT record.
- Set the name of this to _dmarc (it should end in your domain name, so mine would be _dmarc.bjgreen.co.uk)
- Under the value section, enter the code you wrote for DMARC.
Writing SPF Records
We’ve already battled DMARC records, what on earth is an SPF record!? SPF stands for Sender Policy Framework. SPF and DMARC records work together to enforce email authenticity to make sure it’s coming from the right place. An SPF records purpose is to ensure that the email being sent comes from the right origin server. If you’re using an email service like G Suite, Microsoft Exchange or Zoho, it’s likely you’ve already set up and SPF record when you registered for that but if you’re using cloud hosting, like Krystal Hosting you may not have one set. Most major hosts, like Krystal, do create SPF records when you create your hosting plan, but some don’t.
To create an SPF record, all you need to get is your servers IP address.
If your hosting plan uses cPanel, it’s likely that your servers IP address is on the right side of your screen. If not, either look around your hosting panel or contact support. Once you’ve got your servers IP address, put it into this code, replacing the example IP of 184.108.40.206
v=spf1 +a +mx +ip4:220.127.116.11 ~all
“Mail servers processing this SPF record will perform a maximum of 2 domain lookups. SPF limits each record to a maximum of 10 domain lookups. Records with more lookups should expect reduced deliverability.”
Go back to Valimail and run the same test on your domain and it should turn green!