Domain spoofing – also known as email spoofing or impersonation, is a fraudulent activity that involves the use of fake or forged email addresses to deceive recipients into thinking that a message comes from a legitimate source. It is a common tactic used by cybercriminals to trick users into sharing sensitive information or clicking on malicious links.
To prevent domain spoofing, here are some best practices to follow:
- Implement email authentication protocols: Two email authentication protocols that are commonly used to prevent domain spoofing are Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF allows the receiving mail server to verify that the IP address sending the email is authorized to send on behalf of the domain. DMARC adds an extra layer of protection by allowing the domain owner to specify what actions to take on messages that fail SPF or DKIM checks.
- Monitor your domain: Regularly monitor your domain for unauthorized changes, such as changes to DNS settings or MX records. Any unauthorized changes could be a sign of a domain hijacking attempt.
Google Workspace MX records
If your mailbox that you use to receive email replies is managed by Google Workspace (formerly Gsuite) you need to add five MX records for redundancy and to ensure reliable email delivery. MX records are used by email servers to determine where to deliver email messages for a particular domain.
Google Workspace distributes its MX records across five different priority levels (from 1 to 5) and points them to different servers. This provides redundancy and helps ensure that email is always delivered to a Google server, even if one or more of the servers are temporarily unavailable.
By using multiple MX records with different priority levels, Google Workspace can handle high volumes of email traffic and provide reliable email service to its users. This approach also helps prevent email downtime or delays, which is critical for businesses that rely heavily on email communication.
Example:
| Type | Name | Content | Priority | TTL |
| MX | aspmx.l.google.com | 1 | 3600 |
This MX record tells us that email for the subdomain “mail” of the domain should be handled by the Google mail server at “aspmx.l.google.com”, with a priority of 1. This means that if there are multiple mail servers listed for the domain, the Google mail server will be tried first. The TTL value of 3600 seconds means that DNS resolvers can cache the MX record for up to 1 hour before needing to refresh it from the authoritative DNS server.
Google Workspace SPF records
A Sender Policy Framework (SPF) record is a DNS record that identifies which mail servers are authorized to send email on behalf of a particular domain. In Google Workspace, an SPF record is used to verify that emails sent from a domain are legitimate and not forged or spoofed.
To set up an SPF record for Google Workspace, you need to add a TXT record to your domain’s DNS settings. The SPF record for Google Workspace should include the following information:
| Type | Name | Content | TTL |
| TXT | @ | v=spf1 include:_spf.google.com ~all | 1 hour or 3600 seconds |
It is important to note that the SPF record for Google Workspace should be added to your domain’s DNS settings, not your email client’s settings. This will ensure that all emails sent from your domain are properly authenticated and delivered to the recipient’s inbox.
To learn more about preventing email spoofing and spam using SPF, you can read the following resource: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F10684623%3Fhl%3Den&assistant_id=generic-unu&product_context=10684623&product_name=UnuFlow&trigger_context=a
Google Workspace DKIM records
Google Workspace DKIM records are a set of DNS records used to authenticate email messages sent from your domain through Google Workspace (formerly known as G Suite). DKIM (DomainKeys Identified Mail) is an email authentication method that uses a cryptographic signature to help ensure that an email message was not forged or tampered with during transmission.
To set up DKIM for Google Workspace, you need to add a set of DKIM records to your domain’s DNS settings. These records include a public key that is used to verify the cryptographic signature on outgoing email messages.
Here are the steps to add DKIM records for Google Workspace:
- Sign in to your domain’s DNS management console.
- Locate the DKIM records provided by Google Workspace. You can find these records in the Google Workspace Admin console under Apps > Google Workspace > Gmail > Authenticate email.
- Add the DKIM records to your domain’s DNS settings. You will need to create a new DNS TXT record for each DKIM record provided by Google Workspace.
- Wait for the changes to propagate. It may take up to 48 hours for the new DNS records to be available globally.
Once you have added the DKIM records to your domain’s DNS settings, email messages sent from your domain through Google Workspace will be signed with a DKIM signature. Receiving mail servers can then verify the signature to help ensure that the messages are authentic and have not been tampered with during transmission. This can help improve email deliverability and reduce the likelihood of your messages being flagged as spam or phishing attempts.
To learn more about preventing email spoofing and spam using DKIM, you can read the following resource: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Ftopic%2F2752442%3Fhl%3Den&assistant_id=generic-unu&product_context=2752442&product_name=UnuFlow&trigger_context=a
Google Workspace DMARC records
Important: Configure DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) before configuring DMARC. DKIM and SPF should be authenticating messages for at least 48 hours before turning on DMARC.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that helps prevent email spoofing and phishing attacks. DMARC works by verifying that an email message is sent from an authorized sender and has not been tampered with during transmission.
To set up DMARC for Google Workspace, you need to add a DMARC record to your domain’s DNS settings. The DMARC record for Google Workspace should include the following information:
v=DMARC1; p=none; sp=none; rua=mailto:your@email.address
This DMARC record tells email servers that your domain has implemented DMARC, and the “p=none” means that you are only monitoring your email traffic and not enforcing any policy yet. The “sp=none” indicates that you are not applying a policy to subdomains, but only to the main domain.
The “rua” parameter specifies the email address to which DMARC reports should be sent. DMARC reports provide feedback on the number of messages that passed or failed DMARC checks and other relevant information. This information can help you identify any issues with your email authentication setup and improve email deliverability.
Once you have added the DMARC record to your domain’s DNS settings, you can gradually move towards a stricter DMARC policy (such as “p=quarantine” or “p=reject”) to enforce email authentication policies and prevent unauthorized senders from using your domain name for phishing or spoofing.
If you need help with publishing DMARC, you can find support at http://dmarc.org.
Learn how to enhance security against forged spam using DMARC, you can refer to the following resource: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Ftopic%2F2752442%3Fhl%3Den&assistant_id=generic-unu&product_context=2752442&product_name=UnuFlow&trigger_context=a
Setting up DNS Records on Earnware
Navigate to the “Domains” page where you can check if all the necessary DNS records are present for your domain. Click on the domain name that you want to verify and ensure that all the required DNS records are present. Please note that DMARC may not be included in the detailed records, but it will be added later in the setup process.
To set up the DNS records, you can use the information provided on the Earnware and add them to your DNS hosting provider. Ensure that you have entered the records accurately to avoid any errors in the setup process.
After adding the DNS records, you can proceed to send a test email and confirm that DKIM is passing correctly. This step is essential as it ensures that the DNS records have been set up correctly and that your domain is signing its own DKIM. If DKIM is not passing, then the records need to be rechecked and corrected.
Once you have confirmed that DKIM is passing, you can proceed to add DMARC to your DNS records. DMARC is essential in ensuring that your email campaigns are delivered to your subscribers’ inbox and not marked as spam. Therefore, it is important to add DMARC to complete the setup process.
In conclusion, following these steps will ensure that your domain is set up correctly on Earnware, and your email campaigns are delivered to your subscribers’ inbox without any issues.
Setting up DNS records on Campaigner
For guidance on configuring Campaigner’s DNS records, you can obtain assistance at https://knowledge.campaigner.com/article/1784-dkim-spf-and-dmarc.
Impact of Misconfiguration
Misconfigured email authentication can have significant impacts on your email deliverability. If your emails fail authentication checks, they may be marked as spam, or even blocked entirely by receiving email servers. This can negatively impact your email marketing campaigns, customer support, and general communication.
Conclusion
Proper email authentication is crucial for ensuring successful email delivery and preventing emails from being marked as spam. Configuring DKIM and DMARC records for your domain is a necessary step in email authentication. Always double-check your DNS settings before making changes, and monitor your email delivery to ensure that your emails are being delivered successfully. By following best practices for email authentication, you can ensure that your email communication remains reliable and effective.