Spf&Dkim&Dmarc

Andy M (asker):

Hello,

Someone is spoofing my mail domain.
I have an SPF record and it is not enough to stop spoofing.

I didn't know how easy spoofing is :-)

"Find a website like deadfake, which describes itself as “a site that lets you send free fake emails to anyone you like.”
Or anonymailer.net. Or spoofbox.com. There are dozens. Many of them are free, some cost a little money to send mail.

    Enter your recipient’s email address in the To: field.
    Put whatever email address you want in the From: field.
    Craft your message and press the Send Now! button."

So, what are my options? I have PTR and SPF records.
Configure DKIM and DMARC?
Any advice?
Please, can anyone explain how to implement it? I have 4 email domains on my mail server.
Is there any DKIM & DMARC tutorial for dummies :-)
Thank you
bbao:

Can you please first advise how "someone is spoofing my (your) mail domain"? Is there any evidence or symptom that may support your speculation?
noci:

SPF should be the first:
be sure that you build a correct SPF record, which describes all systems that may send mail in your name.

2nd: DKIM. That requires signing of all mail by the mailer, and adding headers with what is signed, which key (selector) is used and the signature.
Your mailer needs to have a private key for this, and your DNS should hold the public key in the TXT record identified by the selector under _domainkeys.yourdomain.tld.

3) DMARC. If ALL of the above has been set up correctly you can try DMARC, first in reporting mode and, after quite some time (think several months) with no errors, you can change to enforcing mode.

Here is a link with a description: https://www.endpoint.com/blog/2014/04/15/spf-dkim-and-dmarc-brief-explanation
Tool to validate your settings: https://mxtoolbox.com/
Site to test SPF & DKIM: https://www.mail-tester.com/spf-dkim-check
An SPF record isn't a guaranteed way to prevent spoofing but it usually does help a lot. I suspect it's worth checking you've got your SPF set up correctly.
To offer assistance we may need more info, some of which may be 'internal' to your organisation, so it's best for you to consider if you're happy providing enough info for us to check your SPF etc.

DKIM & DMARC are also worth considering but are also not guaranteed to stop spoofing, just reduce it.
This is because SPF, DKIM & DMARC are all public info, but it depends on the recipient to take action. You can't force them :-)
Andy M (asker):

Can you please first advise how "someone is spoofing my (your) mail domain"? Is there any evidence or symptom that may support your speculation?

Yes, someone from Africa sends mail and the From field is: @mydomain.com
My mail server is in the EU, not in Africa.
I have SPF configured but it's not helping.
Please share your current SPF record (remove your IP address or domain and replace them with x.x.x.x).
Andy M (asker):

To offer assistance we may need more info, some of which may be 'internal' to your organisation, so it's best for you to consider if you're happy providing enough info for us to check your SPF etc.

OK.
My primary email domain SPF is:
v=spf1 mx -all
My secondary domains' SPFs are:
v=spf1 include:primarydomain.com -all

Is it OK?

Reading this article, it seems that SPF is not helpful:

https://dylan.tweney.com/2017/10/25/how-to-fake-an-email-from-almost-anyone-in-under-5-minutes/

"The only thing truly stopping fake From addresses is email authentication using a standard called DMARC. But that only works if the domain you’re trying to fake has published a DMARC record and set it to an enforcement policy. Then, and only then, will almost all email servers that receive messages (Gmail, Yahoo Mail, etc.) block the faked emails."
Andy M (asker):

https://blog.tinned-software.net/spf-and-multiple-domain-mailserver/

The most common SPF record seems to be following:

"v=spf1 a mx -all"

The SPF record for the non-primary domains might look like this:

"v=spf1 include:primary-domain.com -all"

Should this be OK?
Completely eliminating spam requires a different attitude to mail... the best method is to require S/MIME signed mail.
Then the sender address must be known locally to be able to handle the mail...
That said, reducing spam starts with SPF. DKIM is also useful but more trouble to set up. DMARC closes that loop but absolutely requires a functioning SPF & DKIM.
Then you can still receive spam from an outfit that has domain names looking like a regular name, e.g. c0cac0la.org (with a valid SPF & DKIM for that fake domain).
You will still need tools like spamassassin, amavis, rspamd etc. to filter mail using other techniques.
Techniques not mentioned before, like greylisting, are quite effective, and another automated method for handling mail.

That might reduce your spam; in my case from 80K+ attempts to deliver mail, to 1 or 2 spam / month effectively going through, for about 7 domains with a few thousand legitimate mails / week.

wrt. your SPF: yes, that might be OK if the MX (mail receivers) also send your mail. "a" is only valid if your domain example.com directly points to your mail server.
Also keep in mind that if you run a web server on another address that might send mails (notifications, password verification), that web server must also be mentioned.
Any mailer that does NOT verify SPF and optionally DKIM still supports spamming, so it is part of the solution. While more and more people are implementing it, its effectiveness will help.
So start setting it up and verify it is working using the before-mentioned tools.
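To show concretely what a receiving server does with the two records posted above (the primary's "mx -all" and the secondary's "include:"), here is an added example, my own code rather than anything from this thread or a library: a simplified RFC 7208 check_host() run over a constructed in-memory zone. All domain names and addresses in it are made up.

```python
import ipaddress
# Constructed in-memory "DNS" (not real records): the primary domain publishes
# "v=spf1 mx -all" and a secondary domain includes it, as in the thread.
ZONE = {
    "primarydomain.example": {
        "TXT": ["v=spf1 mx -all"],
        "MX": ["mail.primarydomain.example"],
        "A": ["192.0.2.10"],  # apex/web host, not the mail server
    },
    "mail.primarydomain.example": {"A": ["192.0.2.25"]},
    "secondary.example": {"TXT": ["v=spf1 include:primarydomain.example -all"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])

def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    found = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0].lower() == "v=spf1"]
    return found[0] if len(found) == 1 else None

def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): SPF result of `domain` for sender `ip`.
    Mechanisms used in this thread (all, ip4/ip6, a, mx, include) are handled;
    any other term is ignored, i.e. treated as not matching."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, matched = "+", False
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":  # an include matches only on a "pass" of the included record
            matched = check_host(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term present
```

Note that the apex address 192.0.2.10 fails under "mx -all" even though it belongs to the domain, which is the "a" point made above; and whatever result this produces, it is still the receiver that decides what to do with a "fail".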
Andy M (asker):

Then you can still receive spam from an outfit that has domain names looking like a regular name, e.g. c0cac0la.org (with a valid SPF & DKIM for that fake domain).
You will still need tools like spamassassin, amavis, rspamd etc. to filter mail using other techniques.

OK, my English is not so good but I will try to explain.
I don't want to reduce spam in my organization.
I want to stop someone from Africa sending mail from my spoofed domain name all around the world.
If I have an SPF record configured in public DNS and the recipient's mail server has SPF authentication, then this kind of spoofed mail should be blocked? Am I right?
But if SPF is not working, then I should enable DMARC?
Am I going in the right direction or am I missing something?
Please advise.
ASKER CERTIFIED SOLUTION
noci:

This solution is only available to members.
Andy M (asker):

Thank you noci !!!!
I will try to implement DKIM & DMARC.
If someone has any additional advice, tutorial or maybe experience configuring DKIM & DMARC please share,
or maybe any other advice on how to stop email spoofing.
Thank you
I want to stop someone from Africa sending mail from my spoofed domain name all around the world.

You cannot stop someone from sending spam or spoofed mail on your behalf. It will be the job of the receiving server to check for proper SPF/DKIM/DMARC/PTR. If your part is configured properly, 99% of receiving servers will mark those mails as spam or block them.
Configure SPF and DMARC pointing to your accepted domains along with an rDNS entry to avoid your domain being spoofed.

For DMARC the requirement is that either SPF OR DKIM should resolve / authenticate to your accepted sender domains.

Configure the DMARC policy in strict mode; you already have rDNS and SPF.

DKIM needs extra configuration on your email server, right from the private key / public key pair, selector and so forth; you can avoid that for now.

DMARC record generator:
https://mxtoolbox.com/DMARCRecordGenerator.aspx

You should skip the DKIM syntax "adkim=r" from the DMARC record.
Try the below in your SPF record:

v=spf1 ptr:( Mail server address - FQDN ) ip4:( Public IP address of your mail server ) ~all

Note - Enter the contents of the above record without the brackets.

And a simple DMARC record would solve it as below:

v=DMARC1; p=quarantine; rua=mailto:xxx@yyy.com

Note - Enter your mail address in the mailto: of the above DMARC record so you get to know which mails are quarantined.

Hope this helps !!!
1) SPF records only flag mail as being spoofed. It's up to Mailbox Providers how they treat this mail.

Note: Most won't even accept mail which violates SPF settings, even if the SPF mode is loose (~all).

For example, Gmail won't even accept email which appears forged, per SPF records.

So, if you're receiving a great deal of forged/spoofed email, then contact your Mailbox Provider to discuss tightening their SPF handling.

2) Always start with a DMARC record like this...

_dmarc.$domain.	600	IN	TXT	"v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; ri=86400; ruf=mailto:dmarc@$domain; rua=mailto:dmarc@$domain;"


With p=none + sp=none: setting the policy + subhost policy to none means send a DMARC report + take no action.

You must be very careful about DMARC settings.

For example, if you use SPF with -all + DMARC with p=quarantine + sp=quarantine, any slight problem with your sending mail tends to make 100% of all mail sent by your domain (via various mail services) land in SPAM folders, independent of how many times an end user flags the message as HAM (not SPAM).

Only tighten your DMARC settings after you get no DMARC reports for valid mail sends.

3) Fixing deliverability problems can be complex + time consuming.

If you get stumped, hire someone to assist you.
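To make the difference between the two DMARC records proposed in this thread (the p=quarantine one and the strict-alignment p=none one) concrete, here is an added example, my own code rather than any poster's or tool's: a receiver-side evaluator that applies identifier alignment and returns the DMARC verdict plus the disposition. The domain mydomain.example and the SPF/DKIM results fed to it are constructed.

```python
# Added example: how a receiver combines SPF/DKIM results with a DMARC record
# into a verdict and a disposition. Tag defaults follow RFC 7489.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
# The two records proposed in this thread, with a constructed domain substituted:
MONITOR = ("v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; "
           "ri=86400; ruf=mailto:dmarc@mydomain.example; rua=mailto:dmarc@mydomain.example;")
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@mydomain.example"

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict; raise on a malformed record."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags

def org_domain(domain):
    # Simplification for this example: organizational domain = last two labels.
    # A real receiver consults the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' an org-domain match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, record_domain, from_domain, spf, dkim=None):
    """Return (dmarc_result, disposition) for one message.
    record_domain: domain whose _dmarc TXT record was found
    from_domain:   the RFC5322.From domain the recipient sees
    spf:  (result, MAIL FROM domain); dkim: (result, d= domain) or None if unsigned
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A failing message from a subdomain of the record's domain gets sp, otherwise p.
    # (pct<100 would additionally make the receiver sample; not modelled here.)
    policy = tags["sp"] if from_domain.lower() != record_domain.lower() else tags["p"]
    return "fail", policy
```

The strict aspf=s record makes a MAIL FROM on a subdomain (a bounce or newsletter host, say) stop aligning, which is exactly the kind of "slight problem" that quarantines legitimate mail once p is tightened; with the relaxed default the same message still passes.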
@Andy:
So what solution did you go with?
Andy M (asker):

@Andy:
So what solution did you go with?

As I initially planned, I will implement DKIM & DMARC after consulting tutorials about DKIM & DMARC configuration.
So, I didn't implement any solution yet.