Have you ever received an email from your own email address …and been shocked at the content?
“I didn’t send that? …did I?”
“Surely not! I wonder how many of my friends and colleagues received this SPAM and will think that I sent this?”
This is called “spoofing”: an unauthorised person sends email from an email address belonging to someone else. Yes, it’s possible – even fairly easy to do. And it’s a major problem for anyone in business.
How to prevent email spoofing
It has to be said right at the start that there isn’t a quick and easy “plug n play” method to prevent, or recover from, email spoofing.
It’s a problem that can only be solved at domain level, so you’ll need to be comfortable with accessing and editing DNS records. You’ll also need access to a service able to monitor DMARC forensic reports. I use and recommend a service called DMARC Analyzer.
I realise that you are probably “switching off” about now, but I encourage you to read on, because it is important to prevent this activity that could destroy your domain’s reputation.
If you’d like to avoid the tech stuff and simply ask me to audit your domain, contact me here.
3 DNS records required
To prevent, or recover from, email spoofing a domain must have three specific TXT-type DNS records:
- SPF – Sender Policy Framework
- DKIM – DomainKeys Identified Mail, and
- DMARC – Domain-based Message Authentication, Reporting, and Conformance
In simple terms, the SPF record lists the IP addresses that are authorised to send email from your domain. The DKIM record publishes a public key that receiving servers use to verify the signature embedded in legitimate email from your domain. The DMARC record works together with a monitoring service: it tells ISPs how to treat email supposedly from your domain that has not lined up with the SPF and DKIM requirements, and the reports they send back let you monitor and adjust that treatment.
Should I be bothered?
Setting up these records means that every authorised source of email from your domain MUST be accounted for. This will include your email provider (Gmail, Microsoft 365, etc), your website or possibly the SMTP gateway (Mailgun, SendGrid, etc), a newsletter delivery service (Mailchimp, CreateSend, etc), and probably your phone’s ISP to cover email sent from your smartphone.
It adds up, doesn’t it?
Then there’s the step of monitoring the reports from the ISPs to see how they are responding to mail they are receiving from your domain. This is where you confirm that you’ve listed all of the sources. You can then begin the process of tightening the requested response to unauthorised email being received at the major ISPs.
It usually takes 3-6 months of monitoring to progressively increase the response from “pass” to “quarantine” to “reject”. Only then will you know that the vast majority of spoofed email will be rejected when received by the major internet service providers.
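An audit of the SPF and DMARC records described above can be scripted. The following is an added example, not code from this post or from DMARC Analyzer: the function names, the sample records and the domain example.com are constructed for illustration. In the DMARC record itself the policy tag takes the values none, quarantine and reject, where p=none is the monitoring-only first stage in which mail is still delivered.

```python
import re
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"need exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    final = terms[-1].lower() if terms else ""
    if final in ("all", "+all"):
        findings.append("'+all' authorises every sender on the internet")
    elif final not in ("-all", "~all") and not final.startswith("redirect="):
        findings.append("record does not end in -all or ~all")
    return findings

def audit_dmarc(record):
    """Return (stage, findings) for the TXT record at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "invalid", ["missing v=DMARC1 version tag"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unknown or missing p= value: {policy!r}"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to monitor")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy != "none" and pct < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    stage = "monitoring only" if policy == "none" else policy
    return stage, findings

# Constructed sample records for the placeholder domain example.com.
SAMPLE_TXT = ["v=spf1 include:_spf.google.com include:mailgun.org ~all",
              "google-site-verification=constructed-placeholder"]
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT), audit_dmarc(SAMPLE_DMARC))
```

To audit a live domain, feed the functions the TXT strings returned for the domain and for `_dmarc.` plus the domain by any DNS lookup tool.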
Before deciding if it’s all worth the effort, there’s one more thing to consider.
We rely so much on email that we assume when we hit SEND, our message will be delivered where it was intended.
It is precisely because of spoofing and spamming that mailboxes are now being guarded more than ever before. To give our email (including newsletters and other forms of bulk emailing) the best chance of being delivered we need to have the same three DNS records in place. This will at least demonstrate to the ISPs that the mail has legitimately come from our domain.
It’s not a guarantee of deliverability, because there are so many other factors in play – including the setup of the target mailbox whitelist and blacklist. But it’s a very good start.
It really is worth the effort!!
Please help me
If you’d like some help in improving your email deliverability and reducing the risk of spoofing, simply contact me using this form.
I’ll get back to you as soon as possible and we’ll get started.