You might know that anyone can set any address in the "from" field when sending an email. I thought there was nothing I could do about it, but upon looking deeper into it I realized that some of my email settings were wrong, which might allow attackers to send spoofed emails on my behalf.
I did have DMARC setup, but my SPF and DKIM records were invalid.
After looking into it, I realized that there's a lot more to learn about it than I thought, so here's a summary of what I learned.
There are some email security policies that can be set at the DNS level. You can specifically allow only some IP addresses (usually your email server) or domains to send emails on your domain's behalf.
I do think those policies are mostly just a suggestion that tells other email servers and email clients to mark an email as spam or not send it if the authentication checks are failing. That being said, most popular email clients should do a pretty good job of blocking emails that don't respect those policies.
The DMARC, SPF and DKIM policies.
Useful for receiving reports about who is sending emails using your domain name. This also enables you to specify what to do with the emails that are not originating from allowed sources (do nothing, flag them, or reject them).
Here is what DNS record I had added:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org;
With SPF you can say who is allowed to send emails using your domain name. This is the value I used:
v=spf1 +mx +ip4:123.456.78.19 +include:websitewelcome.com +include:servers.mcsv.net -all
All those rules are tested left to right, and "+" means allow, "-" means reject and there is also "~" which is like a soft reject (maybe mark as spam or something like that).
Using DKIM all emails sent will be digitally signed using a private key and the DNS record provides a public key to test if the emails are correctly signed. If there is a missmatch, the DKIM policy will fail, and the email won't be sent or marked as spam.
My DKIM record looks something like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...very long key...AB\;
I got my DKIM TXT record value from Hostgator -> cPanel -> Email Authentication (my email server provider), but I had some issues making it valid as their TXT record had a limited number of characters and showed my public key (p=...) as two distinct strings that I had to manually remove the quotes around and merge (concatenate) them together.
To test if the policies are correct, the tools I found more useful are:
I hope that by fixing my email authentication on my domains it will be a lot less likely for phishing emails to be sent using my domain names.
I hope you found this post useful. I tried to make this as concise as possible and provide examples, as I spent several hours trying to understand all those policies and how to set them up, having a hard time finding a TL:DR; on how to quickly set up email authentication.