jahed.dev

Prevent Email Spoofing on Your Domains

I recently stumbled across a link to GOV.UK's guidance to prevent email spoofing. I'm generally careful with security holes but never really considered this one. I assumed most email servers would validate any email addresses by checking DNS records for the correct assignments and discard ones that fail. A "better safe than sorry" approach. But that might not always be the case. Why? Other than email being more complicated than it looks, I'm guessing it's similar to websites migrating to HTTPS: it's best practice now, but not everyone's moved over.

There are several DNS-based standards that tell receiving mail servers how to check whether a message really came from the domain it claims to come from, and what to do when that check fails. The main ones as of writing are: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Each standard plays a part to prevent spoofing at a different point in an email's lifetime: SPF lists which hosts are allowed to send mail for a domain, DKIM lets the sending server sign each message with a key published in DNS, and DMARC tells receivers how to treat mail that fails both checks and where to send reports about it. I won't go into what each one does as Fastmail has a pretty good write-up.

Anyways, if you own any domains, especially ones that don't send email, it's best to set up these standard DNS entries to avoid spoofing. For a domain that never sends mail the records are a small fixed set: an SPF record of `v=spf1 -all`, a DMARC record with `p=reject`, and a wildcard DKIM record with an empty key. For a domain that does send mail, don't jump straight to `p=reject`; start with `p=none` plus a reporting address, and use the reports to find the third-party services sending on your behalf before tightening the policy. GOV.UK's write-up is very simple and thorough so go take a look.
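Once the records are published it's worth checking them rather than trusting the DNS console. The script below is an added example written for this post (not code from GOV.UK, Fastmail or the author): it parses SPF, DMARC and DKIM TXT records and reports anything that would still let a spoofed message through for a domain that sends no email. The record values are constructed; `example.com` and `dmarc@example.com` are placeholders, and in practice you'd feed it the output of `dig +short TXT example.com`, `dig +short TXT _dmarc.example.com` and `dig +short TXT '*._domainkey.example.com'`.

```python
from __future__ import annotations

# Added example for this post: audit the DNS TXT records of a domain that
# never sends email and list anything that would still let spoofed mail through.
# Not GOV.UK's or Fastmail's code; record values below are constructed.


def parse_tag_value(record: str) -> dict[str, str]:
    """Parse a DKIM/DMARC style record: 'tag=value; tag=value'."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_problems(record: str | None) -> list[str]:
    """A non-sending domain's SPF record should be exactly 'v=spf1 -all'."""
    if record is None:
        return ["no SPF record: receivers see no policy at all"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [f"not an SPF record: {record!r}"]
    mechanisms = terms[1:]
    problems: list[str] = []
    # Only '-all' (hard fail) asks receivers to reject; '~all', '?all',
    # '+all' or a missing 'all' term all let spoofed mail through.
    if not mechanisms or mechanisms[-1].lower() != "-all":
        problems.append("SPF must end with '-all'; anything else is softfail/neutral")
    # Any mechanism other than the trailing 'all' authorises some sender.
    extra = [m for m in mechanisms if not m.lower().endswith("all")]
    if extra:
        problems.append(f"SPF authorises senders on a non-sending domain: {' '.join(extra)}")
    return problems


def dmarc_problems(record: str | None) -> list[str]:
    """A non-sending domain's DMARC record should carry p=reject plus reporting."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures carry no policy"]
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [f"not a DMARC record: {record!r}"]
    problems: list[str] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        problems.append(f"DMARC p={policy or 'missing'}; only p=reject asks receivers to discard")
    # sp= defaults to p=, so only an explicit weaker subdomain policy is a problem.
    if "sp" in tags and tags["sp"].lower() != "reject":
        problems.append(f"DMARC sp={tags['sp']}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        problems.append(f"DMARC pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address, so you never see who is spoofing the domain")
    return problems


def dkim_problems(record: str | None) -> list[str]:
    """A '*._domainkey' record with an empty key (p=) declares every selector revoked."""
    if record is None:
        return ["no '*._domainkey' record; 'v=DKIM1; p=' makes the revocation explicit"]
    tags = parse_tag_value(record)
    # v= is optional in DKIM records and defaults to DKIM1.
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return [f"not a DKIM record: {record!r}"]
    if tags.get("p", ""):
        return ["wildcard DKIM record publishes a real key, so a forged signature could verify"]
    return []


def audit_non_sending_domain(spf: str | None, dmarc: str | None, dkim: str | None) -> list[str]:
    """Return every finding for the three records; an empty list means locked down."""
    return spf_problems(spf) + dmarc_problems(dmarc) + dkim_problems(dkim)


# Constructed sample records for a placeholder domain.
LOCKED_DOWN = {
    "spf": "v=spf1 -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dkim": "v=DKIM1; p=",
}
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": None,
}

if __name__ == "__main__":
    for name, records in (("locked down", LOCKED_DOWN), ("weak", WEAK)):
        findings = audit_non_sending_domain(**records)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The checks are deliberately strict for the non-sending case: a domain that does send mail will legitimately have `include:` or `ip4:` mechanisms in SPF and a real DKIM key, so run those through the DMARC check only.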

Thanks for reading.