
Library Anti-spoofing for custom domains

Please note that this article is being drafted or rewritten and may contain imperfections. It has not yet been reviewed for final publication.

Email spoofing is a network attack in which someone forges the original sender of a message so that it appears to come from you. That is why your domain must be equipped with anti-spoofing systems. This article explains how to set up SPF, DKIM and DMARC for your custom domains.

What is spoofing

Spoofing is a specific type of network attack in which someone deceives other computers or networks by pretending to be a legitimate party in order to use a computer, device or network. It is one of many tools attackers use to access computers and mine sensitive data, turn them into zombies (computers used maliciously) or launch denial of service (DoS) attacks. Among the several types of spoofing, IP spoofing is the most common. In the case of email, any unknown server connected to the Internet can send emails to your friends pretending to be you. This is why we must be equipped with anti-spoofing systems to protect data. Below we explain how to set up SPF, DKIM and DMARC.

How to set up Sender Policy Framework (SPF)

Sender Policy Framework (SPF) records tell everyone which hosts or IPs may send email for your domain. When a mail server receives an email claiming to be from your domain, it can look up your SPF record and check whether the sending server is listed in it.

Although it is not required, we strongly recommend setting up an SPF record that includes Liverado. It makes your emails look more legitimate and therefore less likely to be sent to spam folders. It also helps protect your domain from attackers who send emails with forged headers pretending to be you.

"v=spf1 include:_spf.liverado.com mx ~all"

"include:_spf.liverado.com" means that you allow Liverado's servers to send on behalf of your domain. If you already have an SPF record and want to keep it, add "include:_spf.liverado.com" after "v=spf1". "mx" additionally authorizes the hosts listed in your domain's MX records. "~all" means that any other server not listed should be treated as a soft fail: the email can still be accepted, but it is marked as failing SPF. This is better than "-all", which tells receivers to reject emails that fail SPF and can cause delivery problems for some legitimate emails. For example, SPF often fails during email forwarding: you send a message to address A, A automatically forwards it to address B, and B's server sees the message arriving from A's server, which is not in your SPF record.

As long as we detect that your domain's SPF record includes Liverado, the SPF button in "Settings" -> "Domain" will turn green.
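As an added illustration (not Liverado's code), the following Python sketch evaluates a sending IP against the record above. The DNS lookups that "include:" and "mx" would normally trigger are replaced by a constructed, offline table; the IP addresses and the expansion of _spf.liverado.com are assumptions. The third sample IP plays the role of a forwarding server and ends in a soft fail, as described above.

```python
import ipaddress

# Constructed stand-in for DNS (assumption; not real Liverado data). In practice
# "include:" fetches the other domain's SPF TXT record and "mx" resolves the
# domain's MX hosts to their addresses.
FAKE_DNS = {
    "spf:_spf.liverado.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "mx:example.com": ["203.0.113.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, record, sender_ip):
    """Return the SPF result for sender_ip under record (ip4/mx/include/all subset of RFC 7208)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in terms[1:]:
        qualifier, mech = "+", term          # no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = sender_ip in FAKE_DNS.get("mx:" + (arg or domain), [])
        elif name == "include":
            # include: matches only when the referenced record itself yields "pass"
            matched = evaluate_spf(arg, FAKE_DNS["spf:" + arg], sender_ip) == "pass"
        elif name == "all":
            matched = True
        else:
            raise ValueError("unsupported mechanism: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: default result per RFC 7208


RECORD = "v=spf1 include:_spf.liverado.com mx ~all"

if __name__ == "__main__":
    # Liverado range, own MX host, and an unrelated forwarding server (constructed).
    for ip in ("198.51.100.7", "203.0.113.25", "192.0.2.10"):
        print(ip, evaluate_spf("example.com", RECORD, ip))
```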

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication method. It uses a cryptographic key pair to verify that an email was sent by a trusted server and was not tampered with in transit.

When a trusted server sends an email from your domain, it uses a private key (known only to trusted servers) to sign a cryptographic hash of the email content and adds the result to the email header as a DKIM signature.

The receiving server verifies the email by looking up the corresponding public key in your domain's DNS records. It uses the public key to recover the signed hash, computes a new hash of the email content it actually received, and compares the two. If they match, the email was not tampered with and DKIM passes. Otherwise DKIM fails and the email is treated as suspicious.
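To make the "new hash matches" step concrete, here is an added Python example (not Liverado's code) that computes the DKIM body hash carried in the bh= tag, using simple canonicalization, and checks a received body against it. The domain, selector and message body are constructed; verifying the b= signature would additionally require the public key that the receiver fetches from DNS, which this example does not perform.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization (RFC 6376 3.4.3): normalize line endings,
    drop every empty line at the end of the body and finish with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return re.sub(r"(\r\n)+\Z", "", body) + "\r\n"


def body_hash(body):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def make_dkim_header(domain, selector, body):
    """Build a DKIM-Signature value for body (d= and s= are constructed assumptions).
    The b= signature is left as a placeholder: producing it needs the private key."""
    return ("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:to:subject; "
            "bh=%s; b=PLACEHOLDER" % (domain, selector, body_hash(body)))


def body_hash_matches(dkim_header, body):
    """Recompute bh= from the body that arrived and compare it with the signed value."""
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"   # "c=relaxed" alone means body=simple
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalization is shown here")
    return tags.get("bh") == body_hash(body)


ORIGINAL_BODY = "Hello,\n\nYour invoice is attached.\n\n\n"   # constructed sample message body
HEADER = make_dkim_header("example.com", "sel1", ORIGINAL_BODY)
```

Trailing blank lines and LF/CRLF differences are removed by canonicalization, so they do not break the check, while any change to the visible text does.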

Liverado uses CNAME records to manage the automatic rotation of DKIM keys, which is a recognized security best practice. You need to add and keep three CNAME records: one of them always points to the active key, while the other two allow our system to rotate to a new key when necessary.

This may sound complicated, but implementing DKIM for your domain in Liverado is simple. Because DNS changes take time to propagate, verifying your custom domain can take several hours. Once the custom domain is verified, Liverado generates the hostnames and values you need in DNS to create the CNAME records required for automatic DKIM key rotation, and we notify you when the custom domain, hostnames and values are ready.

Follow these steps to set up DKIM

  1. Log in to your account.
  2. Go to Settings.
  3. Click Custom Domains in the left toolbar.
  4. Once the Custom Domain window opens, click on the DKIM tab.

Here you will see three hostnames and values that need to be added to your DNS settings. After you add these records, Liverado handles the rest for you. Following current security best practice, we generate a new 2048-bit key every six months and use it to sign your email.

The CNAME records you add to DNS must exactly match the records displayed in the setup wizard. As soon as we detect these records in DNS, we will notify you and start using DKIM to sign outgoing emails from your custom domain, and the DKIM button in Settings -> Custom Domain will turn green.

Note: Some registrars do not accept CNAME values that end with a period, while others require it. If your registrar does not accept the CNAME record, simply delete the trailing period.

DMARC

When studying SPF and DKIM, you may wonder what a receiving server should do with an email that fails the checks. This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) comes in: domain owners can specify how failed emails should be handled and get feedback. If both the SPF and DKIM checks fail, the receiving server takes one of three actions: none, quarantine or reject.

Basic DMARC TXT record:

"p=" specifies the action to be taken for emails that fail DMARC. Here, "p=none" basically means do nothing: accept the emails as usual. "p=quarantine" tells the receiving server to send failed emails to the spam folder. Liverado recommends that you set this value.

Once you are sure that your legitimate email passes DMARC, you may want to move to the more aggressive "p=reject". This tells the receiving server not to accept failed emails at all. If you think you are likely to be a target of fraud, we recommend using "p=reject". For example, PayPal and Yahoo use "p=reject" to prevent spammers from impersonating them.

"rua=" is an optional parameter. It specifies the email address to which other email services send aggregate (summary) reports, so that you can see how many emails failed DMARC.

Note: These policies carry risks. For example, when you send an email to a mailing list that then forwards it to its individual subscribers, SPF will fail. Worse, some mailing lists also modify the content of emails, which breaks DKIM and causes DMARC to fail. So if you choose quarantine or reject, such emails may have delivery problems.
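As an added example (not Liverado's code), this Python snippet parses a DMARC record and applies the policy the way a receiver would for the cases above. It goes slightly beyond the text: DMARC counts SPF or DKIM as passing only when the authenticated domain is aligned with the From: header domain, which is why a forwarded message can still pass on DKIM alone while a mailing list that rewrites the body does not. The records, domains, results and the report address are constructed, and the organizational-domain rule is simplified to the last two labels.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; rua=mailto:...'."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs, e.g. ("pass", "example.com").
    Returns "pass", or the p= action the receiver should apply to the message."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]          # none / quarantine / reject


# Constructed records (placeholder report address, not a real mailbox).
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
REJECT_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    # Forwarded mail: SPF breaks at the forwarder, but the DKIM signature survives.
    print(dmarc_disposition(QUARANTINE, "example.com", ("softfail", "example.com"), ("pass", "example.com")))
    # Mailing list that rewrote the body: both checks fail, policy applies.
    print(dmarc_disposition(QUARANTINE, "example.com", ("fail", "example.com"), ("fail", "example.com")))
```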
