Protecting your Identity and your Domain with Email Security
Don't send email from your domain? Stop anyone from impersonating you with these rules that reject all email sent from your domain:
SPF: TXT @ "v=spf1 -all"
DMARC: TXT _dmarc.example.com "v=DMARC1; p=reject"
Why are we doing this?
It is incredibly easy to impersonate someone online. One of the easiest methods is called spoofing, where an attacker sends an email that looks like it comes from you and your domain, but doesn't require any hacking or authentication.
In short, email is not a secure protocol; it doesn't require any kind of authentication or authorization before you can send or receive an email. This means that without anything else, I could send an email as bezos@amazon.com and the email protocol has nothing to verify that I'm not Jeff Bezos.
However, there are new tools and protocols that have been introduced and tacked onto email to make it more secure. Specifically, tools like SPF, DKIM, and DMARC identify authorized email servers, authenticate emails, and set a policy for what to do when recipients get unauthorized email.
- SPF identifies which servers are allowed to send email.
- DKIM signs messages sent from preconfigured servers.
- DMARC tells receiving servers what to do with inauthentic mail.
If you send and receive emails from your own email server, have a newsletter, or just want to learn more, I recommend checking out my guide at MaxwellCTI on Securing Email. This gets into the nitty-gritty and has a whole roll-out plan for small organizations implementing email security.
But I don't send email from my domain.
For most people with a Digital Garden, you may not have email configured and just want to stop anyone else from sending email pretending to be you.
To do this, you only need two records added to your DNS host; SPF and DMARC. We do not need DKIM, because can only be configured if you have a corresponding email server.
Go to your name server (this is either where you registered your domain, like Namecheap or Porkbun, or where your site is hosted, like Vercel or Cloudflare), find where the DNS records are managed, and create two new records.
- SPF Record
- Name:
@- This means it affects the root domain, like
wisdump.work
- This means it affects the root domain, like
- Type:
TXT- This is a Text record
- Value:
v=spf1 -all- This says it's SPF version 1 (there is only one version), and to Fail
allmessages - SPF is processed sequentially; if you want to add authorized email servers in the future, those servers would go in front, like
v=spf1 +include:mail.wisdump.work -all
- This says it's SPF version 1 (there is only one version), and to Fail
- Name:
- DMARC Record
- Name:
_dmarc- This signifies that it is a DMARC record
- Type:
TXT- This is a Text record
- Value:
v=DMARC1; p=reject- This says it's DMARC version 1 (there is only one version) and sets the policy to
rejectany emails which fail authorization - Since SPF fails all emails, this policy will instruct receiving servers to Reject any emails it receives from your domain.
- This says it's DMARC version 1 (there is only one version) and sets the policy to
- Name:
Once done, you can use the MxToolbox Supertool or dmarcian to verify that you've configured it correctly.
This effectively stops attackers in their tracks; they can't send emails impersonating you, and now have to take a few more steps to target you and people you know. Well done!