Defend Your Domain: Master DNS Security with DMARC, SPF, and DKIM
Looking to bolster your DNS security with DMARC, SPF, and DKIM? This guide will show you how to set up DMARC, SPF, and DKIM to protect your business email system from spoofing and phishing attacks.
The Challenge: Ensuring DNS Security and Combating Email Vulnerabilities
DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) are email authentication standards that you publish as records in your Domain Name System (DNS). Configuring them correctly is crucial for safeguarding your business against email spoofing and the phishing that rides on it.
Why DNS Security Matters
Your business is susceptible to email spoofing and phishing attacks without proper DNS security. This could lead to unauthorized access to sensitive information, financial loss, and a tarnished domain reputation. Adequately configured DNS records not only secure email but also improve deliverability.
Emails from properly authenticated domains are less likely to be marked as spam, thus improving overall deliverability rates.
Implementing DMARC, SPF, and DKIM for Optimal DNS Security
DMARC, SPF, and DKIM together offer a robust defense for your email system: SPF and DKIM authenticate the messages sent from your domain, and DMARC ties those results to the visible From: domain and publishes a policy telling receivers how to handle messages that fail authentication.
Sample DMARC, SPF, and DKIM Records: Key Elements of DNS Security
┌──(carey㉿carey-kali)-[~]
└─$ ./dist/dnstool
Interactive Mode. Type a domain and press Enter to run checks immediately.
Type 'exit' or press Enter on a blank line to quit.
Domain: cisa.gov
==========================================
🔍 DNS / RDAP checks for: cisa.gov
==========================================
🔍 Registrar & RDAP Info:
⚠️ No RDAP data. Checking WHOIS...
✅ Registrar (WHOIS fallback): get.gov
🔍 NS Records:
✅ Found NS:
blue.foundationdns.com.
blue.foundationdns.net.
blue.foundationdns.org.
🔍 MX Records:
✅ Found MX:
10 mxa-00376703.gslb.gpphosted.com.
10 mxb-00376703.gslb.gpphosted.com.
🔍 DMARC:
✅ DMARC p=reject => Great anti-spoof!
"v=DMARC1; p=reject; pct=100; rua=mailto:DMARC@hq.dhs.gov, mailto:reports@dmarc.cyber.dhs.gov"
🔍 SPF (Sender Policy Framework):
✅ SPF found => "Good, there is only one!"
"v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all"
🔍 DKIM (common selectors):
✅ DKIM at selector1._domainkey
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv32BRAJaAOsxAp31ZqQwd7RYfbYowvb3F7lq8WQEyasI6w7Gm0bxPW57TFM04fM5flf1PYyCDSa3ckQzSQLYmMx9HiXYJYF1Dpk9PnjTarbdR9mm9fc7iBXT2pTFNJw+SRMH3NRrbkefv8GqqLdJotgCl2vWoyRlfKCANCFq5Bbq4qaztXqU/cHRurG8ZVSF7" "ZrhY4EBKvpzAyIisrf2g2Gky+vO4LTMrgZeNnA/OyHmWmvlUC58e06jBLSysYyh19O4MiU5eUhuT7MYTLWz6fIOl4PaT9HkmM0rH/fgcGSYc8ajCsrvxYA8LgoWR9IzYq5vYzDWLxSo/J0c+6pVWQIDAQAB;"
Notice that their policy is set to reject (p=reject) 100% (pct=100) of messages that fail DMARC authentication, and that aggregate reports (rua=) go to two mailboxes so failures are seen.
While CTO at Mac Help Nashville, Inc., Carey proudly participated in CISA's Cyber Hygiene program for critical cyber infrastructure.
We have learned so much from our assigned feds, and I loved experiencing the red team,
where hackers at CISA hack your company and show you what they could steal and how to prevent it.
One cool macOS security tool we installed, which gave the fed who was red-teaming us the most trouble, was LuLu by Objective-See.
It kept ratting out and stopping the CISA rats! haha
Common SPF Misconceptions
Contrary to some misunderstandings, "-all" at the end of an SPF record (the "all" mechanism with the fail qualifier) does not prevent internal users from sending or receiving email. It tells receivers that only the sources explicitly listed earlier in the record may send mail for the domain; anything else gets an SPF fail. Third-party senders such as Mailchimp or Zendesk therefore cannot pass SPF for mail that appears to come from your domain unless they are authorized, normally with an "include:" entry pointing at the vendor's published SPF record. So you allow them with an "include:" entry.
Alternate Viewpoints
Mailhardener recommends using SPF softfail (~all) over fail (-all) for better compatibility and fewer delivery issues. For DMARC the distinction does not matter: DMARC only asks whether SPF returned pass for an aligned domain, so ~all and -all both count as "not pass".
Standards Backing
RFC 7489, Section 10.1 notes that receivers which evaluate SPF before DMARC may reject a message on a "-all" result early, before any DMARC processing takes place, which also denies a valid, aligned DKIM signature the chance to rescue the message. Operators should be aware of this when choosing between -all and ~all.
Practical Tools for DNS Security
We recommend Red Sift's Investigate and securitytrails.com to track DNS changes (I also coded my own script, dns-tool, shown above), and Red Sift's OnDMARC for dynamic SPF records when you have a more advanced setup or need more than 10 DNS lookups.
Step-by-Step Guide to Setting Up DMARC, SPF, and DKIM
If you're new to DNS security, here's a simple checklist to help you set up DMARC, SPF, and DKIM:
If you'd like to see the state of your DNS before we get started, visit Red Sift's Investigate
SPF
Verify domain ownership and find where your DNS is managed
a. The registrar is where the yearly bill is paid (and may also be the place to edit DNS records).
b. The NS records tell you where the DNS records are actually edited; those servers belong to your DNS host.
(This could be GoDaddy, Wix, or another; the two NS servers will give you a hint if you Google them.)
We use Cloudflare as our registrar and DNS host. They are top-of-the-food-chain good at that job!
Create an SPF record listing authorized email servers:
The two most typical are:
a. v=spf1 include:_spf.google.com ~all (click for Google guidance.)
b. v=spf1 include:spf.protection.outlook.com -all (click for Microsoft guidance.)
c. After you construct your policy, copy it into your DNS as a single TXT record at the domain name; a domain with two SPF records fails with permerror.
d. Note that the two records above do not have entries for other services that may need to send email as your domain (email marketing, helpdesk, CRM). Add an "include:" for each one.
e. SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect) per evaluation, counted recursively through every include. A record that exceeds the limit returns permerror, which DMARC treats as an SPF failure, so mail from perfectly legitimate senders can fail authentication.
If you encounter this problem, you may need a dynamic SPF service such as Red Sift's OnDMARC. We have a portal with them and can help you set it up.
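The following Python is an added example, not code from the original article or from the dns-tool script shown above. It evaluates an SPF record for a sending IP the way a receiver's check_host() does for the ip4, ip6, include and all terms, charging every include against the limit of 10 DNS-querying terms, and it covers both the "-all vs ~all" point from the misconceptions section and the lookup-limit point in step e. The zone data is constructed for the example: the domains are documentation names and the addresses come from the RFC 5737/3849 documentation ranges, so nothing here is looked up live.

```python
import ipaddress
import re

# Constructed zone data for this example (no live DNS): domain -> its SPF TXT record.
# Addresses are documentation ranges, not real mail servers.
SPF_ZONE = {
    "example.com":       "v=spf1 include:_spf.mailhost.example -all",   # fail for anything else
    "soft.example.com":  "v=spf1 include:_spf.mailhost.example ~all",   # softfail instead
    "fixed.example.com": ("v=spf1 include:_spf.mailhost.example "
                          "include:_spf.newsletter.example -all"),      # newsletter vendor added
    "_spf.mailhost.example":   "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
    "_spf.newsletter.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # eleven includes: one more than RFC 7208 allows
    "bloated.example.com": "v=spf1 "
        + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all",
}
for _i in range(11):
    SPF_ZONE[f"vendor{_i}.example"] = "v=spf1 ip4:192.0.2.0/24 -all"

MAX_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def count_lookups(domain: str) -> int:
    """Total DNS-querying terms for `domain`, following include/redirect recursively."""
    total = 0
    for term in SPF_ZONE.get(domain, "").split()[1:]:
        m = re.fullmatch(r"[+\-~?]?(\w+)(?:[:=](.+))?", term)
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect"):
                total += count_lookups(m.group(2))
    return total


def check_host(ip: str, domain: str, _lookups=None) -> str:
    """Evaluate SPF for `ip` sending as `domain` (ip4, ip6, include and all terms only).

    Returns one of pass / fail / softfail / neutral / none / permerror.
    `_lookups` is a shared counter so nested includes count toward the limit.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = SPF_ZONE.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                 # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|include|all)(?::(.+))?", term)
        if not m:
            return "permerror"        # unsupported or malformed term
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech == "all":
            return QUALIFIERS[qual]   # "-all" -> fail, "~all" -> softfail
        if mech in ("ip4", "ip6"):
            try:                      # an IPv6 address never matches an ip4 network
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:                         # include: recurse and charge one DNS lookup
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"    # DMARC treats this as an SPF failure
            inner = check_host(ip, arg, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # nothing matched and no "all" term


if __name__ == "__main__":
    print(check_host("203.0.113.5", "example.com"))           # our mail host: pass
    print(check_host("198.51.100.7", "example.com"))          # vendor, not included, -all: fail
    print(check_host("198.51.100.7", "soft.example.com"))     # same with ~all: softfail
    print(check_host("198.51.100.7", "fixed.example.com"))    # vendor include added: pass
    print(count_lookups("bloated.example.com"),
          check_host("198.51.100.7", "bloated.example.com"))  # 11 lookups: permerror
```

Run it and compare the last two lines: the bloated record is syntactically fine and lists every vendor, yet any sender that is not matched by the first ten includes gets permerror, which is why vendor sprawl turns into deliverability tickets.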
DMARC
Set up a DMARC policy.
a. Start HERE
b. After you construct your policy, copy it into your DNS.
c. Remember, if your DMARC says p=none, your work's not done! ;-) get to p=reject
p=none enforces nothing: receivers deliver spoofed mail as usual and only send you aggregate reports, leaving your domain open to spoofing. Use those reports to find legitimate senders that fail, add them to SPF and DKIM, then move to p=quarantine and finally p=reject.
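An added example (not the article's code) of what a DMARC-evaluating receiver does with the SPF and DKIM results: parse the record, check identifier alignment between the From: domain and the domains that SPF and DKIM authenticated, then apply p=, sp= and pct=. The cisa.gov record is the one shown in the tool output above; the other records, the From: domains and the authentication results are constructed for the example, and org_domain() is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("pct", "100")      # apply the policy to every failing message
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this example.
    Real implementations use the Public Suffix List (so co.uk etc. work)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=100):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against and
    dkim_domain the d= of a validly verified DKIM signature. `sample` (1-100)
    stands in for the receiver's random draw against pct=.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned pass is enough
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample > int(tags["pct"]):
        # outside the sampled percentage: step the policy down one level (RFC 7489 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# The cisa.gov record from the tool output above; the other two are constructed.
CISA = ("v=DMARC1; p=reject; pct=100; rua=mailto:DMARC@hq.dhs.gov, "
        "mailto:reports@dmarc.cyber.dhs.gov")
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HALF_ROLLOUT = "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    spoof = ("fail", "attacker.example", "fail", "attacker.example")
    print(dmarc_disposition(CISA, "cisa.gov", *spoof))            # ('fail', 'reject')
    print(dmarc_disposition(MONITOR_ONLY, "example.com", *spoof)) # ('fail', 'none')
    # newsletter vendor: SPF passes only on the vendor's own bounce domain, so the
    # message passes DMARC only if the vendor also signs DKIM with d=example.com
    print(dmarc_disposition(MONITOR_ONLY, "example.com", "pass", "bounce.vendor.example",
                            "pass", "example.com"))               # ('pass', 'none')
```

The vendor case is the practical reason the SPF "include:" alone is not the whole story: SPF can pass on the vendor's envelope domain and still contribute nothing to DMARC, because it is not aligned with your From: domain.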
DKIM
Log in to Microsoft 365 (Exchange Online) or Google Workspace (your email service provider) to generate your DKIM keys. The public keys are what you publish in your DNS records; the private keys stay with the provider that signs your outgoing mail.
DKIM selectors are the first label of the record name (selector._domainkey.yourdomain) and let you publish several keys under the same domain. This is useful for organizations that send email through various systems or services (email marketing), each signing with its own selector, and for rotating keys without downtime.
a. After you find your DKIM keys, copy them into your DNS. Use RSA keys of at least 2048 bits: RFC 8301 requires signers to use at least 1024 bits and recommends 2048, and 1024-bit RSA no longer leaves an adequate margin against factoring. A 2048-bit public key is longer than the 255-character limit of a single TXT string, so it is published as several quoted strings that receivers concatenate, as in the cisa.gov selector1 record shown earlier.
b. Make sure you hit Activate or Start Authentication in Google, or the equivalent Publish/Enable step in Microsoft 365 (Exchange Online); until you do, the provider is not signing with the key you published.
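An added example (not the article's code) that checks a published DKIM record the way you would before hitting Activate: join the TXT record's strings back together, parse the tags, and read the RSA modulus size out of the p= value by walking its DER SubjectPublicKeyInfo structure, with no third-party library. The input is the cisa.gov selector1 record exactly as printed by the tool output above; the function names and the 2048-bit threshold are this example's choices.

```python
import base64

# selector1._domainkey.cisa.gov as printed by the tool output above: two quoted
# strings, because a 2048-bit key does not fit in one 255-byte TXT string.
CISA_SELECTOR1 = [
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv32BRAJaAOsxAp31ZqQwd7RYfbYowvb3F7lq8WQEyasI6w7Gm0bxPW57TFM04fM5flf1PYyCDSa3ckQzSQLYmMx9HiXYJYF1Dpk9PnjTarbdR9mm9fc7iBXT2pTFNJw+SRMH3NRrbkefv8GqqLdJotgCl2vWoyRlfKCANCFq5Bbq4qaztXqU/cHRurG8ZVSF7",
    "ZrhY4EBKvpzAyIisrf2g2Gky+vO4LTMrgZeNnA/OyHmWmvlUC58e06jBLSysYyh19O4MiU5eUhuT7MYTLWz6fIOl4PaT9HkmM0rH/fgcGSYc8ajCsrvxYA8LgoWR9IzYq5vYzDWLxSo/J0c+6pVWQIDAQAB;",
]

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def join_txt_strings(strings):
    """TXT RDATA is its <=255-byte strings concatenated with nothing in between."""
    return "".join(strings)


def split_txt_record(record, limit=255):
    """Inverse operation for publishing: cut a long record into <=255-char strings."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_dkim(record):
    """tag=value pairs; whitespace inside the p= base64 is ignored (RFC 6376 allows folding)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def der_read(buf, pos=0):
    """Read one DER TLV at `pos`; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    spki = base64.b64decode(p_b64)
    tag, spki_body, _ = der_read(spki)             # SEQUENCE { algorithm, subjectPublicKey }
    if tag != 0x30:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, alg, after_alg = der_read(spki_body)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read(alg)                      # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstring, _ = der_read(spki_body, after_alg)   # BIT STRING; first byte = unused bits
    _, rsa_pub, _ = der_read(bitstring[1:])        # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = der_read(rsa_pub)              # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(strings, min_bits=2048):
    """What a pre-publication check should report for an RSA DKIM record."""
    tags = parse_dkim(join_txt_strings(strings))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    bits = rsa_modulus_bits(tags["p"])
    return {"bits": bits, "strong_enough": bits >= min_bits,
            "strings": len(strings), "longest_string": max(len(s) for s in strings)}


if __name__ == "__main__":
    print(check_dkim_record(CISA_SELECTOR1))      # bits 2048, two strings of <=255 chars
```

If your DNS host only offers one text box for the value, paste the whole concatenated record and let the host split it; if it shows the strings separately, keep each one at or below 255 characters and make sure no extra characters are introduced at the split points, because a single wrong base64 character silently invalidates every signature.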
Test the setup using Red Sift's Investigate or web-browser-based Cyber Alliance.
Monitor and adjust as needed
DNSSEC for extra security
Additional DNS security measures, such as DNSSEC (DNS Security Extensions), protect against DNS spoofing by ensuring the DNS responses are authenticated.
DNSSEC is a suite of extensions that provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity.
Common Pitfalls to Avoid
When setting up DMARC and SPF, watch out for these common mistakes:
Incorrectly formatted DNS records: stray leading or trailing spaces, curly quotes pasted from a document, a missing v=spf1 or v=DMARC1 tag, or more than one SPF record on the same name (which makes SPF return permerror).
Not updating DNS records after changing email providers
Setting overly strict policies initially
FAQs: Your DNS Security Questions Answered
Can I set up DMARC and SPF myself?
Yes, but it's advisable to consult a DNS security expert.
What happens if I don't set up DMARC or SPF?
Your email system will be more susceptible to phishing and spoofing attacks.
Additional Security Measures
Beyond email authentication, a Brand Indicators for Message Identification (BIMI) record lets mailbox providers such as Gmail show your verified logo next to your messages. BIMI requires DMARC at enforcement (p=quarantine or p=reject) on the domain, so finish the steps above first. Learn how to set it up at bimigroup.org.
Statistical Urgency
The FBI's 2023 Internet Crime Report reveals a surge in cybercrime, with a record 880,418 complaints and over $12.5 billion in losses, highlighting California as the most affected state. Read the full report here.
FBI's 2024 Internet Crime Report
Conclusion
Securing your domain and email system is not just a technical requirement but a business imperative. Implementing DMARC, SPF, and DKIM can significantly reduce the risk of email spoofing and phishing attacks. Don't be a statistic—take action today.
Wonder why "null" images replace your logo in Mac Mail and iOS email signatures? See our article: How to get rid of those missing image errors “null” in Mac Mail and iOS email signatures.
We can help you secure your email and DNS records remotely.