Email Protections
Targeted phishing isn't always easy.
Protections
SPF (Sender Policy Framework)
SMTP does not have a way to verify the contents of the "MAIL FROM" command. SPF was designed to allow the owner of a domain to publish a list of authorized sending hosts in the DNS TXT records for their domain. If SPF is enabled and the sending IP is not included in the record, the receiving mail server should reject the message.
dig +short TXT domain.com ## Perform an SPF record lookup
DKIM (DomainKeys Identified Mail)
DKIM is used to verify message content. The sending mail server signs the message and its contents, which allows the receiver to confirm that the sender is who they say they are. This is done through a DKIM-Signature header. This solution is hard to manage, as it requires multiple parties working in cooperation.
dig dkim._domainkey.domain.com TXT
DMARC (Domain-based Message Authentication, Reporting and Conformance)
This allows the legitimate sending domain owner to declare that they use DKIM and SPF. This only works if the receiving server checks DNS records (basically, so long as they're not running their own poorly written mail server).
dig +short TXT _dmarc.domain.com
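The following added example, not part of the original page, grades the TXT strings returned by the SPF and DMARC lookups above for a domain you administer. The function names, verdict labels and example.com records are constructed for illustration.

```shell
#!/bin/sh
# Added example: grade SPF and DMARC TXT strings for a domain you administer.

# spf_all RECORD -> fail | softfail | neutral | pass | redirect | no-all | missing
spf_all() {
    rec=$(printf '%s' "$1" | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$rec" in
        v=spf1|"v=spf1 "*) ;;
        *) echo missing; return 0 ;;
    esac
    # First "all" term with its qualifier; mechanisms after it are never evaluated.
    q=$(printf '%s\n' "$rec" | tr ' ' '\n' | grep -E '^[-~?+]?all$' | head -n 1 || true)
    case "$q" in
        "-all") echo fail ;;
        "~all") echo softfail ;;
        "?all") echo neutral ;;
        "+all"|"all") echo pass ;;
        *) case " $rec " in
               *" redirect="*) echo redirect ;;
               *) echo no-all ;;
           esac ;;
    esac
}

# dmarc_policy RECORD -> none | quarantine | reject | missing
dmarc_policy() {
    rec=$(printf '%s' "$1" | tr -d '" ')
    case "$rec" in
        v=DMARC1*) ;;
        *) echo missing; return 0 ;;
    esac
    p=$(printf '%s\n' "$rec" | tr ';' '\n' | sed -n 's/^[Pp]=//p' | head -n 1)
    echo "${p:-missing}" | tr '[:upper:]' '[:lower:]'
}

# audit SPF DMARC -> summary line (verdict labels are this example's own).
audit() {
    spf=$(spf_all "$1"); dmarc=$(dmarc_policy "$2")
    if [ "$spf" = pass ]; then verdict=open   # +all authorizes every sender
    else case "$dmarc" in
        reject|quarantine) verdict=enforced ;;
        *) [ "$spf" = fail ] && verdict=spf-only || verdict=weak ;;
    esac; fi
    echo "spf=$spf dmarc=$dmarc verdict=$verdict"
}

# Constructed sample records; example.com is a placeholder.
audit '"v=spf1 include:_spf.example.com ~all"' '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'
audit '"v=spf1 ip4:192.0.2.10 -all"' '"v=DMARC1; p=reject; sp=quarantine"'
```

For a live check, pass the output of the dig lookups shown above as the two arguments to audit.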
Accepted Domains
Accepted Domains are a Microsoft Exchange feature that can be used to prevent spoofing of local users.
Spam Traps
Spam Traps are a list of factors that the receiving email server uses to evaluate whether something is likely spam. These factors include, but are not limited to, the domain's age, IP addresses, suspicious attachments, etc.
End Considerations
Before choosing to spoof a domain, check if it has SPF, DKIM, or DMARC records. Send an email to a non-existent user and examine it for header and other critical information. When domain spoofing isn't an option, consider registering a domain that suits your engagement and set its SPF, DKIM, and DMARC records to add legitimacy.