Domain spoofing is a significant threat to email integrity and security. It occurs when attackers send email claiming to come from a domain they do not own, typically for phishing or malware distribution. On the open internet, three mechanisms, SPF, DKIM, and DMARC, work together to authenticate email and prevent spoofing:
- DomainKeys Identified Mail (DKIM): lets the receiver verify that a message was signed by a key the owner of the signing domain has authorized. The sending system adds a digital signature to the message, and the receiver validates it against the public key published in that domain's DNS.
- Sender Policy Framework (SPF): designed to stop others from sending email on behalf of your domain. The receiver checks the IP address that delivered the message against the list of authorized sending hosts published in the sender domain's DNS TXT record.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): builds on SPF and DKIM, requiring that the identity they authenticate align with the sender's domain and giving domain owners a clear way to state what receivers should do with messages that pass or fail. In practice, this lets you publish a policy for handling email that fails the SPF and DKIM checks.
These protective layers work well on the open internet. In a closed, multi-tenant email delivery service like MailChannels, however, many customer domains send through a shared pool of IP addresses. An SPF record that authorizes MailChannels' servers therefore authorizes every other tenant of that IP space as well, so SPF alone cannot distinguish your mail from a message that another tenant sends with your domain in the From address. Domain Lockdown™ closes this gap: a simple DNS TXT record on your domain states which MailChannels accounts and sender IDs are authorized to send email addressed from your domain.
How to Use Domain Lockdown™
To prevent other MailChannels users and accounts from sending email from your domain without your permission, Domain Lockdown lets you publish, in a DNS TXT record, the list of senders and accounts permitted to send email from your domain. Any other account that sends from your domain will have its messages rejected with an error.
Three lockdown identifiers are presently supported:
- auth: identifies a MailChannels customer, such as a web hosting provider, by the customer's authentication username. auth codes are a sequence of letters and numbers, such as myhostingcompany.
- senderid: identifies a specific sender entity, such as a PHP script or an authenticated webmail user account. A senderid string specifies the provider, the type of identity, and the identity itself in a single string, for example myhostingcompany|x-authuser|myusername.
- cfid: identifies a Cloudflare Worker and is used to prevent spoofing from your domain if you send email from Cloudflare Workers using the MailChannels send() API. An example of a cfid is myworker.workers.dev. Cloudflare Worker support is deprecated and will be discontinued on August 31, 2024.
Note that participation in Domain Lockdown is now mandatory for Cloudflare Workers users.
Follow the steps below to enable Domain Lockdown™ for your domain:
- Create a DNS TXT record named _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
- In the TXT record, list the MailChannels account IDs (auth) or sender IDs (senderid) that are permitted to send email for your domain, using the following syntax:
v=mc1 auth=myhostingcompany senderid=mysenderid …
You may specify any number or combination of auth and senderid fields, including none at all. Each auth and senderid field must carry exactly one value; to permit several accounts or senders, repeat the field once per value.
For instance, to state that your domain sends email from the MailChannels account myhostingcompany, you would set the TXT record as follows:
v=mc1 auth=myhostingcompany
You might also lock down to two different providers:
v=mc1 auth=myhostingcompany auth=anotherprovider
To lock the domain to a specific Sender-ID string such as myhostingcompany|x-authuser|myusername, the TXT record would be:
v=mc1 senderid=myhostingcompany|x-authuser|myusername
To lock the domain to a specific Cloudflare Workers account, use this syntax:
v=mc1 cfid=myapp.workers.dev
To block MailChannels from sending any email from your domain at all, set the TXT record to only the version string, with no auth, senderid, or cfid fields:
v=mc1
To lock the domain when using both a MailChannels account and a Cloudflare Workers account, use this syntax:
v=mc1 auth=myhostingcompany cfid=myapp.workers.dev
Where to find your auth or senderid
Every message sent through MailChannels carries two headers that identify the auth and senderid of the message:
- X-MailChannels-Auth-Id: carries the auth;
- X-MailChannels-Sender-Id: carries the senderid.
Note that Cloudflare Workers users can find their cfid at dash.cloudflare.com beneath "Your subdomain" on the right side of the Workers and Pages / Overview page.
Example
Here are the headers from a message, showing the auth and senderid values that you can use in your _mailchannels TXT record (the sender ID header appears here as X-MailChannels-SenderId):
X-MailChannels-SenderId: goodhost|x-authuser|joe@example.com
X-MailChannels-Auth-Id: goodhost
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
From: joe@example.com
To: shoshanna@example.net
Subject: Your pineapples have shipped
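To make the record syntax above and the header-to-record mapping concrete, here is an added Python example (not MailChannels code, and not the Gist referenced below) that parses a _mailchannels TXT record value, extracts the auth and senderid from a message's X-MailChannels-* headers, and simulates the lockdown decision. The acceptance rule it implements is my reading of this article: a message is accepted if any identity it carries (auth, senderid or cfid) is listed in the record, and a bare v=mc1 rejects everything. The sample message is constructed from the headers shown above; the function names and the reason strings are this example's own.

```python
"""Parse a MailChannels Domain Lockdown TXT record and simulate the decision
for a message's X-MailChannels-* headers.  Added example, not MailChannels code.
"""
from email import message_from_string

# Field names the article documents; each occurrence carries one value.
KNOWN_FIELDS = ("auth", "senderid", "cfid")


def parse_lockdown_record(txt):
    """Parse the value of a _mailchannels.<domain> TXT record.

    Returns {"version": "mc1", "auth": set, "senderid": set, "cfid": set}.
    Raises ValueError when the text is not a well-formed v=mc1 record.
    """
    tokens = txt.strip().split()
    if not tokens or tokens[0] != "v=mc1":
        raise ValueError("record must start with v=mc1")
    record = {"version": "mc1", "auth": set(), "senderid": set(), "cfid": set()}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep or key not in KNOWN_FIELDS:
            raise ValueError(f"unexpected field: {token!r}")
        if not value:
            raise ValueError(f"empty value in field: {token!r}")
        record[key].add(value)  # repeated fields accumulate, e.g. auth=a auth=b
    return record


def simulate_lockdown(record, auth=None, senderid=None, cfid=None):
    """Return (accepted, reason) for a message carrying the given identities.

    Assumption (this example's reading of the article): any listed identity
    is sufficient, and a record that lists nothing blocks all sending.
    """
    if auth is not None and auth in record["auth"]:
        return True, "accepted: auth id matched"
    if senderid is not None and senderid in record["senderid"]:
        return True, "accepted: sender id matched"
    if cfid is not None and cfid in record["cfid"]:
        return True, "accepted: cfid matched"
    if not (record["auth"] or record["senderid"] or record["cfid"]):
        return False, "rejected: record permits no senders at all"
    return False, "rejected: no listed auth, senderid or cfid matched"


def identities_from_message(raw_message):
    """Pull auth and senderid out of the X-MailChannels-* headers."""
    msg = message_from_string(raw_message)
    return {
        "auth": msg.get("X-MailChannels-Auth-Id"),
        # the article shows this header under two spellings; accept either
        "senderid": msg.get("X-MailChannels-SenderId")
        or msg.get("X-MailChannels-Sender-Id"),
    }


def check_message(record_txt, raw_message):
    """Decide whether the message's own headers satisfy the lockdown record."""
    record = parse_lockdown_record(record_txt)
    ids = identities_from_message(raw_message)
    return simulate_lockdown(record, auth=ids["auth"], senderid=ids["senderid"])


# Constructed sample message, modelled on the headers shown in the article.
SAMPLE_MESSAGE = """\
X-MailChannels-SenderId: goodhost|x-authuser|joe@example.com
X-MailChannels-Auth-Id: goodhost
Content-Type: text/plain; charset="utf-8"
From: joe@example.com
To: shoshanna@example.net
Subject: Your pineapples have shipped

Tracking number follows.
"""

if __name__ == "__main__":
    for record_txt in (
        "v=mc1 auth=goodhost",                                  # whole provider account
        "v=mc1 senderid=goodhost|x-authuser|joe@example.com",   # one webmail user only
        "v=mc1 auth=otherhost cfid=myapp.workers.dev",          # another tenant + a Worker
        "v=mc1",                                                # block everything
    ):
        accepted, reason = check_message(record_txt, SAMPLE_MESSAGE)
        print(f"{record_txt!r:60} -> {reason}")
```

Running the block prints one decision per record: the first two accept the sample message (by auth and by senderid respectively), the third rejects it because goodhost is not listed, and the bare v=mc1 rejects it because the record permits no senders. A malformed record (for example one starting with v=spf1) raises ValueError rather than silently permitting anything.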
Testing Domain Lockdown Records
If you have Python installed and access to a terminal, you can download the following testing script, which lets you examine and interpret a domain lockdown record and test whether MailChannels would permit delivery of email from a given sender. The script is available as a GitHub Gist. Run pip install dnspython==2.3.0 first so that the Python DNS library is available before you run the Gist.
Example - Testing with a hypothetical lockdown record:
$ python domain-lockdown-explainer.py --text "v=mc1 auth=example" --test auth=example
MailChannels Domain Lockdown Record Summary:
Version: mc1
Authorized Authenticators:
- example
Interpretation: This record authorizes emails from:
- Senders authenticated by the specified authentication mechanisms
Simulation Result: Message would be accepted
Reason: Accepted: Auth ID matched.
Example - Testing with a real lockdown record pulled from the DNS:
$ python domain-lockdown-explainer.py --domain example.com --test auth=example
Fetching TXT record for _mailchannels.example.com
MailChannels Domain Lockdown Record Summary:
Version: mc1
Authorized Authenticators:
- example
Interpretation: This record authorizes emails from:
- Senders authenticated by the specified authentication mechanisms
Simulation Result: Message would be accepted
Reason: Accepted: Auth ID matched.
In the example above, the domain example.com is assumed to have a lockdown record v=mc1 auth=example. In reality, of course, this domain does not have a lockdown record.