Domain spoofing is a significant issue that threatens email integrity and security. Domain spoofing occurs when attackers pretend to send emails from a domain they do not own, typically with malicious intentions such as phishing or spreading malware. To combat this, three security measures—DKIM, SPF, and DMARC—work in tandem on the open internet to authenticate emails and prevent spoofing.
DomainKeys Identified Mail (DKIM): This email authentication method allows the receiver to check whether the email was indeed sent and authorized by the owner of that domain. It achieves this by giving the email a digital signature.
Sender Policy Framework (SPF): SPF is an email authentication method designed to prevent spammers from sending emails on behalf of your domain. With SPF, an email's path gets verified against the authorized sending hosts published in the DNS record of the sender domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC builds on SPF and DKIM protocols, adding linkage to the sender's domain and providing clear actions for passing and failing messages. This protocol allows domain owners to specify how to handle emails that don’t pass SPF or DKIM checks.
These protective layers work well on the open internet. However, in a closed, multi-tenant email delivery service like MailChannels, where multiple domains send email through a shared IP space, securing your domain against spoofing using SPF alone is insufficient. Domain Lockdown™ lets you control which MailChannels accounts and sender-ids are authorized to send an email that is addressed from your domain by specifying your preferences in a simple DNS TXT record.
How to Use Domain Lockdown™
To prevent other MailChannels users and accounts from sending emails from your domain without your permission, Domain Lockdown lets you indicate via a DNS TXT record a list of senders and accounts permitted to send emails from your domain. Any other accounts that send from your domain will have their emails rejected with an error.
Three lockdown identifiers are presently supported:
- auth - This identifies a MailChannels customer, such as a web hosting provider, by specifying the authentication username of the customer. auth codes are a sequence of letters and numbers such as
- senderid - This identifies a specific sender entity, such as a PHP script or authenticated webmail user account. senderid strings specify the provider, the type of identity, and the identity in a single string. An example of a
- cfid - This identifies a Cloudflare Worker and is used to prevent spoofing from your domain if you wish to send email from Cloudflare Workers using the MailChannels send() API. An example of a
Note that participation in Domain Lockdown is now mandatory for Cloudflare Workers users.
Follow the steps below to enable Domain Lockdown™ for your domain:
- Create a _mailchannels DNS TXT record, replacing yourdomain.com in the record name with your domain name.
- In the DNS TXT record, specify one or more MailChannels account ids (auth) or sender ids (senderid) that are permitted to send emails for your domain, using the following syntax:
v=mc1 auth=myhostingcompany senderid=mysenderid …
You may specify any number or combination of auth and senderid fields, including leaving the list blank. Each auth and senderid field must specify only one value.
For instance, to specify that your domain sends email from the MailChannels account myhostingcompany, you would set the TXT record as follows:
You might also lock down to two different providers:
v=mc1 auth=myhostingcompany auth=anotherprovider
To lock the domain to a specific Sender-ID string like myhostingcompany|x-authuser|myusername, the TXT record would be:
To lock the domain to a specific Cloudflare Workers account, use this syntax:
To block MailChannels from sending any emails from your domain, set the TXT record to show only the version string and no auth, senderid, or cfid fields, as follows:
To lock the domain when using both MailChannels and Cloudflare Workers accounts, use this syntax:
v=mc1 auth=myhostingcompany cfid=myapp.workers.dev
Where to find your auth and senderid
Every message sent through MailChannels carries two headers that can be used to identify the auth and senderid of the message:
X-MailChannels-Auth-Id - This header carries the auth identifier.
X-MailChannels-Sender-Id - This header carries the senderid.
Note that Cloudflare Workers users can find their cfid at dash.cloudflare.com/ beneath "Your subdomain" at the right side of the Workers and Pages / Overview page.
Here are the headers from a message highlighting the auth and senderid fields that you can use in your _mailchannels TXT record:
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
Subject: Your pineapples have shipped
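As an added illustration, and not MailChannels' own code, the Python below ties the two halves of this page together: it builds and parses v=mc1 Domain Lockdown TXT values like the ones shown under "How to Use Domain Lockdown", reads the X-MailChannels-Auth-Id and X-MailChannels-Sender-Id headers out of a message head, and reports whether that message would be permitted by a given record. The sample header values are constructed for the example, the record name _mailchannels.<domain> is assumed, and the matching rule (a message passes when any identifier it presents is listed; a bare "v=mc1" permits nothing) is an assumption, since the page describes the allowlist but not the exact evaluation order. The real check runs inside MailChannels; this script is for reasoning about a record before you publish it.

```python
"""Toy evaluator for MailChannels Domain Lockdown (v=mc1) TXT records.

Added example, not MailChannels' own code. Assumptions: the record lives at
_mailchannels.<domain>; a message is permitted when ANY of its identifiers
(auth, senderid, cfid) appears in the record; a bare "v=mc1" permits nothing.
"""
from dataclasses import dataclass, field
from email.parser import HeaderParser
from typing import Dict, Iterable, Optional, Set

VERSION_TAG = "v=mc1"
KNOWN_FIELDS = ("auth", "senderid", "cfid")


@dataclass
class LockdownPolicy:
    auth: Set[str] = field(default_factory=set)
    senderid: Set[str] = field(default_factory=set)
    cfid: Set[str] = field(default_factory=set)


def parse_lockdown_record(txt: str) -> LockdownPolicy:
    """Parse a TXT value such as 'v=mc1 auth=myhostingcompany cfid=myapp.workers.dev'.

    Fields are whitespace separated and each field carries exactly one value,
    so a senderid like 'provider|x-authuser|user' must not contain spaces.
    """
    tokens = txt.split()
    if not tokens or tokens[0] != VERSION_TAG:
        raise ValueError("not a Domain Lockdown record: missing leading v=mc1")
    policy = LockdownPolicy()
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or key not in KNOWN_FIELDS:
            raise ValueError(f"unsupported field {tok!r}")
        if not value:
            raise ValueError(f"field {key} has no value")
        getattr(policy, key).add(value)
    return policy


def build_lockdown_record(auth: Iterable[str] = (), senderid: Iterable[str] = (),
                          cfid: Iterable[str] = ()) -> str:
    """Serialise identifiers into a TXT value.

    Passing no identifiers yields the blocking record 'v=mc1'.
    """
    parts = [VERSION_TAG]
    for key, values in (("auth", auth), ("senderid", senderid), ("cfid", cfid)):
        for v in values:
            if not v or any(c.isspace() for c in v):
                raise ValueError(f"invalid {key} value {v!r}")
            parts.append(f"{key}={v}")
    return " ".join(parts)


def is_permitted(policy: LockdownPolicy, auth_id: Optional[str] = None,
                 sender_id: Optional[str] = None, cfid: Optional[str] = None) -> bool:
    """Assumed semantics: allow if any presented identifier is listed."""
    return ((auth_id is not None and auth_id in policy.auth)
            or (sender_id is not None and sender_id in policy.senderid)
            or (cfid is not None and cfid in policy.cfid))


def identifiers_from_headers(raw_headers: str) -> Dict[str, Optional[str]]:
    """Pull the two MailChannels identification headers out of a message head."""
    msg = HeaderParser().parsestr(raw_headers)
    return {
        "auth_id": msg.get("X-MailChannels-Auth-Id"),
        "sender_id": msg.get("X-MailChannels-Sender-Id"),
    }


def check_message(txt_record: str, raw_headers: str) -> bool:
    """Would this message pass the domain's lockdown record?"""
    ids = identifiers_from_headers(raw_headers)
    policy = parse_lockdown_record(txt_record)
    return is_permitted(policy, auth_id=ids["auth_id"], sender_id=ids["sender_id"])


# Constructed sample message head; the X-MailChannels values are made up.
SAMPLE_HEADERS = """\
X-MailChannels-Auth-Id: myhostingcompany
X-MailChannels-Sender-Id: myhostingcompany|x-authuser|myusername
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
Subject: Your pineapples have shipped
"""

if __name__ == "__main__":
    record = build_lockdown_record(auth=["myhostingcompany"], cfid=["myapp.workers.dev"])
    print(record)                                  # v=mc1 auth=myhostingcompany cfid=myapp.workers.dev
    print(check_message(record, SAMPLE_HEADERS))   # True
    print(check_message("v=mc1", SAMPLE_HEADERS))  # False: an empty list blocks everyone
```

The parser rejects anything that is not a v=mc1 record and any field other than auth, senderid or cfid, so a typo in the record name or a stray SPF mechanism shows up as an error rather than silently widening or emptying the allowlist.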