
Secure your domain name against spoofing with Domain Lockdown™

Domain spoofing is a significant issue that threatens email integrity and security. Domain spoofing occurs when attackers pretend to send emails from a domain they do not own, typically with malicious intentions such as phishing or spreading malware. To combat this, three security measures—DKIM, SPF, and DMARC—work in tandem on the open internet to authenticate emails and prevent spoofing.

  • DomainKeys Identified Mail (DKIM): The sending system adds a digital signature over selected headers and the message body, and the receiver verifies it against a public key that the signing domain publishes in DNS. A valid signature shows that the message was sent with the authorization of that domain's owner and was not altered in transit.

  • Sender Policy Framework (SPF): A domain publishes in DNS the hosts that are authorized to send mail on its behalf. The receiver checks the IP address of the connecting mail server against that list for the domain of the envelope sender (the SMTP MAIL FROM address), so spammers cannot send from arbitrary hosts on behalf of your domain.

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC builds on SPF and DKIM. It requires that the domain which passed SPF or DKIM align with the domain in the message's From header, lets the domain owner publish a policy (none, quarantine or reject) for messages that fail that check, and provides reports on the results.

These protective layers work well on the open internet. In a closed, multi-tenant email delivery service like MailChannels, however, many domains send through a shared IP space. An SPF record that authorizes MailChannels' IPs therefore authorizes every tenant on those IPs, not just you, and SPF alone cannot stop another tenant from sending mail with your domain in the From address. Domain Lockdown™ lets you control which MailChannels accounts and sender-ids are authorized to send email from your domain by publishing your preferences in a simple DNS TXT record.

How to Use Domain Lockdown™

To prevent other MailChannels users and accounts from sending emails from your domain without your permission, Domain Lockdown lets you indicate via a DNS TXT record a list of senders and accounts permitted to send emails from your domain. Any other accounts that send from your domain will have their emails rejected with an error.

Three lockdown identifiers are presently supported:

  1. auth - This identifies a MailChannels customer, such as a web hosting provider, by specifying the authentication username of the customer. auth codes are a sequence of letters and numbers such as myhostingcompany.
  2. senderid - This identifies a specific sender entity, such as a PHP script or authenticated webmail user account. senderid strings specify the provider, the type of identity, and the identity in a single string. An example of a senderid is myhostingcompany|x-authuser|myusername.
  3. cfid - This identifies a Cloudflare Worker and is used to prevent spoofing from your domain if you send email from Cloudflare Workers using the MailChannels send() API. An example of a cfid is myworker.workers.dev. Cloudflare Worker support is deprecated and will be discontinued on August 31, 2024.

Note that participation in Domain Lockdown is now mandatory for Cloudflare Workers users.

Follow the steps below to enable Domain Lockdown™ for your domain:

  1. Create a DNS TXT record following the pattern _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
  2. In the DNS TXT record, specify one or more MailChannels account ids (auth) or sender ids (senderid) that are permitted to send emails for your domain, using the following syntax:

    v=mc1 auth=myhostingcompany senderid=mysenderid …

You may specify any number or combination of auth and senderid fields, including leaving the list blank. Each auth and senderid field must specify only one value.

For instance, to specify that your domain sends email from the MailChannels account myhostingcompany, you would set the TXT record as follows:

v=mc1 auth=myhostingcompany

You might also lock down to two different providers:

v=mc1 auth=myhostingcompany auth=anotherprovider


To lock the domain to a specific Sender-ID string like myhostingcompany|x-authuser|myusername, the TXT record would be:

v=mc1 senderid=myhostingcompany|x-authuser|myusername

To lock the domain to a specific Cloudflare Workers account, use this syntax:

v=mc1 cfid=myapp.workers.dev

To block MailChannels from sending any emails from your domain, set the TXT record to show only the version string and no auth, senderid, or cfid fields, as follows:

v=mc1

To lock the domain when using both MailChannels and Cloudflare Workers accounts, use this syntax:

v=mc1 auth=myhostingcompany cfid=myapp.workers.dev
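The record syntax and the accept/reject decision described above, as an added example in Python; this is not MailChannels' code and not the testing Gist mentioned later in this article. It assumes, as the article implies but does not state outright, that a message is accepted when any identifier it carries is listed in the record, that matching is exact and case-sensitive, and that tags other than auth, senderid and cfid are ignored. The fetch_lockdown_record helper (an assumed name) needs dnspython and network access; everything else runs offline.

```python
"""Parse and evaluate a MailChannels Domain Lockdown TXT record.

Added example for this article; not MailChannels' own code. Implements the
record format the article describes (v=mc1 followed by auth=, senderid= and
cfid= tags) under these assumptions:
  - a message is accepted when any identifier it carries is listed (OR);
  - matching is exact and case-sensitive;
  - unknown tags are ignored rather than rejected.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

SUPPORTED_VERSION = "mc1"
KNOWN_TAGS = ("auth", "senderid", "cfid")


@dataclass
class LockdownRecord:
    version: str
    auth: set = field(default_factory=set)       # MailChannels customer usernames
    senderid: set = field(default_factory=set)   # provider|type|identity strings
    cfid: set = field(default_factory=set)       # Cloudflare Worker subdomains


def parse_lockdown_record(text: str) -> LockdownRecord:
    """Split the record into whitespace-separated key=value tags.

    Each tag carries exactly one value, so a key repeats when several
    identities are authorised. The value is everything after the first '=',
    which keeps senderid values such as host|x-authuser|joe@example.com intact.
    """
    tags = text.split()
    if not tags or not tags[0].startswith("v="):
        raise ValueError("record must begin with a version tag such as v=mc1")
    rec = LockdownRecord(version=tags[0][2:])
    if rec.version != SUPPORTED_VERSION:
        raise ValueError(f"unsupported version {rec.version!r}")
    for tag in tags[1:]:
        key, sep, value = tag.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed tag {tag!r}")
        if key in KNOWN_TAGS:
            getattr(rec, key).add(value)
        # unknown keys are ignored (assumption, see module docstring)
    return rec


def is_valid_record(text: str) -> bool:
    """True if the text parses as a v=mc1 record."""
    try:
        parse_lockdown_record(text)
        return True
    except ValueError:
        return False


def evaluate(rec: LockdownRecord, auth: Optional[str] = None,
             senderid: Optional[str] = None,
             cfid: Optional[str] = None) -> Tuple[bool, str]:
    """Simulate the delivery decision for a message carrying these identifiers.

    A record with no identifiers at all (a bare "v=mc1") authorises nobody,
    which is how the article says to block all MailChannels sending for a domain.
    """
    if not (rec.auth or rec.senderid or rec.cfid):
        return False, "Rejected: record authorises no senders."
    if auth is not None and auth in rec.auth:
        return True, "Accepted: Auth ID matched."
    if senderid is not None and senderid in rec.senderid:
        return True, "Accepted: Sender ID matched."
    if cfid is not None and cfid in rec.cfid:
        return True, "Accepted: Cloudflare Worker ID matched."
    return False, "Rejected: no identifier matched."


def fetch_lockdown_record(domain: str) -> LockdownRecord:
    """Look up _mailchannels.<domain> in DNS. Needs dnspython and network access;
    imported lazily so the rest of this module works offline."""
    import dns.resolver
    name = f"_mailchannels.{domain}"
    for rdata in dns.resolver.resolve(name, "TXT"):
        # a TXT record may be split into several strings; join them first
        text = b"".join(rdata.strings).decode("utf-8", "replace")
        if text.startswith("v="):
            return parse_lockdown_record(text)
    raise LookupError(f"no lockdown record at {name}")


if __name__ == "__main__":
    rec = parse_lockdown_record(
        "v=mc1 auth=myhostingcompany senderid=myhostingcompany|x-authuser|myusername"
    )
    for probe in ({"auth": "myhostingcompany"},
                  {"senderid": "myhostingcompany|x-authuser|myusername"},
                  {"auth": "anotherprovider"}):
        print(probe, "->", evaluate(rec, **probe))
```

The parser rejects a tag with an empty value (for example auth=) rather than silently authorising nothing, and the evaluator checks the empty-record case first so that a bare v=mc1 gives a distinct reason from a record that simply does not list the sender. Both behaviours are this example's choices, not documented MailChannels behaviour.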


Where to find your auth or senderid

Every message sent through MailChannels carries two headers that identify the auth and senderid of the message:

  • X-MailChannels-Auth-Id - This header carries the auth;
  • X-MailChannels-SenderId - This header carries the senderid.

Note that Cloudflare Workers users can find their cfid at dash.cloudflare.com/ beneath "Your subdomain" at the right side of the Workers and Pages / Overview page.

Example

Here are the headers from a message highlighting the auth and senderid fields that you can use in your _mailchannels TXT record:

X-MailChannels-SenderId: goodhost|x-authuser|joe@example.com
X-MailChannels-Auth-Id: goodhost
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
From: joe@example.com
To: shoshanna@example.net
Subject: Your pineapples have shipped
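Turning those headers into a record, as an added example in Python that is not MailChannels' own tooling. It reads the X-MailChannels-Auth-Id and X-MailChannels-SenderId headers shown above from a set of messages your domain legitimately sent and emits the matching _mailchannels TXT value. The sample messages are constructed for the example; the choice between auth and senderid granularity matters because a record that lists only auth=goodhost also permits every other customer of goodhost to send as your domain, while listing senderid values restricts sending to the specific accounts observed.

```python
"""Derive a Domain Lockdown record from the X-MailChannels-* headers of
messages your domain legitimately sent through MailChannels.

Added example for this article, not MailChannels' own tooling. The header
names are the ones shown in the article's sample message; the messages
below are constructed for the example.
"""
from email import message_from_string
from typing import Iterable, Optional, Tuple

AUTH_HEADER = "X-MailChannels-Auth-Id"
SENDERID_HEADER = "X-MailChannels-SenderId"

# Constructed sample: two users at the same hosting provider, plus one
# message from a second provider that also relays through MailChannels.
SAMPLE_MESSAGES = [
    "X-MailChannels-SenderId: goodhost|x-authuser|joe@example.com\n"
    "X-MailChannels-Auth-Id: goodhost\n"
    "From: joe@example.com\nTo: shoshanna@example.net\n"
    "Subject: Your pineapples have shipped\n\nShipped today.\n",
    "X-MailChannels-SenderId: goodhost|x-authuser|billing@example.com\n"
    "X-MailChannels-Auth-Id: goodhost\n"
    "From: billing@example.com\nTo: shoshanna@example.net\n"
    "Subject: Invoice\n\nSee attached.\n",
    "X-MailChannels-SenderId: otherhost|x-authuser|newsletter@example.com\n"
    "X-MailChannels-Auth-Id: otherhost\n"
    "From: newsletter@example.com\nTo: list@example.net\n"
    "Subject: News\n\nHello.\n",
]


def extract_ids(raw_message: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (auth, senderid) from one raw RFC 5322 message; a missing
    header yields None. Header names are matched case-insensitively."""
    msg = message_from_string(raw_message)
    return msg.get(AUTH_HEADER), msg.get(SENDERID_HEADER)


def build_lockdown_record(raw_messages: Iterable[str],
                          granularity: str = "auth") -> str:
    """Build the _mailchannels TXT record text that authorises exactly the
    senders seen in raw_messages.

    granularity="auth" lists each provider's auth id: the shortest record,
    but it also admits every other customer of those providers.
    granularity="senderid" lists each individual sender id: longer, but only
    the observed accounts can then send as your domain.
    """
    if granularity not in ("auth", "senderid"):
        raise ValueError("granularity must be 'auth' or 'senderid'")
    seen = set()
    for raw in raw_messages:
        auth, senderid = extract_ids(raw)
        value = auth if granularity == "auth" else senderid
        if value:
            seen.add(value)
    # sorted so the output is stable for review and diffing
    return " ".join(["v=mc1"] + [f"{granularity}={v}" for v in sorted(seen)])


if __name__ == "__main__":
    print(build_lockdown_record(SAMPLE_MESSAGES))
    print(build_lockdown_record(SAMPLE_MESSAGES, granularity="senderid"))
```

Run it over messages collected from your own mailboxes before publishing the record, and compare the senderid output with the auth output: the difference is exactly the set of other accounts at each provider that the broader record would still allow.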

Testing Domain Lockdown Records

If you have Python installed and access to a terminal, you can download the following testing script, which lets you examine and interpret a domain lockdown record and test whether MailChannels would permit delivery of emails from a given sender. The script is available as a GitHub Gist. Run pip install dnspython==2.3.0 first so that the Python DNS library is present on your system before running the Gist.

Example - Testing with a hypothetical lockdown record:

$ python domain-lockdown-explainer.py --text "v=mc1 auth=example" --test auth=example

MailChannels Domain Lockdown Record Summary:
Version: mc1

Authorized Authenticators:
  - example

Interpretation:
This record authorizes emails from:
  - Senders authenticated by the specified authentication mechanisms

Simulation Result:
Message would be accepted
Reason: Accepted: Auth ID matched.

Example - Testing with a real lockdown record pulled from the DNS:

$ python domain-lockdown-explainer.py --domain example.com --test auth=example
Fetching TXT record for _mailchannels.example.com

MailChannels Domain Lockdown Record Summary:
Version: mc1

Authorized Authenticators:
  - example

Interpretation:
This record authorizes emails from:
  - Senders authenticated by the specified authentication mechanisms

Simulation Result:
Message would be accepted
Reason: Accepted: Auth ID matched.

In the example above, the domain example.com is assumed to have a lockdown record v=mc1 auth=example. In reality, of course, this domain does not have a lockdown record.
