Authenticating emails to stop others spoofing your domain name

A problem you may have encountered before is someone contacting you to say that your email address is sending them lots of spam, and asking whether you can stop it. This may mean that your email client (Mail User Agent, MUA) is indeed compromised and sending the mail, but more likely spammers are spoofing your email address so that their spam appears to come from you.

I will briefly outline what needs to be done; this is not intended to be a 'How To' guide.

So how can you tell the receiver's Mail Transfer Agent (MTA), commonly called the mail server, whether an email is genuinely from you or not?

Firstly you need to correctly implement an SPF (Sender Policy Framework) record and a DKIM (DomainKeys Identified Mail) record. The SPF record will normally be available from your mail provider's help pages and indicates which MTAs are allowed to send email on your domain's behalf; the DKIM record is usually provided by the mail company for your account and contains the public key of an asymmetric RSA key pair, which receivers use to verify the signatures on your mail. Both are text strings to add as TXT records in your DNS.

Once these have been set up you need to create a DMARC record in your DNS. This tells receiving MTAs what you want them to do with email that fails the SPF or DKIM check. There are three options: nothing (p=none), mark as spam (p=quarantine), or reject (p=reject). DMARC can only work if the SPF and DKIM records are correctly set up, so it is advisable to check them before setting up DMARC.

Your MTA should now sign outgoing email using DKIM; on receiving it, the receiving MTA looks up your DKIM public key in DNS and verifies the signature, and can also look up the SPF record to check that the sending host name or IP address is in your SPF list of acceptable MTAs.
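As an added illustration (not code from the original article), the Python sketch below shows what the receiving side does with the three records once they exist: it first checks that the SPF and DKIM records look complete before DMARC is published, then applies the DMARC policy to one message's SPF and DKIM results, including DMARC's identifier-alignment rule (the From: domain must match the SPF or DKIM domain, exactly in strict mode or by organizational domain in relaxed mode). The domain example.com, the selector name selector1, the record contents and the message results are constructed sample values, and the organizational-domain calculation is a simplification; real receivers fetch the records with DNS queries and use the Public Suffix List.

```python
"""Evaluate SPF/DKIM/DMARC records the way a receiving MTA does (illustrative)."""
import re

# Constructed sample TXT records for the hypothetical domain example.com.
# The DKIM public key is a truncated placeholder, not a real key.
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc@example.com",
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_prerequisites(dns, domain, selector):
    """Return a list of problems; an empty list means SPF and DKIM look ready for DMARC."""
    problems = []
    spf = dns.get(domain, "")
    if not spf.startswith("v=spf1"):
        problems.append("SPF: no TXT record starting with v=spf1 at " + domain)
    elif not re.search(r"\s[-~?+]?all$", spf):
        problems.append("SPF: record should end with an 'all' mechanism")
    dkim = parse_tags(dns.get("%s._domainkey.%s" % (selector, domain), ""))
    # The v= tag is optional in DKIM key records; p= (the public key) is required.
    if dkim.get("v", "DKIM1") != "DKIM1" or not dkim.get("p"):
        problems.append("DKIM: selector record missing or has no public key (p=)")
    return problems


def org_domain(domain):
    """Simplified organizational domain: the last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: 's' requires an exact match, 'r' an organizational-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(dns, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the DMARC policy published for from_domain to one message.

    spf_domain is the envelope MAIL FROM domain that SPF was evaluated against;
    dkim_domain is the d= tag of the signature that was verified.
    Returns (dmarc_result, action) where action is deliver/quarantine/reject.
    """
    record = dns.get("_dmarc." + from_domain)
    if record is None:
        return ("none", "deliver")          # no policy published: nothing to enforce
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ("none", "deliver")          # malformed record is treated as absent
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                   # one aligned pass is enough
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return ("fail", action)


if __name__ == "__main__":
    print(check_prerequisites(SAMPLE_DNS, "example.com", "selector1"))
    # Genuine mail: sent via an authorized MTA and DKIM-signed with d=example.com.
    print(dmarc_disposition(SAMPLE_DNS, "example.com", "pass", "example.com", "pass", "example.com"))
    # Spoofed mail: From: example.com, but sent from an unrelated host with no valid signature.
    print(dmarc_disposition(SAMPLE_DNS, "example.com", "fail", "unrelated.example", "none", ""))
```

The relaxed alignment modes (adkim=r, aspf=r) in the sample record let mail signed with d=mail.example.com still pass for a From: address at example.com; switching either to strict (s) would make such mail fail and fall through to the published policy, which is worth knowing before tightening a record.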