Bolstering Your Email Security: Introducing Domain Lockdown™

Domain spoofing, a fraudulent practice where attackers impersonate a domain they don’t own to send misleading emails, often with nefarious intentions like phishing or spreading malware, is a significant problem for domain owners. Domain authentication measures like DMARC, DKIM, and SPF work well in tandem to protect domains from spoofing on the open internet. Unfortunately, a weakness in DMARC leaves domain owners vulnerable to spoofing attacks if their SPF record authorizes a large shared IP address space to send emails from the domain, such as the Microsoft 365 service, the Google Workspace service, or a transactional email-sending service like MailChannels.

This problem is so acute that the working group preparing the next version of DMARC is debating whether to remove SPF from the next iteration of the DMARC standard. As an example of the severity of the problem, UPS recently fell victim to an impersonation attack in which a phishing gang could get Gmail to render the official UPS logo next to messages sent by the attacker, even though DMARC would normally prevent this. The Gmail team had to scramble a priority 1 response, changing how it interprets SPF record lookups when authorizing the display of logos for major brands within Gmail. “It passed DMARC because UPS use Microsoft for email (and it’s in their SPF record), so you just need to send it from any Microsoft account.”

A Closer Look at Email Security Measures

1. DomainKeys Identified Mail (DKIM): DKIM lets the recipient verify if the email was indeed sent and authorized by the domain owner. It accomplishes this by providing the email a unique digital signature.
2. Sender Policy Framework (SPF): SPF is an email authentication system designed to prevent spammers from sending emails on your behalf. It verifies an email’s path against the authorized sending hosts published in the DNS record of the sender domain.
3. Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC complements SPF and DKIM protocols, linking to the sender’s domain and outlining clear actions for passing and failing messages. This protocol lets domain owners decide how to deal with emails failing SPF or DKIM checks.

While these protective measures do an excellent job on the open internet, challenges arise within a closed, multi-tenant email delivery service where multiple domains share an IP space. Because the DMARC standard allows domains to be authenticated via either a successful DKIM signature check or a successful SPF validation, if your domain publishes an SPF record, anyone sending email from IPs specified in the SPF record will be able to send from your domain. The phishing gang referenced above sent their attack out of Microsoft’s IP address space, which UPS authorizes in its SPF record. In combination with a bug in Gmail’s BIMI logo code, this weakness of the SPF standard resulted in the phishing gang’s ability to bypass the normally strict security that protects logos from impersonation.

To fight this problem, MailChannels is today announcing Domain Lockdown™, a DNS-based authorization feature which protects domains against spoofing on the MailChannels platform by allowing domain owners to tie their domain to specific MailChannels accounts and sender-ids, prohibiting anyone else who sends email through MailChannels from impersonating their domain.

The Power of Domain Lockdown™

Domain Lockdown empowers you to prevent unauthorized MailChannels users and accounts from sending emails from your domain. By allowing you to list, via a DNS TXT record, the senders and accounts authorized to send emails from your domain, any accounts attempting to send from your domain without your approval will be met with an error.

Similar to DMARC, Domain Lockdown uses an expressive, yet simple TXT record format. Within a standard subdomain identified by prefixing the domain name with the string “_mailchannels,” the domain owner simply identifies the MailChannels accounts and sender-ids they authorize to send email from their domain. For example, the owner of the domain “example.com” would use the following Domain Lockdown record to ensure that only senders using the “examplecom” account can send email from “example.com”:

_mailchannels.example.com TXT “v=mc1 auth=examplecom”

Full documentation for Domain Lockdown is available in the Domain Lockdown article in our Knowledge Base. If you have any questions about Domain Lockdown or need assistance setting up your Domain Lockdown record, please contact our support team.