How To Protect Your Email Against Being Spoofed

Spoofed emails are emails in which the actual sender has forged the sending address. You may have been contacted by someone claiming to have received an email from you that you know you did not send. You can learn more about spoofing on our “What is Spoofing?” page.

While there is no way to reliably stop spoofing in all circumstances, there are some technical tools you can use that allow email recipients to check if an email is genuinely from you. To do this, you publish a special kind of DNS record on your domain name associated with your email. This record tells the server receiving the mail what to look for to know if the email is genuine. The mail recipient can then choose what to do with an email that fails these checks.

These tools depend on the recipient’s email host checking your DNS records. This check is generally done automatically by the server before the mail arrives in the recipient’s mailbox. Not all email servers perform these kinds of checks, so it is still possible for your email to be spoofed. However, more security-conscious recipients will still appreciate the chance to verify your emails as genuine.

DKIM

DKIM, or DomainKeys Identified Mail, allows you to attach a signature to your email showing the email is authorized. The recipient can then automatically check this signature against a public key you have shared through the DNS records of the domain name used in the email address. This signature also verifies that the email, including any attachments, has not been changed before being received by the recipient.

Email sent via Gandi’s mail servers supports DKIM signatures. For email addresses where the domain and email are hosted by Gandi and the domain uses Gandi LiveDNS, you can activate DKIM in your account by following these steps:

  1. After logging in, click “Domain” in the left navigation menu.

  2. Click on the domain name attached to the email you want to manage.

  3. Click on the “Email” tab.

  4. Next to “Settings & Security” click “Edit.”

  5. Switch the toggle next to “DKIM Signature.”

  6. Click “Update.”

If your domain and email are hosted by Gandi, but you do not use Gandi LiveDNS (usually if you use a nameserver that is not provided by Gandi), you can still activate this option manually by adding the following records to your domain.

gm1._domainkey 10800 IN CNAME   gm1.gandimail.net.
gm2._domainkey 10800 IN CNAME   gm2.gandimail.net.
gm3._domainkey 10800 IN CNAME   gm3.gandimail.net.

All three CNAME records are needed in case of key rollover.

SPF Records

Sender Policy Framework, or SPF, is a special kind of TXT record you add to your domain name’s DNS records that publicly shares which IP addresses are authorized to send email from your domain name. This allows the recipient to automatically check if the IP address that sent an email claiming to be from your address is on the authorized list.

If you send mail from Gandi’s mail servers, or if you have a site hosted by Gandi Web Hosting that sends email, you can use SPF records. If your email is hosted outside of Gandi, you should contact your provider for more information. It is also possible to add a specific IP address to an SPF record, though it is not necessary if you are using a Gandi server to host your mail.

The Web Hosting record is only used if you plan to send e-mails through your website (via a contact form, for example).

If you send mail from your domain using Gandi’s mail servers, add the following record:

@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"

If you have a site hosted by Gandi that sends email, add the following record:

@ 10800 IN TXT "v=spf1 include:_spf.gpaas.net ?all"

If you have a site that both uses Gandi’s email servers for email and sends email through a site hosted by Gandi Web Hosting, add the following record:

@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net include:_spf.gpaas.net ?all"

DMARC

Domain-based Message Authentication, Reporting and Conformance, also known as DMARC, allows you to publish in the DNS records of your domain name that you have implemented the above sending protocols and provides a recommendation about what should be done with an email that fails these checks. It also helps receiving parties to send you reports about emails received from your domain name, including whether these emails passed or failed the checks provided.

To use DMARC you can add the following record to your domain. Replace “user@domain.tld” with the email address where you would like to receive reports from receiving mail servers.

_dmarc 10800 IN TXT "v=DMARC1; p=reject; rua=mailto:user@domain.tld"

The “p” value in this example is “reject.” The three policy options are: none (no action should be taken, but you will still receive reports), quarantine (the email should be treated as suspicious, which means it may be placed in a spam folder or otherwise marked as not trustworthy), and reject (the email should be rejected and not delivered).

Warning

By using a “reject” policy you risk that forwarded mail may not be delivered, depending on the circumstances. For example, if an individual has set up a forward so all email received at a particular email address is forwarded on to a different email address, there is a risk the forwarded email may be rejected at its final destination.

You can learn more about DMARC on the official page.
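
The following is an added example, not Gandi's own code. It audits a zone snippet built from the DKIM, SPF and DMARC records shown on this page, checking that all three DKIM CNAMEs are present, that only one SPF record is published, what the SPF "all" qualifier tells receivers, and which DMARC policy is requested. The sample zone is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample zone built from the records on this page. It deliberately
# omits gm3 and publishes the two SPF records separately (a common mistake).
SAMPLE_ZONE = '''
gm1._domainkey 10800 IN CNAME gm1.gandimail.net.
gm2._domainkey 10800 IN CNAME gm2.gandimail.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
@ 10800 IN TXT "v=spf1 include:_spf.gpaas.net ?all"
_dmarc 10800 IN TXT "v=DMARC1; p=reject; rua=mailto:user@domain.tld"
'''

RECORD = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$')
QUALIFIER = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def parse_zone(text):
    """Return (name, type, value) tuples for the CNAME and TXT lines."""
    matches = (RECORD.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], m[3].strip().strip('"')) for m in matches if m]

def audit(text):
    """Return findings for the DKIM, SPF and DMARC records in a zone snippet."""
    records, findings = parse_zone(text), []
    # DKIM: all three selectors must be delegated so key rollover keeps working.
    cnames = {n: v for n, t, v in records if t == 'CNAME'}
    for sel in ('gm1', 'gm2', 'gm3'):
        if cnames.get(f'{sel}._domainkey') != f'{sel}.gandimail.net.':
            findings.append(f'dkim: missing or wrong CNAME for {sel}._domainkey')
    # SPF: several v=spf1 records on one name give a permerror (RFC 7208, 4.5).
    spf = [v for n, t, v in records
           if n == '@' and t == 'TXT' and v.split()[:1] == ['v=spf1']]
    if len(spf) != 1:
        findings.append(f'spf: expected exactly 1 record, found {len(spf)}')
    for rec in spf:
        m = re.fullmatch(r'([+\-~?]?)all', rec.split()[-1])
        if m:  # result a receiver computes for senders no mechanism matched
            findings.append(f'spf: unlisted senders get {QUALIFIER[m[1] or "+"]} in "{rec}"')
    # DMARC: split the tag list and report the requested policy and report URI.
    for n, t, v in records:
        if n == '_dmarc' and t == 'TXT':
            tags = dict(p.strip().split('=', 1) for p in v.split(';') if '=' in p)
            if tags.get('v') != 'DMARC1' or tags.get('p') not in ('none', 'quarantine', 'reject'):
                findings.append('dmarc: invalid v or p tag')
            else:
                findings.append(f'dmarc: policy={tags["p"]} reports={tags.get("rua", "none")}')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE_ZONE)))
```

The "?all" ending used in the SPF records above is the neutral qualifier, so receivers make no assertion about senders that the listed includes do not cover.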