Email is a critical piece of the technical stack of any business. This is especially true if you send mail from your own domain (e.g., tony@noc.org rather than tony@gmail.com): your domain's reputation now rides on every message, and securing this piece of the stack is imperative.
Email has proven an easy vector to abuse, contributing to successful phishing campaigns, account takeovers, spoofing and a slew of other nefarious actions by bad actors. This article aims to counter that by providing security best practices that can be implemented easily to reduce the risks introduced by these threats.
Domain Records To Improve Email Security
If you own your domain and run email off it, you want to be aware of three DNS records that improve your domain's email security. They are published as TXT records in the domain's zone file on your authoritative DNS, and receiving mail servers look them up to decide whether a message claiming to come from your domain should be trusted.
| | Record | What it does |
|---|---|---|
| A | Implement SPF (Sender Policy Framework) | Publish an SPF record in your domain's DNS. It lists the IP addresses and third-party services authorized to send mail on behalf of your domain; a receiving server compares the connecting sender against the list, so mail from unlisted servers can be rejected or flagged. End the record with -all (hard fail) once every legitimate sender is listed, and keep it within the 10-DNS-lookup limit or receivers treat it as an error. |
| B | Deploy DKIM (DomainKeys Identified Mail) | Have your mail server sign outgoing messages with a private key and publish the matching public key in DNS under a selector (selector._domainkey.yourdomain). Receivers verify the signature, which proves the message was signed by a holder of your domain's key and that the signed headers and body were not altered in transit. This is what gives your mail verifiable authenticity, and it survives forwarding where SPF does not. |
| C | Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance) | Publish a DMARC record at _dmarc.yourdomain. DMARC builds on SPF and DKIM by requiring that one of them passes for a domain aligned with the visible From: address, tells receivers what to do with mail that fails (p=none, quarantine or reject), and names an address (rua) where receivers send aggregate reports of what they saw. Start at p=none to collect reports, then move to quarantine and finally reject. |
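A practical way to check that the SPF and DMARC records you publish actually say what you intend is to parse them the way a receiver does. The script below is an added example, not code from the original post. It lints a constructed zone fragment (the example.com and weak.example.com domains and their values are hypothetical) instead of querying live DNS, so it runs offline; replace the ZONE dictionary with real TXT lookups to audit your own domain.

```python
"""Lint the SPF and DMARC TXT records a domain publishes.

Added example, not code from the original post. It works on a constructed
zone fragment (hypothetical domains and values) instead of querying live
DNS, so it runs offline; swap ZONE for real TXT lookups to audit your own.
"""
import re

# Constructed zone fragment: a well-configured domain and a weak one.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "weak.example.com": "v=spf1 a mx ptr include:a.example include:b.example +all",
    "_dmarc.weak.example.com": "v=DMARC1; p=none",
}

# Terms that cost a DNS lookup during evaluation; RFC 7208 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, term) tuples plus summary facts."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
        parsed.append((qualifier, name, term))
    return {"terms": parsed, "all": all_qualifier, "lookups": lookups}


def lint_spf(record):
    """Return human-readable findings; an empty list means the record looks sound."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif spf["all"] in ("+", "?"):
        findings.append(f"'{spf['all']}all' lets any server send as this domain")
    elif spf["all"] == "~":
        findings.append("'~all' is softfail; move to '-all' once DMARC reports show no legitimate failures")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} lookup terms; over 10 receivers return permerror")
    if any(name == "ptr" for _, name, _ in spf["terms"]):
        findings.append("'ptr' is deprecated and slow; list addresses with ip4/ip6 instead")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; keys are lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def lint_dmarc(record):
    """Flag the common ways a DMARC record gives no real protection."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def audit_domain(domain, zone=ZONE):
    """Lint both records for a domain, reporting absence as a finding."""
    spf = zone.get(domain, "")
    dmarc = zone.get(f"_dmarc.{domain}", "")
    return {
        "spf": lint_spf(spf) if spf.lower().startswith("v=spf1") else ["no SPF record"],
        "dmarc": lint_dmarc(dmarc) if dmarc.upper().startswith("V=DMARC1") else ["no DMARC record"],
    }


if __name__ == "__main__":
    for d in ("example.com", "weak.example.com", "missing.example.com"):
        print(d, audit_domain(d))
```

Running it reports nothing for example.com, while weak.example.com is flagged for +all (anyone may send as the domain), the deprecated ptr mechanism, a monitor-only DMARC policy and a missing rua address. The DKIM record is deliberately not linted here: its correctness is proven by a signature verifying, not by inspecting the TXT record, so check it by sending a message to a mailbox you control and reading the Authentication-Results header.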
Administrative Tasks To Improve Email Security
In addition to the domain records discussed above, there are a few administrative actions you should take:
| | Task | What to do |
|---|---|---|
| 1 | Regularly Monitor and Update DNS Records | Stay vigilant about the DNS records associated with your domain. Review SPF, DKIM and DMARC records whenever you add or drop a sending service, rotate DKIM keys, and read the DMARC aggregate reports delivered to your rua address: they show which servers are sending as your domain and whether they pass authentication. |
| 2 | Use Dedicated Email Security Solutions | Invest in dedicated email security solutions that offer advanced threat detection, filtering and protection. These can identify and block malicious emails before they reach your recipients. Unless you have the staff to run and patch it, don't host your own email service; these days, use a managed platform like Gmail. |
| 3 | Educate Your Team | Train your team to recognize and report suspicious emails. Conduct regular awareness programs to keep everyone informed about the latest email security threats and best practices. |
| 4 | Enforce Strong Password Policies | Ensure that all accounts associated with your domain have strong, unique passwords. Enforce password policies to mitigate the risk of unauthorized access. |
| 5 | Enforce 2FA / MFA | Enforce 2FA or MFA for all email accounts associated with your domain. This adds an extra layer of protection by requiring users to provide a second form of verification, such as a code from a mobile app, in addition to their password. |
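Monitoring DMARC means reading the aggregate reports receivers send to the rua address, which arrive as zipped XML and are unreadable by eye at any volume. The script below is an added example, not code from the original post, that summarizes one such report: which source IPs sent mail as your domain, how many messages each sent, and whether they were authenticated. The embedded report is a constructed sample in the aggregate-report format (hypothetical domain, addresses and counts); a real report is unzipped from the attachment first, then its XML text is passed to summarize_report().

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not code from the original post. SAMPLE_REPORT is a
constructed report in the RFC 7489 aggregate format; the domain, source
IPs and counts are hypothetical.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def classify(dkim, spf):
    """Interpret the aligned DKIM/SPF verdicts the receiver recorded for a source."""
    if dkim == "pass" and spf == "pass":
        return "ok"
    if dkim == "pass":
        return "ok (DKIM only; typical of forwarded mail, where SPF breaks on relay)"
    if spf == "pass":
        return "ok (SPF only; add DKIM signing for this source)"
    return "UNAUTHENTICATED: spoofing or a sender missing from SPF/DKIM"


def summarize_report(xml_text):
    """Aggregate message counts per source IP and per authentication outcome."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "failed": 0, "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        summary["total"] += count
        # DMARC passes when either aligned mechanism passes.
        if dkim == "pass" or spf == "pass":
            summary["passed"] += count
        else:
            summary["failed"] += count
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "disposition": row.findtext("policy_evaluated/disposition"),
            "verdict": classify(dkim, spf),
        })
    # Largest senders first: the top unauthenticated source is what to investigate.
    summary["sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} saw {s['total']} messages for {s['domain']} (p={s['policy']}): "
          f"{s['passed']} passed, {s['failed']} failed")
    for src in s["sources"]:
        print(f"  {src['ip']:<16} {src['count']:>5}  {src['disposition']:<10} {src['verdict']}")
```

In the sample, 198.51.100.7 sent 35 messages that failed both checks and were quarantined: either someone is spoofing the domain or a legitimate service was never added to SPF and DKIM, and the report is how you find out which. The 8 DKIM-only messages are the pattern forwarding produces, and they are exactly why DKIM is worth deploying alongside SPF.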
Email Security Is for All Domain Owners
Whether you're a small business or a large conglomerate, email security is imperative if you send mail from your own domain. The recommendations above are both technical (records you publish in DNS) and administrative (configurations and maintenance steps you take). Doing both is what materially improves your email security; the records without the monitoring and account hygiene leave real gaps, and vice versa.
For those that use their domains for email campaigns, be mindful of changes being rolled out by Google, like the ones released last week. This update focuses on validation, that is, verifying that the sender is who they claim to be, and it asks senders to do three things:
- Authenticate their email;
- Enable easy unsubscription;
- Ensure they’re sending wanted email;
The three DNS records in this post (SPF, DKIM and DMARC) are exactly what the first requirement asks for. The other two concern how you send rather than what you publish in DNS: easy unsubscription is met with the List-Unsubscribe headers that enable one-click unsubscribe, and "wanted email" means keeping complaint rates low. There are a few additional requirements, so I recommend you read more here on their guidelines.