A Guide to Email Security for Domain Owners

Email is a critical piece of our technical stack as business owners. This is especially true if you’re using your domain for emails (e.g., tony@noc.org vs tony@gmail.com). Ensuring the security of this piece of our tech stack is imperative.

Email has proven an easy vector to abuse, contributing to successful phishing campaigns, account takeovers, spoofing and a slew of other nefarious actions by bad actors. This article aims to combat this by providing you with security best practices that can be easily implemented to reduce the risks introduced by these threats.

Domain Records To Improve Email Security

If you own your domain and run email off it, you want to be aware of a few records that will help improve your domain's email security. These records are added to your authoritative DNS via the domain's zone file.

A. Implement SPF (Sender Policy Framework): Configure SPF records in your domain's DNS settings. SPF helps prevent email spoofing by specifying which IP addresses are authorized to send emails on behalf of your domain. This ensures that only legitimate servers are recognized as valid senders.
B. Deploy DKIM (DomainKeys Identified Mail): Enable DKIM to add a digital signature to your outgoing emails. This cryptographic signature verifies that the message was sent by an authorized sender and hasn't been tampered with in transit. This significantly enhances the authenticity of your emails.
C. Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance): Implement DMARC policies to further strengthen email authentication. DMARC builds on SPF and DKIM, providing a policy framework to help domain owners protect their domains from unauthorized use.
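As an added example that is not part of the original post, the following Python script audits the three records described above for the weak settings a domain owner most often leaves in place (a permissive SPF "all" qualifier, a revoked DKIM key, a monitor-only DMARC policy). The TXT records are constructed for a hypothetical domain example.test, the selector name sel1 is an assumption, and the DKIM key value is a placeholder.

```python
# Added example: constructed records for a hypothetical domain; the DKIM key is a placeholder.
RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.test ~all",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

def parse_tags(record):  # 'tag=value; tag=value' (DKIM, DMARC) -> dict
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """The 'all' qualifier decides what receivers do with unlisted senders."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: missing or malformed 'v=spf1' record"]
    if "+all" in terms or "all" in terms:
        return ["SPF: '+all' authorizes every host to send as this domain"]
    if "~all" in terms:
        return ["SPF: softfail '~all'; use '-all' once every sender is listed"]
    if "-all" not in terms:
        return ["SPF: no 'all' mechanism, so unlisted senders are neutral"]
    return []

def check_dkim(record):
    """A selector record needs a non-empty public key in 'p='."""
    if not parse_tags(record).get("p"):
        return ["DKIM: selector record missing or key revoked (empty 'p=')"]
    return []

def check_dmarc(record):
    """DMARC only blocks spoofed mail once 'p=' is quarantine or reject."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed '_dmarc' record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: 'p=none' only monitors; spoofed mail still lands")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua=' address, so no aggregate reports")
    return findings

def audit(domain, selector="sel1", records=RECORDS):
    return (check_spf(records.get(domain, ""))
            + check_dkim(records.get(f"{selector}._domainkey.{domain}", ""))
            + check_dmarc(records.get(f"_dmarc.{domain}", "")))
```

Against the constructed records, audit("example.test") flags the softfail SPF and the monitor-only DMARC policy while the DKIM record passes; swap in your own TXT records to audit a real zone.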

Administrative Tasks To Improve Email Security

In addition to the domain records discussed above, there are a few administrative actions you should take:

1. Regularly Monitor and Update DNS Records: Stay vigilant about the DNS records associated with your domain. Regularly review and update SPF, DKIM, and DMARC records to adapt to changes and ensure ongoing security.
2. Use Dedicated Email Security Solutions: Invest in dedicated email security solutions that offer advanced threat detection, filtering, and protection. These solutions can help identify and block malicious emails before they reach your recipients. Please don't run your own email service; these days, look at a platform like Gmail.
3. Educate Your Team: Train your team to recognize and report suspicious emails. Conduct regular awareness programs to keep everyone informed about the latest email security threats and best practices.
4. Enforce Strong Password Policies: Ensure that all accounts associated with your domain have strong, unique passwords. Enforce password policies to mitigate the risk of unauthorized access.
5. Enforce 2FA / MFA: Enforce 2FA or MFA for all email accounts associated with your domain. This adds an extra layer of protection by requiring users to provide a second form of verification, such as a code from a mobile app, in addition to their password.

Email Security is For all Domain Owners

Whether you're a small business or a large conglomerate, email security is imperative if you're using your own domain. The recommendations above are both practical (i.e., records you can leverage) and programmatic (i.e., configurations and maintenance steps to take). Doing both will be instrumental in helping to improve your email security.

For those that leverage their domains for email campaigns, be mindful of changes being rolled out by Google, like the ones released last week. This update specifically focuses on "validation", verifying that the sender is who they claim to be. They are doing this by requiring senders to do three things:

  1. Authenticate their email;
  2. Enable easy unsubscription;
  3. Ensure they’re sending wanted email;

All three record recommendations in this post help address these requirements. There are a few additional ones, so I recommend you read more here on their guidelines.