Block spam and phishing emails sent from domains you don’t use by configuring DNS records

Email spoofing is a technique used by cyber attackers to send fraudulent email messages, making them appear to come from a legitimate sender. As we have mentioned in many of our articles, the sender of an email is easily falsified. In another article we saw how each user can check where an email comes from and who sent it. It often happens that domain names left unused for a long time are exploited by bad actors. Here is how to block spam and phishing emails sent from domains that are not used (for example, domains that are registered but remain "parked" for a long time).

Prevent email spoofing and block spam and phishing through email

One of the most effective ways to prevent email spoofing is to configure the domain's DNS settings correctly. Since February 2024, Google and Yahoo have introduced new rules to block potentially unwanted emails. The policy concerns all senders that send at least 5,000 emails (bulk mailing) in a single day.

To prevent your unused domains from being exploited by third parties for sending fraudulent emails, it is advisable to follow some steps that are particularly effective. We look at them briefly below.

Set a NULL MX record

The MX (Mail Exchange) record is commonly used to tell email servers which systems they should deliver messages destined for a specific domain to.

When a domain is not used for sending and receiving emails, it is advisable to set a NULL MX record, so that email servers reject emails from that domain. An example configuration is as follows:

nomedeldominio.abc. 1 IN MX 0 .

Configure the SPF record

SPF (Sender Policy Framework) is a standard designed to provide valuable assistance in combating activities aimed at falsifying the sender’s address.

IT administrators create a list of servers authorized to send emails on behalf of a specific domain. When an email is received, the destination server checks the authenticity of the sender by comparing the IP address of the sending server with the list of authorized servers published in the domain's SPF record.

For “parked” domains, which do not need to send and receive emails, the following configuration can be used:

nomedeldominio.abc. 1 IN TXT "v=spf1 -all"

The SPF record establishes a very restrictive policy for the specified domain. In the SPF qualifier mechanism, the minus sign ("-") followed by all indicates that all emails from the domain should fail SPF verification. In other words, the configuration specifies that email servers should reject all emails that do not come from authorized servers (and no authorized servers are specified).

Set up a DKIM record

DomainKeys Identified Mail (DKIM) is an email authentication method that allows you to verify that each message comes from a legitimate sender and that its content has not been modified in transit.

Configuring a DKIM record for a domain adds a digital signature to the header of all emails sent, allowing receiving email servers to verify the authenticity of the emails they handle. An example configuration for unused domains is as follows:

*._domainkey.nomedeldominio.abc. 1 IN TXT "v=DKIM1; p="

The first part of the directive uses a wildcard selector, which can be used to extend the p= policy to the domain and all subdomains. The p= option specifies the DKIM public key for the domain. Since, in this case, no key is given, the DKIM check of the sender's authenticity automatically fails and the email delivered to the recipient is reported as unauthorized.

Create a DMARC Policy

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard allows domain owners to specify how emails that fail SPF and DKIM checks should be handled. Configuring a DMARC policy for a domain allows you to specify whether emails carrying that domain in the sender address should be accepted, rejected or subjected to further checks. An example configuration is as follows:

_dmarc.nomedeldominio.abc. 1 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"

The command configures a DMARC record for the specified domain: the very restrictive policy means that emails that do not pass the SPF and DKIM checks are automatically rejected, both for the main domain and for its subdomains.

Avoid problems with domains not sending emails

This paragraph provides detailed instructions on how to correctly verify and configure the DNS settings for a domain that does not send emails, in order to prevent spoofing and phishing attacks. The use of well-known commands such as nslookup, dig and host, depending on the operating system in use, allows you to check and confirm the DNS records of the domain not used for sending and receiving email messages.

host -t MX nomedeldominio.abc
Returns the MX (Mail Exchange) records for the specified domain. These are the email servers authorized to receive emails for the domain.

host -t TXT nomedeldominio.abc
Returns the TXT records for the domain. They may contain additional information such as domain security policies.

host -t TXT '*._domainkey.nomedeldominio.abc'
Returns the TXT records for the specified DKIM subdomain (the name is quoted so the shell does not expand the asterisk). This way you get information about the DKIM public keys used to sign emails.

host -t TXT _dmarc.nomedeldominio.abc
Returns the TXT records for the DMARC subdomain. These contain information about the email authentication policies for the domain.
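As an added example (not part of the original article), the following Python function checks the record data returned by the lookups above against the parked-domain profile described in this article: a null MX, `v=spf1 -all`, an empty DKIM key and a DMARC reject policy. The record strings are constructed inline, so it runs without network access; the WEAK sample is a made-up misconfigured domain.

```python
import re
from typing import Dict, List, Optional

def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' DKIM/DMARC string into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_parked_domain(mx: List[str], spf: Optional[str], dkim: Optional[str],
                        dmarc: Optional[str]) -> List[str]:
    """Return findings that deviate from the parked-domain profile; [] means compliant."""
    findings = []
    # Null MX (RFC 7505): a single record with preference 0 and target "."
    if not (len(mx) == 1 and re.fullmatch(r"0\s+\.", mx[0].strip())):
        findings.append(f"MX: expected null MX '0 .', got {mx or 'none'}")
    # SPF: exactly 'v=spf1 -all', i.e. no authorized senders and a hard fail
    if spf is None or spf.strip().lower() != "v=spf1 -all":
        findings.append(f"SPF: expected 'v=spf1 -all', got {spf!r}")
    # DKIM: wildcard selector publishing an empty key, so every signature fails
    dk = parse_tags(dkim or "")
    if dk.get("v", "").upper() != "DKIM1" or dk.get("p") != "":
        findings.append(f"DKIM: expected 'v=DKIM1; p=' (empty key), got {dkim!r}")
    # DMARC: reject for domain and subdomains, strict SPF and DKIM alignment
    dm = parse_tags(dmarc or "")
    if dm.get("v") != "DMARC1":
        findings.append(f"DMARC: missing or invalid record {dmarc!r}")
    else:
        for tag, want in {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}.items():
            got = dm.get(tag)
            if tag == "sp" and got is None:
                got = dm.get("p")  # sp defaults to p when it is absent
            if got != want:
                findings.append(f"DMARC: {tag}={got!r}, expected {want!r}")
    return findings

# Constructed sample records: the profile from the article ...
HARDENED = {"mx": ["0 ."], "spf": "v=spf1 -all", "dkim": "v=DKIM1; p=",
            "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"}
# ... and a constructed weak domain (real MX, soft-fail SPF, no DKIM, monitor-only DMARC)
WEAK = {"mx": ["10 mail.example.invalid."], "spf": "v=spf1 ~all", "dkim": None,
        "dmarc": "v=DMARC1; p=none"}

if __name__ == "__main__":
    for name, recs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_parked_domain(**recs) or ["OK"])
```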
