Domain-Based Email Security Best Practices
## The Email Security Threat Landscape
Your domain is an identity. When someone sees an email from `@yourcompany.com`, they associate it with your brand and the trust you've built. Attackers know this — which is why email spoofing, phishing using your domain name, and business email compromise (BEC) attacks are among the most common and damaging cyber threats.
The good news: most domain-based email security is implemented through DNS (Domain Name System) records and Email Hosting settings that you control. This guide covers the full security stack, from authentication records to account hardening to ongoing monitoring.
## Layer 1: Authentication Records (Foundation)
### SPF: Define Authorized Senders
SPF Record declares which mail servers can legitimately send email from your domain. Configure it with the minimum set of authorized senders:
```
v=spf1 include:_spf.google.com -all
```
Use `-all` (hard fail) rather than `~all` (soft fail) for strict security. This tells receiving servers to reject any email not coming from authorized sources — not just mark it as suspicious.
If you use multiple legitimate sending services (Google Workspace + a marketing platform + a transactional service), include all of them but keep the list as short as possible:
```
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all
```
Review and audit your SPF record quarterly. Remove services you no longer use. Every `include:` is a potential security surface.
### DKIM: Cryptographic Message Signing
DKIM provides cryptographic proof that email claiming to be from your domain was actually signed by you. Receiving servers verify the signature against the public key published in your DNS.
**Use 2048-bit keys** (not 1024-bit, which is cryptographically weak):
- Google Workspace now generates 2048-bit keys by default
- If you have old 1024-bit DKIM keys, rotate them to 2048-bit
**Rotate DKIM keys annually** as a security hygiene practice:
1. Generate a new key pair in your email provider's admin console with a new selector name
2. Publish the new public key as a TXT record in DNS under the new selector (e.g., `dkim2026._domainkey`)
3. Wait for DNS Propagation
4. Switch the email provider to sign with the new key
5. Keep the old key's DNS record for 7–14 days (for email in transit), then delete it
### DMARC: Policy Enforcement and Reporting
DMARC is where authentication becomes security policy. Start with monitoring, then enforce:
**Phase 1 (Monitoring):**
```
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
```
**Phase 2 (Quarantine):**
```
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]
```
**Phase 3 (Reject — Full Protection):**
```
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]
```
At `p=reject`, any email claiming to be from your domain that fails both SPF alignment and DKIM alignment is rejected outright by receivers that enforce DMARC. This effectively closes off direct spoofing of your exact domain at those receivers (lookalike domains are a separate problem, covered in Layer 5).
**Critical**: Cover your subdomains with `sp=reject`:
```
v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]
```
Without `sp=`, attackers can spoof `billing.yourdomain.com` or `support.yourdomain.com` even if your main domain is protected.
### Protecting Domains That Don't Send Email
Every domain you own — even parked domains — should have anti-spoofing records. Attackers specifically target secondary domains because organizations often neglect their authentication:
```
# For domains that never send email:
MX @ 0 . (null MX)
TXT @ v=spf1 -all (reject all senders)
TXT _dmarc v=DMARC1; p=reject; rua=mailto:[email protected]
```
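A DMARC record parser, added as an example that is not part of the original guide, serving both the policy phases above and the non-sending-domain lockdown: `dmarc_phase` classifies a record into the three rollout phases and derives the effective subdomain policy (per RFC 7489, a record without `sp=` applies `p=` to subdomains, so setting `sp=reject` explicitly makes that guarantee visible), and `is_locked_down` checks that a parked domain carries the null MX, `v=spf1 -all` and `p=reject` records. The `dmarc@example.test` addresses are constructed stand-ins for your reporting mailbox.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_phase(record: str) -> dict:
    """Classify the record into the guide's phases (1=none, 2=quarantine, 3=reject)
    and derive the effective subdomain policy (RFC 7489: missing 'sp' inherits 'p')."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    sub_policy = tags.get("sp", policy)
    pct = int(tags.get("pct", "100"))
    phase = {"none": 1, "quarantine": 2, "reject": 3}.get(policy, 0)
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "sp" not in tags:
        findings.append(f"sp= not set explicitly (subdomains inherit p={policy}); set sp=reject")
    if sub_policy != "reject":
        findings.append(f"effective subdomain policy is {sub_policy}, not reject")
    return {"phase": phase, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "findings": findings}


def is_locked_down(mx_records: list, spf: str, dmarc: str) -> bool:
    """True when a non-sending domain has all three records the guide prescribes:
    a null MX (RFC 7505, priority 0 pointing at '.'), 'v=spf1 -all', and DMARC p=reject."""
    null_mx = len(mx_records) == 1 and mx_records[0] == (0, ".")
    spf_deny_all = spf.split() == ["v=spf1", "-all"]
    try:
        tags = parse_dmarc(dmarc)
    except ValueError:
        return False
    return null_mx and spf_deny_all and tags.get("p") == "reject" and tags.get("sp", "reject") == "reject"
```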
## Layer 2: BIMI — Brand Indicators for Message Identification
BIMI (Brand Indicators for Message Identification) is an emerging standard that displays your logo next to emails in supporting clients (Gmail, Apple Mail, Yahoo Mail). Beyond branding, it's a security signal — legitimate verified senders display logos, making spoofed emails more obviously wrong.
BIMI requires:
1. DMARC at `p=quarantine` or `p=reject`
2. A Verified Mark Certificate (VMC) from a CA like DigiCert or Entrust (requires trademark registration)
3. A BIMI TXT record pointing to your logo in SVG format
```
TXT default._bimi v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/authority.pem
```
BIMI is optional and the VMC is an added cost, but for organizations where email trust is business-critical, it provides visible authentication that protects against phishing.
## Layer 3: Account Security
### Multi-Factor Authentication (MFA)
Enable MFA on every account that has access to:
- Your Email Hosting admin console
- Your domain's Domain Registrar account
- Your DNS provider
A compromised admin account can change MX records to redirect your email elsewhere, change nameservers to an attacker-controlled provider, or delete your domain. MFA dramatically reduces this risk.
Use hardware security keys (FIDO2/WebAuthn) as the strongest MFA option. Authenticator apps (TOTP) are a good second choice. SMS-based MFA is better than nothing but vulnerable to SIM-swapping.
### Privileged Access Management
Limit who has admin access to your email and DNS infrastructure:
- **Principle of least privilege**: Users should have only the access they need
- **Separate admin accounts**: Create dedicated admin accounts distinct from regular-use accounts
- **Audit access regularly**: Review who has admin access quarterly and remove former employees immediately
### Domain Registrar Security
Apply **registry lock** (also called registrar lock) to high-value domains. This prevents transfer, deletion, or nameserver changes without additional out-of-band verification — making it much harder for attackers to perform domain hijacking even if they compromise your Domain Registrar credentials.
Most registrars offer a free basic lock (prevents unauthorized transfers) and a premium registry lock (requires phone verification or notarized documents for any change). For mission-critical domains, premium registry lock is worth the cost.
Enable **WHOIS privacy** (or RDAP privacy) to conceal your contact information from public WHOIS lookups. This prevents targeted phishing using your contact details.
### Email Account Security
Secure the mailboxes themselves:
- **Strong, unique passwords**: Use a password manager; every email account gets a different password
- **MFA on all accounts**: Every user's mailbox, not just admins
- **Monitor for suspicious logins**: Google Workspace and Microsoft 365 both provide login activity dashboards
- **Session management**: Review active sessions and revoke unexpected ones
## Layer 4: Monitoring and Detection
### DMARC Reporting
DMARC aggregate reports (RUA) show you who is sending email claiming to be from your domain. Review them weekly or use a service that alerts on anomalies:
- **dmarcian.com**: DMARC report parsing and visualization (free tier available)
- **Valimail**: Automated DMARC enforcement with source detection
- **EasyDMARC**: User-friendly dashboard for DMARC reports
Watch for:
- Unknown IP addresses appearing in SPF results
- New sending services you don't recognize
- DKIM failures from your authorized senders (may indicate configuration drift)
- Sources sending large volumes without DKIM signing
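The triage described above, run over a constructed DMARC aggregate (RUA) report rather than a real one; this is added example code, not part of the original guide. It raises the three alerts the list names: a source IP outside your known-sender set, an authorized sender whose messages fail DKIM (likely selector or key drift), and any source pushing volume without a passing DKIM signature. The IP addresses and the `KNOWN_SENDERS` set are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report, trimmed to the fields the triage uses.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>900</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

KNOWN_SENDERS = {"203.0.113.10"}  # constructed: IPs of your authorized sending services


def triage_rua(xml_text: str, known: set, volume_threshold: int = 100) -> list:
    """Return one alert dict per finding the guide says to watch for."""
    root = ET.fromstring(xml_text)
    alerts = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        if ip not in known:
            # Unknown IP claiming your domain: a new service or an attacker.
            alerts.append({"type": "unknown_source", "ip": ip, "count": count})
        elif dkim != "pass":
            # An authorized IP failing DKIM usually means selector/key drift.
            alerts.append({"type": "dkim_drift", "ip": ip, "count": count})
        if dkim != "pass" and count >= volume_threshold:
            alerts.append({"type": "unsigned_volume", "ip": ip, "count": count})
    return alerts
```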
### Email Notification for Account Changes
Set up alerts in your email provider's admin console for:
- New admin account creation
- MX record changes (if your provider tracks this)
- Unusual login activity or locations
- Forwarding rule changes
Google Workspace offers Workspace Alerts Center. Microsoft 365 provides alerts in the Security and Compliance Center.
### DNS Change Monitoring
Changes to your DNS records — especially MX records, nameservers, and authentication records — should trigger alerts. Services that monitor DNS changes include:
- **Uptime monitoring services**: Many include DNS monitoring (Uptime Robot, Better Uptime)
- **Cloudflare**: If your domain uses Cloudflare DNS, you can set up audit log webhooks
Unexpected MX Record changes are a major red flag: it could indicate your Domain Registrar account was compromised and an attacker is redirecting your email to their server.
## Layer 5: Preventing Business Email Compromise (BEC)
BEC attacks don't necessarily spoof your exact domain — they use lookalike domains (`yourcompany-billing.com` vs `yourcompany.com`) or display name spoofing (a familiar display name such as `Accounts Payable` placed over an unrelated sending address).
**Register defensive domains**: Own common variations of your primary domain:
- Common misspellings (`yoourcompany.com`, `yourcompamy.com`)
- Hyphenated versions (`your-company.com`)
- Alternative TLDs (`.net`, `.co`, `.org` if you use `.com`)
Configure null MX and SPF `-all` on all defensive registrations so they can't send email even if obtained.
**Train employees** to:
- Verify unusual financial requests via phone using known contact numbers
- Be suspicious of urgent payment or wire transfer requests via email
- Check the actual From address (not just the display name)
- Confirm domain names character by character for high-stakes transactions
**Implement technical controls**:
- Microsoft 365 and Google Workspace can flag external emails with banners ("This email came from outside your organization")
- Configure mail flow rules to alert on emails containing keywords like "wire transfer", "urgent payment", "gift cards"
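The technical controls above, expressed as an inbound-mail classifier that an admin could use to decide which messages get a banner or a review; this is added example code, not from the original guide or any vendor product. It flags external senders, lookalike domains (your name embedded in another domain, or a spelling within two edits of it), a display name that matches a real employee but arrives from a different address, and the payment keywords the guide lists. `OUR_DOMAIN`, the `EMPLOYEES` directory and the sample messages are constructed.

```python
OUR_DOMAIN = "yourcompany.com"
EMPLOYEES = {"alice chen": "alice@yourcompany.com"}  # constructed directory: display name -> address
KEYWORDS = ("wire transfer", "urgent payment", "gift cards")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(display_name: str, from_addr: str, subject: str, body: str) -> list:
    """Return the reasons an inbound message should get a warning banner or a review."""
    flags = []
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain != OUR_DOMAIN:
        flags.append("external_sender")
        # Lookalike: our name embedded in another domain, or a near-miss spelling.
        base = OUR_DOMAIN.split(".")[0]
        if base in domain or edit_distance(domain, OUR_DOMAIN) <= 2:
            flags.append("lookalike_domain")
        # Display name of a real employee, but the address is not that employee's.
        known = EMPLOYEES.get(display_name.strip().lower())
        if known and known != from_addr.lower():
            flags.append("display_name_spoof")
    text = f"{subject} {body}".lower()
    if any(k in text for k in KEYWORDS):
        flags.append("payment_keywords")
    return flags
```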
## Email Security Checklist
Use the DNS Record Helper to verify each of these is correctly configured:
**DNS/Authentication:**
- [ ] SPF Record with `-all` qualifier
- [ ] DKIM with 2048-bit key configured and enabled
- [ ] DMARC at `p=reject` with `sp=reject`
- [ ] Null MX and SPF `-all` on all non-sending domains
- [ ] DMARC record on all subdomains that send email
**Account Security:**
- [ ] MFA enabled on Domain Registrar account
- [ ] MFA enabled on DNS provider account
- [ ] MFA enabled on email provider admin console
- [ ] MFA enabled on all email user accounts
- [ ] Registrar lock enabled on primary domain
- [ ] WHOIS privacy enabled
**Monitoring:**
- [ ] DMARC report parsing service configured
- [ ] DNS change monitoring in place
- [ ] Email admin audit log alerts configured
## Next Steps
- **SPF, DKIM, DMARC: Email Authentication Trilogy** — Technical configuration of authentication records
- **Email Deliverability: How Domain Reputation Matters** — Security and reputation are interlinked
- **Troubleshooting Email Delivery Issues** — Debug authentication failures
- **Custom Email with Your Domain: Complete Setup Guide** — Foundation for all email security