
I own a custom domain that I use for e-mail. The mail server is configured with a catch-all that redirects messages to any user to my inbox. For the first time this afternoon, I received a benign "auto-reply" to a message ("I'm driving and will get back to you later") that was "sent by" accnt966.wellsfargobanking.online02921@mydomain.com and sent to some phone number @vtext.com (which seems to be Verizon).

My domain is configured with SPF, which previously seemed effective at preventing spammers from spoofing the use of my domain (based on no longer receiving bounced messages). However, it seems pretty clear that someone managed to send a text message that looked like it came from my domain. Do I need to configure anything else to prevent this? Is this Verizon's fault for not checking? Or should I conclude that someone was able to send spam from my email provider?

zneak

2 Answers

Only using SPF, DKIM and DMARC does not protect you from spoofing addresses.

SPF supports "fail" and "soft fail". Some mail providers are using "soft fail" because it is like a debugging flag, which means "the sender is not valid, but I will accept it".

If you want to stop spoofing, you should use "fail" in your SPF record. If you import the rules from your provider, you can override the qualifier. Only the last qualifier is important.

With SPF, the attacker should not be able to use a different server. If you are in a hosted environment, another user can spoof your address if the server does not check whether the user is allowed to use the mail address.

In 2020, Google was affected by such a vulnerability: https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/

Using DKIM and DMARC, the server signs your email and the recipient can be sure that the email was sent from a valid server and the user was allowed to send emails with this address.

RFC 7489 (https://www.rfc-editor.org/rfc/rfc7489) defines the behavior of DMARC and the "From:" field in chapter 3.1:

> Thus, this field is the one used by end users to identify the source of the message and therefore is a prime target for abuse. Many high-profile email sources, such as email service providers, require that the sending agent have authenticated before email can be generated. Thus, for these mailboxes, the mechanism described in this document provides recipient end users with strong evidence that the message was indeed originated by the agent they associate with that mailbox, if the end user knows that these various protections have been provided.

This means that if you are using SPF, DMARC and DKIM, the sender field "From:" is trusted.

~~The DKIM signature is not like S/MIME or PGP, it is a server signature, which only protects the headers and not the body of the mail.~~

Manfred Kaiser
  • This is mostly correct excluding the last sentence: DKIM also signs the message body by providing a `bh=` *body hash* ([RFC 6376, 3.7](https://tools.ietf.org/html/rfc6376#section-3.7)). – Esa Jokinen Jan 12 '21 at 20:44
  • Thanks for the improvement. I have struck out the last sentence. – Manfred Kaiser Jan 13 '21 at 07:16

SPF (RFC 7208) only protects the envelope sender used in the SMTP MAIL FROM command. It doesn't prevent spoofing the From header, which is part of the message. DMARC (RFC 7489) is designed to protect that: it tells the receiver what to do if the domain used in the From header doesn't align, i.e. match, with the envelope sender passing SPF or a valid DKIM (RFC 6376) signature.

Esa Jokinen
  • And all of SPF, DKIM and DMARC require that the recipient actually checks these policies, i.e. just setting up DNS entries and signing outgoing mails (DKIM) is not sufficient to prevent spoofing. And many recipients don't actually check these policies. – Steffen Ullrich Jan 12 '21 at 06:29
  • Naturally, but without them the game is already lost. – Esa Jokinen Jan 12 '21 at 06:35
  • So, what is the implication of this? Someone is _actually_ sending spam from my mail provider but only to Verizon users? – zneak Jan 12 '21 at 17:08
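As an added example (not code from either answer), the following Python script shows the two points made above: which result the `all` term of an SPF record gives to a sender that is not listed, and how DMARC alignment compares the From: header domain with the SPF-passing MAIL FROM domain and the DKIM `d=` domain. The spammer domain, the two-label organizational-domain shortcut and the scenario values are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Qualifier characters allowed in front of an SPF mechanism (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_result(record: str) -> str:
    """Result for a sender matching none of the listed mechanisms: the first
    "all" term ends evaluation (an "all" inside an include:d record does not
    propagate, so the qualifier in your own record is the one that counts);
    with no "all" term at all the default is neutral."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return QUALIFIERS[m.group(1) or "+"]
    return "neutral"

def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels; a real
    DMARC implementation consults the Public Suffix List instead."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def dmarc_pass(from_header, mail_from, spf_result, dkim_domain, dkim_valid,
               aspf="r", adkim="r"):
    """Identifier alignment from RFC 7489, section 3.1: pass when SPF passed for
    a MAIL FROM domain aligned with the From: domain, or a valid DKIM signature
    carries an aligned d= domain. "s" = strict (exact), "r" = relaxed (same org)."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()

    def aligned(other, mode):
        if not other or not from_domain:
            return False
        if mode == "s":
            return other.lower() == from_domain
        return org_domain(other) == org_domain(from_domain)

    spf_aligned = spf_result == "pass" and aligned(mail_from.rpartition("@")[2], aspf)
    dkim_aligned = dkim_valid and aligned(dkim_domain, adkim)
    return spf_aligned or dkim_aligned

if __name__ == "__main__":
    # Constructed scenario from the question: SPF passes for the spammer's own
    # envelope domain, but the From: header claims mydomain.com, so DMARC fails.
    print(spf_all_result("v=spf1 include:_spf.example.net ~all"))  # softfail
    print(dmarc_pass("accnt966.wellsfargobanking.online02921@mydomain.com",
                     "bounce@spammer.example", "pass", None, False))  # False
```

The second call is the situation in the question: an SPF pass for the envelope sender says nothing about the From: header, and only a receiver that evaluates DMARC alignment (and a published `p=reject` or `p=quarantine` policy) turns that mismatch into a rejection.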