
I have an email service on the domain example.com. How can I protect it from spoofing of USER email addresses in the From header?

Scenario:

Attacker sends email from malory@example.com - connects to my SMTP service, authenticates correctly as malory and sends a message with the header From: alice@example.com

SPF can't help, because the attacker uses my legitimate SMTP service, has their own account and authenticates correctly.

DKIM can't help either, for the same reasons - the attacker uses a real, legitimate email account, so the message has proper digital signatures.

DMARC can't help, because it only checks whether the envelope and RFC5322.From domains match, not user accounts.

Is there any way to check whether the envelope and From WHOLE addresses match? How can I properly protect the SMTP service against spoofing?

Thanks for the help!

puceduw
  • This is up to your mail server settings, validating from addresses. Mailinabox.email includes this in its standard config using postfix, so maybe look at their config. – Synchro Nov 08 '17 at 15:19
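The check the question asks for, implemented as a submission-time policy: the authenticated SASL login must own both the envelope MAIL FROM address and every address in the RFC 5322 From header. This is an added example, not code from the question, the comment or Mail-in-a-Box; the login-to-address map is a constructed sample, and a real server would call a function like this from a milter or submission hook.

```python
"""Submission policy: the SASL login must own the envelope sender and all
From-header addresses. Added example; SENDER_LOGIN_MAP is constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: login name -> addresses that login may send as.
# A login may own several addresses (aliases), but never another user's.
SENDER_LOGIN_MAP = {
    "malory": {"malory@example.com"},
    "alice": {"alice@example.com", "a.smith@example.com"},
}


def _norm(addr: str) -> str:
    # Compare case-insensitively; mailboxes here are treated as case-insensitive.
    return addr.strip().lower()


def allowed_addresses(login: str) -> set:
    return {_norm(a) for a in SENDER_LOGIN_MAP.get(login, set())}


def check_submission(login: str, envelope_from: str, raw_message: str):
    """Return (accepted, reason). Rejects any address the login does not own."""
    allowed = allowed_addresses(login)
    if not allowed:
        return False, f"unknown login {login!r}"

    # Envelope sender (MAIL FROM); a null sender '<>' normalises to '' and is rejected.
    env = _norm(parseaddr(envelope_from)[1])
    if env not in allowed:
        return False, f"envelope sender {env!r} not owned by login {login!r}"

    # Header From may carry a display name and, in principle, several mailboxes.
    msg = message_from_string(raw_message)
    header_addrs = [_norm(a) for _, a in getaddresses(msg.get_all("From", []))]
    if not header_addrs:
        return False, "missing From header"
    for addr in header_addrs:
        if addr not in allowed:
            return False, f"header From {addr!r} not owned by login {login!r}"
    return True, "ok"
```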

1 Answer


In order to prevent spoofing in your case, your email server example.com would have to include a DKIM-Signature message header that resolves to your own domain. This would only work if the private encryption key used is unique to your organization and not shared among service users, as you pointed out.

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=subdomain; d=mydomain.com; ...

To accomplish this, your email server would need to provide you with the public key or publish it on their own domain. In the latter case, you would point to the public key using a DNS CNAME record.

TXT subdomain._domainkey.mydomain.com "p=..."

OR

CNAME subdomain._domainkey.mydomain.com uniqueid.xxx.example.com
Scriptonomy