1 comment

[ 0.27 ms ] story [ 14.7 ms ] thread
Domain spoofing, a fraudulent practice where attackers impersonate a domain they don't own to send misleading emails, often with nefarious intentions like phishing or spreading malware, is a significant problem for domain owners. Domain authentication measures like DMARC, DKIM, and SPF work well in tandem to protect domains from spoofing on the open internet. Unfortunately, a weakness in DMARC leaves domain owners vulnerable to spoofing attacks if their SPF record authorizes a large shared IP address space to send emails from the domain, such as the Microsoft 365 service, the Google Workspace service, or a transactional email-sending service like MailChannels.

This problem is so acute that the working group preparing the next version of DMARC is debating whether to remove SPF from the next iteration of the DMARC standard. As an example of the severity of the problem, UPS recently fell victim to an impersonation attack in which a phishing gang could get Gmail to render the official UPS logo next to messages sent by the attacker, even though DMARC would normally prevent this. The Gmail team had to scramble a priority 1 response, changing how it interprets SPF record lookups when authorizing the display of logos for major brands within Gmail. “It passed DMARC because UPS use Microsoft for email (and it’s in their SPF record), so you just need to send it from any Microsoft account.”

To fight this problem, MailChannels has created a DNS-based solution it is calling Domain Lockdown, allowing domain owners to lock their domains to specific MailChannels accounts and sender-ids to prevent others from spoofing them in the service from different accounts.