Your email domain is being abused…

Your email domain is being abused by bad actors worldwide if you’re not taking the steps below. You need to protect your email domain. When these steps are properly implemented, you should see a deliverability boost of 10% or more. I’ll cover the deliverability boost further down.

I had no visibility into what was happening with my email domains being abused until we set up SPF, DKIM, and DMARC with a SaaS provider.

Once set up, I was amazed at how many spammers from China, Russia, Korea, Romania, Nigeria, and other countries used my domain names to send emails. Once I saw what was going on, I could understand my 23-year-old domain being abused (yes, my first website was registered in 1998!), but I was surprised that even domains that were just a few weeks old were being abused.

Now I started to realize that my email reputation was at stake. I needed to get this fixed; otherwise, my ability to do business was at risk if my domains got blocklisted.

Example

Recently, bad actors from Korea and China tried to use one of my newly created domains to send emails, as shown below. We had already configured SPF, DKIM, and DMARC, so all emails were rejected.

What do you need to do?

Hopefully, you’re grasping the importance and severity of the situation by now. What do you need to do? Well, you or your team needs to:

  • add three important TXT records to your domain’s DNS: the SPF, DKIM and DMARC records.
  • receive and analyze email reports OR use a SaaS provider to receive, analyze and generate reports (more on this later).

SPF Record

The Sender Policy Framework (SPF) record in your DNS allows Internet Service Providers (ISPs) and Email Service Providers (ESPs) to verify that your email servers are authorized to send email from your domain.

v=spf1 include:example.com -all

DKIM Record

The DomainKeys Identified Mail (DKIM) record contains a public key that receiving servers use to verify a message’s signature. The email provider provides the key. As of this writing, GoDaddy does not support or provide this, which is one of several reasons I have my emails hosted by RackSpace.

v=DKIM1; k=rsa; p=[long string of characters making up the public key]

DMARC Record

The DMARC record includes the action to take if SPF and/or DKIM fail and where to send the reports.
The policy is what follows “p=”. Start with none and gradually move to quarantine and finally reject if possible.

  1. none – this allows monitoring but takes no action. Use this to gather data for the DMARC reports. Thorough examination of reports is necessary in order to ensure proper settings before setting to #2 or #3 below.
  2. quarantine – this instructs receiving email servers to put the email in a junk / spam folder. Not all email services honor this setting.
  3. reject – this instructs receiving email servers to reject (bounce) the message.

v=DMARC1; p=none; rua=mailto:[email protected];
v=DMARC1; p=quarantine; rua=mailto:[email protected];
v=DMARC1; p=reject; rua=mailto:[email protected];

The email address to deliver reports to follows “rua=”. You can either:

  1. set up a dedicated email account to receive the emails and then create a process to parse and generate reports. This is cumbersome, time-consuming and expensive, and it requires a high level of expertise.
  2. use a service like DMARCIAN or DMARCLY to do all the heavy lifting for you. Their services vary from free to paid. I highly recommend going this route.

Improve Deliverability

Okay, do you want to know what could boost your email deliverability by 10% or more? Especially for email campaigns?

As noted above, the SPF record needs to have your email servers’ domain name(s) – which is not always the same as your company’s domain. I have my sites hosted at GoDaddy, and my email servers are at Rackspace with a different domain name. If you forget a server, its emails will be rejected with p=reject.

When you are comfortable with the SPF and DKIM settings, you’ll update p=quarantine to p=reject in the DMARC record, which will boost deliverability because ISPs and ESPs will view your emails as more trustworthy.

Setting this up is pretty straightforward for small- and medium-sized businesses. It is more time-consuming for larger companies with many email servers and/or services. If you carefully plan, communicate and review the reports that show email sources, the implementation should not be disruptive.

If you need help or have questions, reach out to us at [email protected].