Using DMARC to protect your domain from spoofing


How do I stop my email address being spoofed?

Posted on 30 January 2020 by Beaming Support


Phishing emails designed to trick recipients into downloading malware or sharing confidential information have proven to be the easiest route into a network for cyber attackers.

We’ve shared plenty of guidance on spotting these kinds of emails and on stopping them from reaching your inbox. But once you know how to deal with email phishing that targets you, how can you stop your email domain being spoofed to target others?

This is where DMARC comes in

DMARC is a way of helping others authenticate emails sent from your domain, and it builds on two existing authentication methods: SPF and DKIM. These two protocols are used to verify that the IP address or server sending an email from your domain is authorised to do so and that the contents of the email haven’t been tampered with.

If an email fails both the SPF and DKIM checks, your DMARC policy tells the receiving mail system whether or not to accept the email, and the receiver generates a report of the result.

For example, if info@yourdomain.com is a genuine email address used by your company then your DMARC policy tells other email servers that it’s okay to trust messages coming from this address, as long as they haven’t been tampered with and originate from a trusted server. If someone were to try sending an email from this address but from a server that’s not trusted, your DMARC policy could tell other email servers to reject the message and to generate a report about why the message was not accepted.

By correctly setting up your DMARC protocol, you can ensure that:

  • Your supply chain and customers have more protection against scams. These users are the most likely to trust a message originating from your domain and therefore fall victim to a spoof email.
  • Cyber criminals are able to see that you have a DMARC record and are less likely to attempt to spoof you.
  • The deliverability of your emails is high, ensuring that email campaigns reach the intended recipients without being filtered into spam or junk folders.
  • You receive insight into how your email domain is being used.

How do I know if my domain has a DMARC record?

If you’re using a reputable email service provider and have stuck with the email address provided by them – for example the @onmicrosoft.com address that comes with an Office 365 account – you possibly won’t need to do anything.

When you have a custom domain name or are unsure about your provider’s policy you can use this tool to check your DMARC record; just enter your domain in the box provided.

If DMARC is not in place, speak to your IT department or provider about getting this set up.

Don’t forget parked domains

To protect your brand you may have bought some domain names that are similar to the one you use for your website and email, to stop them from being used by others. Don’t forget to make sure these non-email sending (parked) domains are also protected by DMARC. The NCSC actually suggests that you tackle these domains first, as they’re easier to deal with and don’t require on-going maintenance.
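As an added example (not from the original article or from Beaming) of what "protected by DMARC" looks like for a parked domain, the checker below takes the DNS records a domain publishes and lists anything that would still let the domain be used for mail. The expected settings follow the usual guidance for domains that never send email: an SPF record that authorises no senders (`v=spf1 -all`), a DMARC record with `p=reject`, and a null MX (`0 .`, RFC 7505) so that nobody expects to deliver mail there. The domain names and record values are constructed; a real check would query DNS for the TXT records at the domain and at `_dmarc.<domain>`, and for its MX records.

```python
# Added example (not from the original article): check the mail-related DNS
# records of a parked (non-email-sending) domain. All record values passed in
# below are constructed for illustration; a real check would fetch them from DNS.
from typing import List


def dmarc_policy(txt_records: List[str]) -> str:
    """Return the p= value of the DMARC record among the TXT records, or '' if absent."""
    for txt in txt_records:
        if txt.strip().lower().startswith("v=dmarc1"):
            for part in txt.split(";"):
                key, _, value = part.strip().partition("=")
                if key.strip().lower() == "p":
                    return value.strip().lower()
    return ""


def check_parked_domain(domain: str, txt_at_root: List[str],
                        txt_at_dmarc: List[str], mx: List[str]) -> List[str]:
    """Return the problems found with a parked domain's records; empty list = OK.

    txt_at_root:  TXT records at the domain itself (where SPF is published)
    txt_at_dmarc: TXT records at _dmarc.<domain>
    mx:           MX exchange names for the domain; a null MX is a single "."
    """
    problems = []

    spf = [t for t in txt_at_root if t.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif " ".join(spf[0].lower().split()) != "v=spf1 -all":
        # Any include:/ip4:/~all here would let some server send as this domain.
        problems.append(f"{domain}: SPF should be 'v=spf1 -all' for a parked domain, got {spf[0]!r}")

    policy = dmarc_policy(txt_at_dmarc)
    if policy == "":
        problems.append(f"{domain}: no DMARC record at _dmarc.{domain}")
    elif policy != "reject":
        problems.append(f"{domain}: DMARC policy is p={policy}; a parked domain should use p=reject")

    if mx != ["."]:
        problems.append(f"{domain}: publish a null MX ('0 .') so no mail is expected here; got {mx}")

    return problems


if __name__ == "__main__":
    # Constructed records for a lookalike domain that was registered purely to protect the brand.
    for problem in check_parked_domain(
        "yourdomain-parked.example",
        ["v=spf1 include:_spf.example.net ~all"],   # still authorises a third party
        ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"],
        ["mail.yourdomain-parked.example"],
    ):
        print(problem)
```

Because a parked domain has no legitimate senders, there is no mail flow to break, which is why the NCSC suggests doing these first: you can go straight to `p=reject` without the monitoring period a live domain needs.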

What else can I do to stop my email address being spoofed?

  • Try to provide just one contact email address on your website. Listing every staff member’s email address online not only means they’ll receive lots of spam; it also advertises to cyber criminals the email addresses likely to be trusted by recipients and the format you use, e.g. lastname@mydomain.com, which makes your email easier to spoof with apparent legitimacy.
  • Make sure the password for your email account is strong and different from any other password you use. Cyber criminals don’t need to bother creating fake email addresses from your domain if they’ve managed to gain access to a real one.
  • Try using a “throwaway” account to sign up for mailing lists and online accounts. That way, if your email address is leaked in a data breach and abused, it’s (a) less likely to be seen as a trusted sender by any recipients of spoof email and (b) less hassle to delete.


Free guide to phishing threats

Download our Business Guide to Phishing to learn:

  • What is phishing?
  • Why would someone steal my data?
  • How do criminals go about phishing?
  • Focus on a smishing scam
  • 8 steps to avoid becoming a victim
  • Actions for management
