The ‘Must Know’ DNS Record checkers to know your email domain security posture.
Can you account for all the emails being sent from your organization’s email domain?
Not knowing this can be a huge problem for your organization. Why? Because this is where most of the email-based attacks are initiated. Email is the easiest and one of the most used communication tools for almost every organization.
However, it is also the easiest way for cyber criminals to use your brand name for pulling off scams and frauds. For cyber criminals, there is no other valuable tool than the ability to impersonate your brand and use outbound emails from your email domains as a paycheque.
Recently, big names like FedEx and DHL Express fell victims to such scams, infamously known as spoofing attacks. According to an article by Dark Reading, cyber criminals impersonated both brands to send out phishing emails to 10,000 users. These emails were laden with malicious links and attachments.
It is not only FedEx and DHL whose names have been misused by cyber criminals to send out phishing emails. There are thousands of organizations out there that fell victim to spoofing attacks. One of them was Microsoft, which became the most imitated brand in Q3 2020.
Irrespective of the firm size, cyber criminals can target any organization to make easy money. They are well aware of people trusting the brands. Consequently, it is critical for an organization to protect the brand against the increasing number of impersonators worldwide.
Protecting your brand not only helps you combat the impersonators but also increases your brand recognition and standard of quality among your competitors. Moreover, it prevents you from losing the customers’ trust.
So, to help you check your email domains’ security, I have listed the seven checkers that you can use for free:
#1. DMARC RECORDS
DMARC Record checker helps you find if your email domain has a valid DMARC record and if it’s published correctly.
WHAT IS A DMARC RECORD?
DMARC record is used by email receiving servers to authenticate an incoming email, given the sender has implemented DMARC. DMARC offers three different policies, which can be set up to determine what to do with the emails that fail authentication. You can start implementing DMARC by setting up a DMARC DNS record.
The DMARC policy you set up helps the recipient’s email server in deciding what action should be taken if the email sent from your domain fails the DMARC authentication.
You can choose one of these 3 DMARC policies:
None: This policy helps you gain deep insight into your email channel and allows all emails to reach the recipient’s inbox, no matter whether it fails or passes the DMARC authentication.
Quarantine: This policy instructs the ISPs to redirect emails failing the DMARC authentication to the recipient’s spam folder.
Reject: This policy instructs the ISPs to not deliver emails failing the DMARC authentication at all. The emails that fail DMARC authentication get bounced back.
#2. SPF RECORDS
SPF Records checker helps you verify if your email domain has a valid SPF record.
WHAT IS AN SPF RECORD?
The Sender Policy Framework or SPF record helps the email receiving server identify whether the IP address of an incoming email is approved by the administrators of the sender’s domain. Available in the form of a TXT record, this SPF record contains the list of email servers authorized to send emails on the behalf of the particular domain name.
WHAT DOES AN SPF RECORD DO?
An SPF record lets you assign a pool of authorized IP addresses to your email domain. When you send an email, the receiving server cross-checks the IP address of that email with the IP addresses included in the SPF record of the sender’s domain. If it matches successfully, your email passes SPF authentication.
HOW DOES SPF RECORD HELP?
SPF helps in boosting your email deliverability rate by building up trust with the ISPs. Similar to MFA, SPF adds an extra layer of security to your email domain and reduces backscatter bounces.
#3. DKIM RECORDS
DKIM Records checker allows you to verify if your email domain has a valid DKIM record.
WHAT IS A DKIM RECORD?
A DomainKeys Identified Mail (DKIM) record is a TXT record that signs the emails sent from your domain with a private key, allowing the receiving server to validate the emails using a public key available in the DNS as a TXT record. These records are revoked and renewed based on the different providers. Unlike the SPF, which can only register up to 10 records in the DNS, DKIM can store many records based on the various sources sending emails from a domain.
WHY DO WE NEED A DKIM RECORD?
While DKIM is not mandatory, emails signed with DKIM appear more legitimate to the ISPs. Just like SPF, DKIM is required for DMARC, which is a newer standard for reducing email spoofing and email domain forgery.
#4. MX RECORDS
With the MX Record checker, you will be able to check if your email domain has a valid MX record. You simply need to enter your domain name and it will display the MX record of that domain if it has been set up.
WHAT IS AN MX RECORD?
A Mail Exchanger record or MX Record specifies the mail server that is responsible for accepting emails on the behalf of a domain name. Available on the DNS, MX records are necessary for email delivery since they indicate how emails should be routed as per the SMTP.
#5. AAAA RECORDS
AAAA Records checker helps you verify if your email domain has a valid AAAA record.
WHAT IS THE AAAA RECORD?
Assigning a value to an AAAA record is as simple as providing your DNS management panel with an IP address to where the domain or subdomain should point. Like an A-record, an AAAA-record (also known as quad A-record) maps the name of your domain to an IP address. On the other hand, an A-record works with IPv4 whereas an AAAA-record works with IPv6.
AAAA RECORD FORMAT
An AAAA record is structured and configured in the same way as an A record. The only difference is that an AAAA record is larger. The resource record Type value for AAAA records is 128. Eight groups of 16-bit values are used to notate AAAA records. The AAAA record is defined in RFC 3596.
Here, <address> is an IPv6 address and looks like 2606:4700:3031::ac43:d64c.
The same IP can be defined with different names. It is not required for IP addresses to be in the same subnet or to use the same routing prefix. For preventing unintentional duplicate definitions, it is advisable to arrange AAAA records in either ascending or descending order.
After the experts realized we would eventually exhaust the existing IPv4 addresses, they had to come up with IPv6. Consequently, a new record type was created to support the address type that is now known as AAAA records.
#6. TXT RECORDS
TXT Records checker allows you to check if your email domain has a valid TXT record.
WHAT IS A TXT RECORD?
The ‘TXT’ (Text) record allows a domain’s administrators to enter text into the DNS record. A TXT record is a resource record that provides the ability to associate text with a zone. This record allows domain administrators to insert any text content into the DNS records.
An example of TXT record:
v=spf1 include:_spf.google.com ~all
Every record can have one or more than one character strings. Traditionally, these text fields were used for a number of non-standardized uses including an organization’s name or the address of a host.
TYPES OF TXT RECORDS
DKIM record: This record helps you store important information that is used for the validation of emails in transit.
DMARC record: DMARC records help in mitigating email domain forgery and email spoofing attacks.
SPF record: SPF records allow you to authorize a pool of IPs to send emails from your email domain.
Site Verification Records: This record helps you in proving the ownership of your domain. It can also be used for associating services including G-Suite or Microsoft 365 to a specific domain.
#7. NS CHECK
This NS checker performs a thorough DNS propagation lookup for your domain name.
WHAT IS NS CHECK?
The NS Check acts as a phone directory of every email address that exists on the internet. It compares the DNS servers that are responding to the queries and analyze the DNS data collected to confirm whether that website is completely propagated or not.