So you’re in charge of your organization’s DNS and hybrid access. Part of the job is publishing DNS records that make systems easily accessible, but you also need to prevent spoofed domains, which can lead to a security breach. The first step is to ensure that your workforce knows what your domain is and what hostnames on that domain look like.

Education is never enough though. Ensuring that your domains are configured correctly is the next step.

There are many free tools and various ways to check on your domains and get guidance on how to actively prevent spoofing. For example, Smartfense’s Spoof Check at https://www.smartfense.com/en-us/tools/spoofcheck/ will give you a quick summary of the “spoofability” of your domain. In this example, we have a known “spoofable” site, sso-getbnn.com. The “sso-<yourdomain>.com” pattern of fake domains is being actively used to infiltrate organizations and steal credentials.

As you can see, the tool gives you some information about what can be done to further lock down your domain.

Spoof Check bad screenshot

In this example, our corporate domain is checked and shows the measures we have employed to lock it down.

Spoof Check good screenshot

The next set of tools come from MxToolbox and can be found at https://mxtoolbox.com. This tool can be used to check configurations for Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records.

What is SPF and what does it have to do with spoofed domains?

The SPF Record Check is a diagnostic tool that acts as a Sender Policy Framework (SPF) record lookup and SPF validator. This test will look up an SPF record for the queried domain name, display the SPF Record (if found), and run a series of diagnostic tests (SPF Validation) against the record, highlighting any errors found with the record that could impact email delivery.

Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf. The goal is to reduce the amount of spam and fraud by making it much harder for malicious senders to disguise their identity.

SuperTool SPF screenshot

What is DMARC?

The DMARC Record Lookup / DMARC Check is a diagnostic tool that will parse the DMARC Record for the queried domain name, display the DMARC Record, and run a series of diagnostic checks against the record. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism for policy distribution by which an organization that is the originator of an email can communicate domain-level policies and preferences for message validation, disposition, and reporting.

DMARC records standardize how mail originators associate and authenticate domain identifiers with messages, handle message policies using those identifiers, and report about mail using those identifiers. According to RFC 7489, the DMARC mechanism for policy distribution enables the strict handling of email messages that fail authentication checks, such as SPF and/or DKIM. If neither of those authentication methods passes, DMARC tells the receiver how to handle the message, such as treating it as junk (quarantine) or rejecting it entirely.
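As an added example (not from the original post, nor code from the tools it mentions), the following Python evaluates SPF and DMARC TXT records of the kind those tools retrieve and flags the weak settings discussed above: a missing or permissive `all` mechanism in SPF, and a missing, malformed, monitor-only or partial DMARC policy. The TXT records and domain names are constructed sample data, not real DNS lookups.

```python
# Constructed sample TXT records (not real DNS data) standing in for what a
# lookup of a "spoofable" domain and a locked-down domain might return.
SAMPLE_TXT = {
    "weak.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ?all",
        "dmarc": None,  # no _dmarc TXT record published at all
    },
    "strict.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100",
    },
}

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_finding(spf):
    """Return a finding for a weak SPF record, or None if it ends in -all."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return "SPF: no record published; receivers cannot verify sending hosts"
    terms = spf.split()[1:]
    # The trailing 'all' mechanism decides what happens to unlisted senders.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term.startswith("+") or all_term.lower() == "all":
        return "SPF: missing or '+all'; every host is authorized (spoofable)"
    if all_term.startswith("?"):
        return "SPF: '?all' is neutral; unauthorized senders are not flagged"
    if all_term.startswith("~"):
        return "SPF: '~all' softfail; relies on DMARC to act on the result"
    return None  # '-all': hard fail for any host not listed

def dmarc_finding(dmarc):
    """Return a finding for a weak DMARC record, or None if it enforces policy."""
    if not dmarc:
        return "DMARC: no record; receivers get no policy for failed SPF/DKIM"
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":  # RFC 7489 requires this exact value
        return "DMARC: malformed record (missing v=DMARC1)"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "DMARC: p=none only monitors; spoofed mail is still delivered"
    if policy not in ("quarantine", "reject"):
        return "DMARC: missing or invalid p= tag"
    if tags.get("pct", "100") != "100":
        return f"DMARC: pct={tags['pct']} applies the policy to only part of the mail"
    return None

def assess_spoofability(spf, dmarc):
    """Combine the SPF and DMARC findings; an empty list means locked down."""
    return [f for f in (spf_finding(spf), dmarc_finding(dmarc)) if f]

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, assess_spoofability(records["spf"], records["dmarc"]) or ["OK"])
```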

SuperTool DMARC screenshot

Additional Resources

You can also visit Whois and check https://shop.whois.com/domain-registration/index.php to find the Registered On and Expires On dates for a domain. An organization that has been around for a long time will have registered its domain a long time ago; a newly registered domain may be fake. Also, legitimate organizations want to lock in their domains, so a domain that was only registered for a year may be a temporary fake.

Whois screenshot

Another clue to whether a domain is valid requires checking the SSL certificate by visiting https://www.sslshopper.com/ssl-checker.html. In the example below, again for the domain sso-getbnn.com, we see that the certificate was issued by a valid organization, Let’s Encrypt. However, the certificate has expired and was only valid for three months. While this short lifetime is typical for certificates from Let’s Encrypt, the fact that it expired and wasn’t renewed beforehand is rare for a real, actively used domain.

SSL Checker screenshot

Of course, even these measures can come up short, especially when your users decide to click on links to spoofed domains. To prevent this, an active defense such as Banyan’s Internet Threat Protection (ITP) is needed. Banyan Security’s ITP is a cloud-based, AI-driven content filtering and threat protection service that can be deployed and configured in minutes.

To learn more about ITP visit https://www.banyansecurity.io and stay tuned for an upcoming blog covering ITP’s advanced functionality and use cases.

Ashur Kanoon