How to prevent domain email spoofing on AWS
If you set up domain email forwarding on AWS and don’t properly configure DKIM settings then spammers can send emails pretending to be from your domain.
You may be thinking that spammers will have no interest in using your domain and won’t even know it’s there. Wrong. Spammers use automated scanning to look for domains that don’t have DKIM enabled. You may have a brand new domain that nobody knows about and within a week spammers will be spoofing you.
There are two techniques to prevent sender spoofing. SPF allows the receiving mail server to verify that an email claiming to be from a domain was actually sent by an authorised host on that domain. DKIM attaches a digital signature for a similar purpose. The receiving mail server can retrieve the public DKIM key from DNS and verify the signature. AWS Simple Email Service uses DKIM.
Without this, you may suffer two things. One, mail servers may start blacklisting your domain due to volumes of spam email claiming to be from your domain. Two, when a spam email gets bounced by the receiving mail system, it will come back to you because it looks like you were the sender.
Configure DKIM on AWS
Go to your SES management console, make sure you’re in the right region, and view your domains.
If the “DKIM Status” isn’t “Verified”, you need to do it. Click through to the domain details, and expand the DKIM section.
Setting up DKIM involves 3 steps:
- Generate DNS entries
- Add the generated records to your DNS
- Enable DKIM
Click “Generate DKIM settings”. You’ll be shown three CNAME entries to add to your DNS. If you’re using Route 53 you can click the button to do it automatically.
Once AWS SES verifies the presence of those new DNS entries, you will see the option to enable DKIM for the domain.
You only need to set up Easy DKIM for the domain that you use in your “From” address. The settings for that domain apply to all subdomains.
AWS SES automatically adds a 1024-bit DKIM key to every email that you send from that domain, so there’s nothing else you need to do.
That is all you have to do to prevent domain email spoofing on AWS.
AWS DKIM documentation is here.