Blog | G5 Cyber Security

Email Forwarding Security Risks

TL;DR

Email forwarding can introduce security risks like email spoofing, data leakage and compromised accounts. Using strong SPF/DKIM/DMARC records, multi-factor authentication (MFA), and regularly reviewing forwarding rules are key to mitigating these.

Understanding the Risks

Domain email forwarding – sending emails from your domain (e.g., yourname@yourdomain.com) to another email provider (like Gmail, Outlook or a work account) – is convenient but isn’t always secure by default. Here’s why:

How to Secure Your Email Forwarding

Here’s a step-by-step guide to improve the security of your domain email forwarding:

1. Implement SPF Records

  1. What it does: Sender Policy Framework (SPF) tells receiving mail servers which servers are authorised to send emails on behalf of your domain.
  2. How to do it: Add a TXT record to your DNS settings. The exact record depends on the mail service you’re forwarding *from*, because that service’s servers are the ones you need to authorise. For example, if using Google Workspace:
    v=spf1 include:_spf.google.com ~all
  3. Check your SPF record: Use an online SPF checker (many free tools are available) to ensure it’s valid and includes all authorised sending sources.

2. Set up DKIM Records

  1. What it does: DomainKeys Identified Mail (DKIM) adds a digital signature to your emails, verifying they haven’t been tampered with during transit.
  2. How to do it: Your email provider will give you a DKIM record (usually a long TXT string). Add this to your DNS settings. This is often found in the security or authentication section of your domain control panel.
  3. Verify DKIM: Use a DKIM checker tool to confirm proper setup.

3. Enable DMARC Records

  1. What it does: Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on SPF and DKIM, telling receiving servers what to do with emails that fail authentication checks (e.g., reject or quarantine them).
  2. How to do it: Add a TXT record to your DNS settings. Start with a policy of p=none to monitor results before enforcing stricter rules.
    v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:forensics@yourdomain.com; adkim=r; aspf=r; pct=100
  3. Monitor DMARC reports: Regularly check the reports sent to your specified email addresses (rua and ruf) to identify potential spoofing attempts and adjust your policy accordingly.

4. Multi-Factor Authentication (MFA)

  1. What it does: Adds an extra layer of security to the email account you’re forwarding *to*. Even if someone gets your password, they’ll need a second factor (like a code from your phone).
  2. How to do it: Enable MFA on all accounts involved in the forwarding process. Most major providers offer this – Google, Microsoft, etc.

5. Regularly Review Forwarding Rules

  1. What to do: Check your domain control panel periodically to ensure only authorised email addresses are being forwarded. Remove any rules you no longer need.
  2. Look for unexpected entries: Be alert for forwarding addresses that you didn’t set up yourself.

6. Consider Using a Dedicated Email Security Service

For more advanced protection, explore email security services that offer features like threat detection, data loss prevention (DLP), and enhanced filtering.
