SECURITY: Your own domain can prevent phishing

Saturday, July 12, 2025

An Original Thought

May I suggest that you have your own domain?

The common wisdom, or is that common whizdumb, is to own your own name as a domain name. I own “reinke.cc”. (I like saying “sea sea me at reinke.cc”! me@reinke.cc will actually work!) 

It gives one quite a bit of control. And, it’s very cheap. I know three solutions: wordpressdotcom with gmail, email only with 1and1, and domain+email+webspace also at 1and1. 

My point is not that you should use 1and1. http://www.1and1.com/?k_id=9113251 I could care less which one you use. It’s that getting on to your own domain with email is cheap and easy. 

And, it’s not aol, hotmail, yahoo, or gmail. It IS your own “personal brand”. And, the “bad guys” can’t fool you!

If you have your own domain, you can “bulletproof” your email from phishing and frauds!

Let’s assume that you have “your own domain” named “yourowndomain.com”, and you bank at “your bank” at “yourbank.com”.

You give “yourbank.com” your email address as “yourbankcom@yourowndomain.com”. (Be prepared for some strange looks when you do this because the folk never heard of such an email address.)

Then you can set up an email filter — let’s use Gmail as an example — that says:

  • Comes from “yourbank.com” and
  • Is addressed to “yourbankcom@yourowndomain.com” and 
  • You specify a label of “yourbank”

So all your email comes into GMAIL and gets assigned a label “INBOX”.

  • Anything that comes in that purports to be from “yourbank” MUST have both GMAIL-assigned labels, “INBOX” and “yourbank”.
  • You can also set up an email filter for mail addressed to “yourbankcom@yourowndomain.com” and NOT from “yourbank.com”, and label it “PHISHING ATTACK”.
  • You can also set up an email filter for mail NOT addressed to “yourbankcom@yourowndomain.com” and from “yourbankcom@yourowndomain.com”, and label it “BANK GAVE OUT YOUR EMAIL ADDRESS”.

Pretty tricky and quickly eliminates PHISHING ATTACKS and identifies when the “BANK GAVE OUT YOUR EMAIL ADDRESS”.
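The same filter logic run over raw message headers, as an added example (not part of the original post or any Gmail feature). It implements the “yourbank” and “PHISHING ATTACK” rules; accepting subdomains of yourbank.com, the “SUSPECT BANK SENDER” label and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALIAS = "yourbankcom@yourowndomain.com"  # address given only to the bank (from the post)
BANK_DOMAIN = "yourbank.com"             # the bank's sending domain (from the post)

def from_bank(msg):
    """True if the From address (not the display name) is at the bank's domain."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Exact domain or a real subdomain; "yourbank.com.evil.example" must not match.
    return domain == BANK_DOMAIN or domain.endswith("." + BANK_DOMAIN)

def to_alias(msg):
    """True if the bank-only alias appears among the To/Cc recipients."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower() == ALIAS for _, addr in recipients)

def classify(raw):
    """Return the label the filters would assign to one raw message."""
    msg = message_from_string(raw)
    bank, alias = from_bank(msg), to_alias(msg)
    if bank and alias:
        return "yourbank"
    if alias:
        return "PHISHING ATTACK"      # alias used by someone who is not the bank
    if bank:
        return "SUSPECT BANK SENDER"  # hypothetical label: claims the bank, wrong address
    return "INBOX"

# Constructed sample messages; only the headers matter here.
SAMPLES = {
    "genuine": "From: Your Bank <alerts@yourbank.com>\n"
               "To: yourbankcom@yourowndomain.com\n\nStatement ready",
    "lookalike": 'From: "yourbank.com" <help@yourbank.com.evil.example>\n'
                 "To: yourbankcom@yourowndomain.com\n\nVerify your account",
    "wrong_to": "From: alerts@yourbank.com\nTo: me@yourowndomain.com\n\nUrgent notice",
    "friend": "From: friend@example.org\nTo: me@yourowndomain.com\n\nLunch?",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {classify(raw)}")
```

The From header is supplied by the sender, so this check sorts mail by who knows the alias; it does not authenticate the sender.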

Applause please?  

Why the email providers can’t protect you by using the appropriate internet protocols is beyond me!

*** begin quote ***

Email authentication methods and protocols 

  • SPF (Sender Policy Framework)

    A sender policy framework (SPF) is a record published in your DNS that lists all the IP addresses that are allowed to send emails on behalf of your domain. When an incoming email is received, the recipient server will check the SPF record to verify if the sending IP address is authorized to send emails for that particular domain. If it’s not listed in the SPF record, there’s a higher chance that the email will be marked as spam or blocked altogether. While SPFs can help to prevent spam and phishing attempts, they also may reject legitimate emails in situations where the sender’s domain SPF records aren’t properly configured.

  • DKIM (DomainKeys Identified Mail)

    DKIM stands as a pivotal technology in the battle against email spoofing by attaching a digital signature to each outgoing email, linked directly to the sender’s domain name. This signature enables the recipient’s email server to verify whether an email purportedly sent from a specific domain is authorized by that domain’s owner. Given that emails often undergo multiple hops—redistributed by mailing lists or forwarding rules—DKIM ensures that signed messages can be reliably relayed by any server, maintaining their integrity and authenticity throughout their journey.

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

    The DMARC protocol was built on top of SPF and DKIM, and relies on senders and receivers sharing information to ensure a smooth validation process. DMARC refers to SPF and DKIM records to validate a sender’s identity, along with testing whether the domain they use is found in the “from” address. If an email does not pass the validation test, DMARC provides rules on how to treat the message based on certain conditions. This protocol can help domain owners block phishing attacks by filtering such messages into spam, or rejecting them altogether.

  • BIMI (Brand Indicators for Message Identification)

    If you’ve ever seen an email from a brand that included their logo right in the sender column, that brand was using BIMI. Improving email security with BIMI involves using an authentication system that enables trusted senders to display an icon of their choice directly in senders’ inboxes. BIMI can boost recipients’ trust in your messages, while heightening visibility of your brand.

  • MTA-STS (Mail Transfer Agent Strict Transport Security)

    MTA-STS is a security standard that enables you to send and receive messages securely over an encrypted SMTP connection. The MTA-STS protocol enhances email security by enabling an SMTP client to confirm the server’s identity during the TLS handshake. It does this by requiring the server to present its certificate fingerprint, which the client then matches with a trust store of certificates from verified servers. This process ensures the client does not connect to fraudulent servers, maintaining secure communication. 

  • TLS reporting

    TLS reporting is a mechanism that enables email senders to report issues with TLS connectivity.

    It is more effective when used alongside MTA-STS. The strict enforcement mode of MTA-STS will prevent email delivery if TLS issues are detected, ensuring a higher level of security and reliability in email communications.

  • ARC (Authenticated Received Chain)

    ARC acts as a “chain of custody” for email messages. It enables every entity involved in processing the message to clearly see which entities have previously interacted with it. At every stage of handling, it provides a detailed authentication assessment. The primary advantage of ARC, now adopted by the majority of mail servers, is its solution to a significant issue: previously, when a DMARC-protected email was forwarded, it would fail DKIM authentication and, consequently, DMARC. ARC preserves all original authentication information, allowing the final recipient’s mail server to verify that the email was DKIM authenticated before being forwarded.

*** end quote ***

— 30 —


SECURITY: Do NOT use the “Go to Apple ID.” link

Wednesday, November 27, 2024

https://www.tomsguide.com/computing/online-security/new-scam-says-your-apple-id-is-suspended-watch-out-for-this-attack?lrh=20fd2805ce1d1131c95034f150bb97a3971479cbf1c94537a55e6a39cfe362aa

New scam says your Apple ID is suspended — watch out for this attack
By Amber Bouman

  • Don’t let hackers get their hands on your Apple ID with these tips

*** begin quote ***

Another day, another attempt to steal your log in credentials – this time courtesy of a phishing email that claims to be from Apple Support. Don’t be fooled however, this isn’t from Cupertino. It’s actually an attempt to get you to click on a link so hackers can steal your login credentials and other sensitive information.

This email, like many other phishing attempts, uses look-a-like formatting and other details to make you think it’s coming from a legitimate source. This latest threat says that your Apple ID has been suspended due to unusual activity or missing or invalid information. The email looks remarkably similar to actual emails from Apple Support and contains a blue button that says “Go to Apple ID.”

*** end quote ***

It is really amazing that this <synonym for excrement> still works.

Browsers should not automatically make emails clickable.

Argh!

—30—


VOCABULARY: “Tainted Leaks”

Sunday, June 4, 2017

https://www.schneier.com/blog/archives/2017/05/tainted_leaks.html

Schneier on Security
Tainted Leaks

*** begin quote ***

This report describes an extensive Russia-linked phishing and disinformation campaign. It provides evidence of how documents stolen from a prominent journalist and critic of Russia were tampered with and then “leaked” to achieve specific propaganda aims. We name this technique “tainted leaks.” The report illustrates how the twin strategies of phishing and tainted leaks are sometimes used in combination to infiltrate civil society targets, and to seed mistrust and disinformation. It also illustrates how domestic considerations, specifically concerns about regime security, can motivate espionage operations, particularly those targeting civil society.

*** end quote ***

NOW, this is something to be concerned about.

It’s going to make “leaks” harder to determine and authenticate.

# – # – # – # – # 


SERVICE: OPENDNS recommended for everyone

Thursday, July 19, 2012

*** begin quote ***

Announcing new Parental Controls categories

We recently announced several improvements to the Domain Tagging system, our content categorization engine, and two new categories that you can enable for your home networks, effective immediately, to secure your family’s Web browsing.

As with every new feature we deliver, these improvements are the direct result of your feedback. Our team spent weeks evaluating both the current categories and your suggestions, and ultimately we decided which categories need to be added and which ones could use a facelift. By simply logging into your Dashboard and adjusting your custom settings, you can now filter Anime/Manga/Webcomic and Click/Survey/Pharmaceutical Web Spam. To our knowledge, OpenDNS is the first and only filtering service to offer a Web spam category, though Web spam is increasingly present online.

As the Internet evolves we’ll continue to evaluate our Web filtering categories and your requests to make sure we’re ahead of the curve. If you’d like to get more involved, join our Domain Tagging community and help make the Internet better for millions around the world!

*** end quote ***

Item #4 is for those with children. First, this is free. Second, it’s invisible to all but the most techie kids.

* Open a free account on OpenDNS. (Not even sure this is required, but it’s a trivial step that allows them to enumerate their User community.)

* Open your favorite browser and connect to your router (usually http://192.168.1.1 or 2.1).

* Find the screen where the router holds the DNS entry. (Easy. Most routers have tabs on their admin screen. One will be labeled: “DNS”.)

* Replace what the ISP gives you (theirs, so they can collect ad $ on you) with the OpenDNS values: 208.67.222.222 and 208.67.220.220.

That’s it. Each platform that starts up will shift to use the OpenDNS.

No one is the wiser that you’re protecting them.

You should check from time to time. You don’t “own” the router; the ISP does. From time to time, they will push a “refresh” or “software update”. (Not for your benefit, but theirs.)

Some of the more paranoid, not me, actually put another router after the ISP router. They wish to prevent the ISP from browsing their platforms or seeing the intra-platform traffic.

FMPOV who cares.

p.s., I use OpenDNS to prevent popup porn, phishing, and malware. Been using it for eons. I don’t understand why more people don’t. Don’t have to think about it. Most bad sites just won’t resolve. YMMV

# – # – # – # – #