Email Security

Medium

Checks email configuration for security best practices.

Estimated fix time: 45 minutes

What is Email Security?

Email security prevents spoofing, phishing, and unauthorized use of your domain for sending emails. SPF, DKIM, and DMARC are DNS records that let receiving mail servers authenticate mail claiming to come from your domain: SPF lists the hosts allowed to send for it, DKIM signs outgoing messages, and DMARC tells receivers what to do when a message fails those checks.

Security Impact

Severity: High

  • Email spoofing
  • Phishing attacks using your domain
  • Deliverability issues
  • Reputation damage
  • Business email compromise

How to Fix

1. Configure SPF Record

# DNS TXT record
yourdomain.com. TXT "v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com ~all"

# Explanation:
# v=spf1 - SPF version
# ip4:IP - Allow specific IP
# include: - Allow third-party service
# ~all - Soft fail for others

2. Configure DKIM

Laravel with Mailgun example:

# Publish the Mailgun config; the DKIM key pair itself is generated by your email service
php artisan vendor:publish --tag=mailgun-config

Add DNS TXT records provided by your email service:

default._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

3. Configure DMARC

# DNS TXT record
_dmarc.yourdomain.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

# Explanation:
# p=quarantine - Quarantine suspicious emails
# rua= - Send reports to this email
# pct=100 - Apply to 100% of emails

4. Laravel Mail Configuration

// config/mail.php
<?php

return [
    // Envelope sender; the domain here must be the one your SPF/DKIM/DMARC records cover
    'from' => [
        'address' => env('MAIL_FROM_ADDRESS', 'noreply@yourdomain.com'),
        'name' => env('MAIL_FROM_NAME', 'Your App'),
    ],

    // 'dkim' is not a stock Laravel option: nothing reads it unless your own code wires a
    // signer into the mailer. Keep the private key outside the web root and out of version control.
    'dkim' => [
        'domain' => 'yourdomain.com',
        'selector' => 'default',
        'private_key' => storage_path('dkim/private.key'),
    ],
];

5. Test Configuration

# Test SPF
dig yourdomain.com TXT

# Test DKIM
dig default._domainkey.yourdomain.com TXT

# Test DMARC
dig _dmarc.yourdomain.com TXT

# Send test email
# Check with https://www.mail-tester.com

Verification Steps

  1. Send test email to mail-tester.com
  2. Check SPF: dig yourdomain.com TXT
  3. Check DKIM: Send email, view headers
  4. Check DMARC: dig _dmarc.yourdomain.com TXT
  5. Monitor DMARC reports

Email Services Configuration

Mailgun

MAIL_MAILER=mailgun
MAILGUN_DOMAIN=mg.yourdomain.com
MAILGUN_SECRET=your-secret

Add Mailgun's DNS records to your domain.

Amazon SES

MAIL_MAILER=ses
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
AWS_DEFAULT_REGION=us-east-1

Verify domain and add SES DKIM records.

DMARC Policy Progression

# Phase 1: Monitor only
p=none; rua=mailto:dmarc@yourdomain.com

# Phase 2: Quarantine suspicious
p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

# Phase 3: Reject unauthorized
p=reject; rua=mailto:dmarc@yourdomain.com

Common Issues

SPF Record Too Long

# Split using includes
# Caveat: every include: (and a, mx, ptr, exists, redirect=) costs one of the 10 DNS lookups
# SPF allows per evaluation (RFC 7208), so split sparingly or the record fails with permerror
yourdomain.com. TXT "v=spf1 include:_spf1.yourdomain.com include:_spf2.yourdomain.com ~all"
_spf1.yourdomain.com. TXT "v=spf1 ip4:IP1 ip4:IP2"
_spf2.yourdomain.com. TXT "v=spf1 include:_spf.google.com"

Multiple SPF Records

Only one SPF record is allowed. Consolidate multiple into one.
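As an added example (it is not part of this guide and not StackShield's scanner), the following Python checker applies the rules from the Verification Steps and Common Issues sections to TXT records you paste in from dig: exactly one SPF record, a closing ~all or -all, the 10-lookup limit that splitting with include: can push you past, and a DMARC record with a valid p= policy and an rua= address. The zone contents, the 192.0.2.x and 198.51.100.x addresses and the _spf.google.com entry are constructed sample data, not real records.

```python
SAMPLE_ZONE = {  # constructed stand-in for the answers `dig <name> TXT` would return
    "yourdomain.com": ["v=spf1 include:_spf1.yourdomain.com include:_spf2.yourdomain.com ~all"],
    "_spf1.yourdomain.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.11"],
    "_spf2.yourdomain.com": ["v=spf1 include:_spf.google.com"],
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],  # made up, not Google's real record
    "_dmarc.yourdomain.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"],
}

def spf_records(zone, name):
    return [r for r in zone.get(name, []) if r.lower().startswith("v=spf1")]

def count_lookups(zone, name, seen=()):
    """Count DNS-querying SPF terms, recursing into include:/redirect= targets (loop-safe)."""
    if name in seen:
        return 0
    total = 0
    for term in " ".join(spf_records(zone, name)).split():
        t = term.lstrip("+-~?").lower()  # drop the qualifier, e.g. "+include:" -> "include:"
        if t.startswith(("include:", "redirect=")):
            total += 1 + count_lookups(zone, t.partition(":" if t[0] == "i" else "=")[2], seen + (name,))
        elif t in ("a", "mx", "ptr") or t.startswith(("a:", "mx:", "ptr:", "exists:")):
            total += 1
    return total

def check_spf(zone, domain):
    """Return the SPF problems this guide warns about (an empty list means the record is fine)."""
    recs = spf_records(zone, domain)
    if not recs:
        return ["no SPF record published"]
    problems = []
    if len(recs) > 1:
        problems.append(f"{len(recs)} SPF records published; only one is allowed")
    if recs[0].split()[-1].lower() not in ("~all", "-all"):
        problems.append("record does not end with ~all or -all")
    if count_lookups(zone, domain) > 10:  # RFC 7208 section 4.6.4 limit
        problems.append("more than 10 DNS lookups; receivers return permerror")
    return problems

def check_dmarc(zone, domain):
    """Parse _dmarc.<domain> and flag a missing or invalid policy and missing aggregate reporting."""
    recs = [r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not recs:
        return ["no DMARC record published"]
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports will not arrive")
    return problems
```

Feed check_spf and check_dmarc a dict built from your own dig output; the sample zone resolves to 3 lookups and no problems.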


Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
