How to Fix Email Security - SPF, DKIM, DMARC

Checks email configuration for security best practices.

Category: email, domain security · Medium · Fix time: 45 minutes

What This Check Detects

Looks up the domain's SPF record (TXT at the apex), DKIM public key (TXT at selector._domainkey) and DMARC policy (TXT at _dmarc) and flags records that are missing or do not follow best practice.

Full Documentation

What is Email Security?

Email authentication stops other people from sending mail that claims to come from your domain: spoofing, phishing, and any other unauthorized use of your domain name as a sender. Three mechanisms, all published in DNS, work together. SPF lists the hosts allowed to send mail for the domain, DKIM lets a receiver verify a cryptographic signature over the message using a public key it fetches from DNS, and DMARC tells receivers what to do when neither SPF nor DKIM passes in alignment with the From: domain, and where to send reports about what they saw.

Security Impact

Severity: High

  • Email spoofing: anyone can send mail with your domain in the From: header
  • Phishing attacks using your domain against your customers and staff
  • Deliverability issues: large receivers junk or reject unauthenticated mail
  • Reputation damage to the domain and its sending IPs
  • Business email compromise, where spoofed internal mail is used to redirect payments or credentials

How to Fix

1. Configure SPF Record

# DNS TXT record (exactly one per domain)
yourdomain.com. TXT "v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com ~all"

# Explanation:
# v=spf1 - SPF version; must be the first term
# ip4:IP - allow a specific sending IP or CIDR range (ip6: for IPv6)
# include: - allow a third-party service's published senders; each include costs one of the 10 DNS lookups an evaluation may perform
# ~all - softfail every other sender; switch to -all (hard fail) once every legitimate sender is listed, and never publish +all

2. Configure DKIM

Your email service generates the DKIM key pair when you add the sending domain and keeps the private key for signing; you only publish the public key it shows you. Laravel itself does not generate DKIM keys, and there is no artisan command for it.

Add the DNS TXT record provided by your email service, using the exact record name (selector) it gives you:

default._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

# Explanation:
# default._domainkey - selector 'default'; it must match the s= tag in the DKIM-Signature header the service adds
# v=DKIM1 - optional, but if present it must be exactly DKIM1
# k=rsa - key type; prefer a 2048-bit RSA key, 1024-bit keys are considered weak
# p= - base64 public key; an empty p= means the key is revoked

3. Configure DMARC

# DNS TXT record
_dmarc.yourdomain.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

# Explanation:
# v=DMARC1 - must be the first tag
# p=quarantine - mail that fails both SPF and DKIM alignment with the From: domain goes to spam (p=none only reports, p=reject refuses delivery)
# rua= - mailbox for aggregate XML reports; if it is on a different domain, that domain must publish a DMARC authorisation record or reporters drop the reports
# pct=100 - apply the policy to all failing mail (100 is the default)

4. Laravel Mail Configuration

// config/mail.php
'from' => [
    'address' => env('MAIL_FROM_ADDRESS', 'noreply@yourdomain.com'),
    'name' => env('MAIL_FROM_NAME', 'Your App'),
],

The From: address must be on the domain whose records you just published: DMARC checks SPF and DKIM alignment against the From: header domain. With the default relaxed alignment, a DKIM signature or envelope sender on a subdomain such as mg.yourdomain.com still aligns with noreply@yourdomain.com.

config/mail.php has no 'dkim' option. Signing is done by the mail service (Mailgun and SES sign with the key from step 2). If you send through your own SMTP server instead, sign in the application with Symfony Mailer's DkimSigner (Symfony\Component\Mailer\Crypto\DkimSigner), which Laravel's mailer is built on, and keep the private key outside the web root and out of version control.

5. Test Configuration

# Test SPF (the answer must contain exactly one v=spf1 string)
dig +short yourdomain.com TXT

# Test DKIM (use the selector your service signs with)
dig +short default._domainkey.yourdomain.com TXT

# Test DMARC
dig +short _dmarc.yourdomain.com TXT

# dig only shows what you published. To see the records being evaluated, send a
# message to a mailbox you control and read its Authentication-Results header,
# or send one to the address shown at https://www.mail-tester.com

Verification Steps

  1. Send a test email to the address mail-tester.com gives you and check its SPF, DKIM and DMARC results
  2. Check SPF: dig +short yourdomain.com TXT returns exactly one v=spf1 record
  3. Check DKIM: send a message to a mailbox you control and confirm the Authentication-Results header shows dkim=pass with your selector
  4. Check DMARC: dig +short _dmarc.yourdomain.com TXT returns one v=DMARC1 record
  5. Monitor the aggregate reports arriving at the rua= address for unexpected senders before tightening the policy
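The checks in the test and verification steps above can be run as code against the TXT strings dig returns. The validator below is an added example, not StackShield's scanner and not Laravel code; the names SAMPLE_ZONE, audit and the check_* functions are its own, and the zone is constructed inline (203.0.113.10 is a documentation address and the p= value is a truncated placeholder, not a real key) so it runs offline. Replace the dict with real dig output to audit a live domain.

```python
"""Offline validator for a domain's SPF, DKIM and DMARC TXT records.

Added example (not StackShield's scanner and not Laravel code). Instead of
querying DNS it takes a dict of owner name -> list of TXT strings, so the
constructed sample below stands in for the three dig answers.
"""

# Constructed sample zone: what the three dig queries would return for a
# domain set up as described in the fix steps (placeholder key, doc-range IP).
SAMPLE_ZONE = {
    "yourdomain.com": [
        "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
    ],
    "default._domainkey.yourdomain.com": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    ],
    "_dmarc.yourdomain.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100",
    ],
}


def parse_tags(record):
    """Turn a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Findings for the apex TXT set: exactly one v=spf1 record ending in -all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot tell which hosts may send"]
    if len(spf) > 1:
        return [f"SPF: {len(spf)} v=spf1 records; only one is allowed (permerror)"]
    # Terms after the first 'all' are never evaluated, so judge the first one.
    all_terms = [t for t in spf[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["SPF: no 'all' term; unlisted senders get neutral instead of fail"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF: +all authorises every host on the internet; use -all"]
    if qualifier == "?":
        return ["SPF: ?all is neutral and fails nothing; use ~all or -all"]
    if qualifier == "~":
        return ["SPF: ~all (softfail); switch to -all once every legitimate sender is listed"]
    return []


def check_dkim(txt_records):
    """Findings for selector._domainkey: a v=DKIM1 record with a non-empty key."""
    if not txt_records:
        return ["DKIM: no TXT record at the selector name; signatures cannot be verified"]
    tags = parse_tags(txt_records[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional but must be DKIM1 if present
        findings.append("DKIM: v= must be DKIM1 when present")
    if not tags.get("p"):  # an empty p= is the documented way to revoke a key
        findings.append("DKIM: p= is missing or empty, so the key is revoked")
    return findings


def check_dmarc(txt_records):
    """Findings for _dmarc: a v=DMARC1 record with an enforcing policy and reporting."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record; failed SPF/DKIM has no consequence"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= missing or invalid; the whole record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: address; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct}; mail outside that share gets the next weaker policy")
    return findings


def audit(zone, domain, selector="default"):
    """Run all three checks; returns {'spf': [...], 'dkim': [...], 'dmarc': [...]}."""
    return {
        "spf": check_spf(zone.get(domain, [])),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_ZONE, "yourdomain.com").items():
        print(kind.upper(), "ok" if not findings else "; ".join(findings))
```

On the sample zone the only finding is the ~all softfail, which is exactly the state the fix steps leave you in; the DKIM and DMARC records pass. An empty result list per record type is what a finished configuration looks like.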

Email Services Configuration

Mailgun

MAIL_MAILER=mailgun
MAILGUN_DOMAIN=mg.yourdomain.com
MAILGUN_SECRET=your-secret
# MAILGUN_ENDPOINT=api.eu.mailgun.net   # only for domains created in Mailgun's EU region

Add the SPF and DKIM records Mailgun shows for mg.yourdomain.com. The DMARC record still belongs at _dmarc.yourdomain.com; subdomains inherit it unless you set sp=.

Amazon SES

MAIL_MAILER=ses
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
AWS_DEFAULT_REGION=us-east-1

Verify the domain as an SES identity and publish the DKIM CNAME records SES generates (Easy DKIM). Also configure a custom MAIL FROM domain: by default SES uses an amazonses.com envelope sender, so SPF passes but does not align with your From: domain. When the app runs on AWS, prefer an IAM role over static keys in .env.

DMARC Policy Progression

# Phase 1: Monitor only; collect reports until every legitimate sender passes
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

# Phase 2: Quarantine suspicious; pct=50 applies it to half the failing mail, the rest still gets p=none
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

# Phase 3: Reject unauthorized
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Common Issues

SPF Record Too Long

Two different limits apply. A single TXT string cannot exceed 255 characters; a longer record is published as several quoted strings in one TXT record, which resolvers concatenate. Separately, an SPF evaluation may perform at most 10 DNS lookups (include, a, mx, ptr, exists and redirect each cost one, nested includes included) or the result is permerror.

# Split using includes (solves the string-length limit, but each include costs a lookup)
yourdomain.com. TXT "v=spf1 include:_spf1.yourdomain.com include:_spf2.yourdomain.com ~all"
_spf1.yourdomain.com. TXT "v=spf1 ip4:IP1 ip4:IP2"
_spf2.yourdomain.com. TXT "v=spf1 include:_spf.google.com"
# Included records need no 'all' term: only a pass result inside them counts as a match.

To reduce lookups, list address ranges as ip4:/ip6: literals, remove includes for services you no longer use, and avoid ptr.

Multiple SPF Records

Only one v=spf1 record is allowed per name. With two, receivers return permerror and every message fails SPF. Merge the mechanisms of all records into one.
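To see what the two issues above cost in practice, the script below walks include: and redirect= chains and counts DNS lookups against the 10-lookup cap, and lists names that publish more than one v=spf1 record. It is an added example, not StackShield's code; SPLIT_ZONE mirrors the split layout shown above, FLAT_ZONE holds the same senders in one record, and both are constructed (the _spf.google.com entries are a small stand-in, Google's real record has more includes). The function names are this example's own.

```python
"""Count the DNS lookups an SPF evaluation costs (RFC 7208 caps it at 10,
beyond which receivers return permerror) and flag names with several records.

Added example, not StackShield's code. Both zones are constructed.
"""

SPLIT_ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf1.yourdomain.com include:_spf2.yourdomain.com ~all"],
    "_spf1.yourdomain.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.11"],
    "_spf2.yourdomain.com": ["v=spf1 include:_spf.google.com"],
    # Constructed stand-in for Google's published record (the real one is larger).
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

FLAT_ZONE = {
    "yourdomain.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 include:_spf.google.com ~all"],
    "_spf.google.com": SPLIT_ZONE["_spf.google.com"],
    "_netblocks.google.com": SPLIT_ZONE["_netblocks.google.com"],
}

# Terms that cost a DNS query during evaluation; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def spf_record(zone, domain):
    """The single v=spf1 record for domain, or ValueError (permerror in SPF terms)."""
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, exactly one is required")
    return records[0]


def split_term(term):
    """'include:x' -> ('include', 'x'); 'redirect=x' -> ('redirect', 'x'); '-mx/24' -> ('mx', '')."""
    term = term.lstrip("+-~?").lower()
    if "=" in term:  # modifier syntax
        name, arg = term.split("=", 1)
    else:  # mechanism syntax with optional :domain and /cidr
        name, _, arg = term.partition(":")
        name = name.split("/")[0]
    return name, arg


def count_lookups(zone, domain, path=()):
    """Total lookup-costing terms reachable from domain's record, following includes."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    path = path + (domain,)
    total = 0
    for term in spf_record(zone, domain).split()[1:]:
        name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                # The referenced record's own lookups count against the same cap.
                total += count_lookups(zone, arg, path)
    return total


def within_limit(zone, domain):
    """(lookups, ok) for a domain; ok is False once the 10-lookup cap is exceeded."""
    lookups = count_lookups(zone, domain)
    return lookups, lookups <= LOOKUP_LIMIT


def domains_with_multiple_spf(zone):
    """Owner names publishing more than one v=spf1 TXT record."""
    return sorted(
        name for name, records in zone.items()
        if sum(r.lower().startswith("v=spf1") for r in records) > 1
    )


if __name__ == "__main__":
    for label, zone in (("split", SPLIT_ZONE), ("flat", FLAT_ZONE)):
        lookups, ok = within_limit(zone, "yourdomain.com")
        print(f"{label}: {lookups} of {LOOKUP_LIMIT} lookups", "ok" if ok else "OVER LIMIT")
```

The split layout costs 4 lookups where the flat record costs 2, which is the point of the caveat above: splitting into includes fixes string length, not the lookup budget. Feed it the TXT strings of every include your real record references to get an honest count.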

Related Issues

  • DNS Security
  • IP Reputation
  • Subdomain Takeover

How to Fix This Issue

Missing SPF, DKIM, and DMARC records allow attackers to send spoofed emails from your domain. Configure email authentication now.



Check Your Laravel App for This Vulnerability

StackShield runs this check and 30+ others automatically. No code installation required.
