Recommendations

1. 1Change your DMARC policy from p=none to p=reject to block spoofing▾

   With p=none, your DMARC record only monitors — it doesn't actually block spoofed emails. Attackers can still send emails as your domain and they'll be delivered normally. Switching to p=reject instructs receiving servers to drop fraudulent messages before they reach the inbox.

2. 2Harden your SPF by replacing ~all with -all (hardfail)▾

   With ~all (softfail), unauthorized senders are flagged but emails are usually still delivered. Switching to -all (hardfail) explicitly tells receiving servers to reject emails from unauthorized sources, providing much stronger protection against spoofing.

3. 3Enable DKIM in your email provider and add the public key to your DNS zone▾

   DKIM adds a cryptographic signature to your emails, proving they haven't been tampered with in transit and genuinely originated from your domain. Without it, attackers can forge emails that pass basic checks, and your legitimate emails are more likely to land in spam.

4. 4Add MTA-STS to enforce TLS encryption for incoming emails▾

   Without MTA-STS, an attacker performing a man-in-the-middle attack can downgrade the connection between mail servers to plaintext, intercepting emails in transit. MTA-STS tells sending servers to only deliver via TLS with a valid certificate, preventing downgrade attacks.