Thanks Daniel for alerting, even if it was not perfect that it was public, but definitely with good intentions and also allowed us to act quickly. Big mistake on our side and a chance to improve security more, e.g. adding passkey support.

Replies (2)

Thanks. I know how hard it is to build trust in this industry and it’s very easy to destroy that in an instant. Hoping this is a teachable moment for all of us in security best practices.
I was looking into getalby.com domain MX records using (very good tool to properly configure your email server) and I found these rules used for anti-spam and anti-phishing:

DMARC actual:
v=DMARC1; p=none; rua=mailto:b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net

I would put a stronger DMARC with:
v=DMARC1;p=reject;sp=quarantine;pct=10;rua=mailto:b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net;ri=86400;aspf=r;adkim=r;fo=1;

SPF:
v=spf1 include:zoho.eu include:spf.ourmailsender.com include:spf.mandrillapp.com ~all

I would change ~all into -all.

In this way, in case of a phishing attack, the recipients' email servers can more easily reject those phishing (fake) emails.
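
The records quoted in the reply above, run through a small policy audit. This is an added example, not part of the thread or of any participant's tooling. The function names are hypothetical, and the defaults it applies (sp falls back to p, pct falls back to 100) are the ones RFC 7489 defines.

```python
# Added example: audit the DMARC and SPF TXT values quoted in the reply above.
RANK = {"none": 0, "quarantine": 1, "reject": 2}
SPF_ALL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in RANK:
        raise ValueError("not a usable DMARC1 record")
    return tags

def audit_dmarc(txt):
    """Return (policy, subdomain policy, pct, findings) for one record."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))      # pct defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none only requests reports; failing mail is not blocked")
    elif pct < 100:
        findings.append(f"pct={pct}: p={policy} is requested for {pct}% of failing mail")
    if RANK[sub] < RANK[policy]:
        findings.append(f"sp={sub} is weaker than p={policy} for subdomains")
    return policy, sub, pct, findings

def spf_all_result(txt):
    """Return the result the SPF 'all' mechanism assigns to unlisted senders."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return SPF_ALL[term[0]] if term[0] in SPF_ALL else "pass"
    return None  # no 'all' term: unlisted senders get neutral by default

# Records as quoted in the thread.
RUA = "mailto:b02f99b6d44a47f595397b4b8fc195fd@dmarc-reports.cloudflare.net"
CURRENT_DMARC = f"v=DMARC1; p=none; rua={RUA}"
PROPOSED_DMARC = f"v=DMARC1;p=reject;sp=quarantine;pct=10;rua={RUA};ri=86400;aspf=r;adkim=r;fo=1;"
CURRENT_SPF = "v=spf1 include:zoho.eu include:spf.ourmailsender.com include:spf.mandrillapp.com ~all"

if __name__ == "__main__":
    for record in (CURRENT_DMARC, PROPOSED_DMARC):
        print(audit_dmarc(record))
    print(spf_all_result(CURRENT_SPF), "->", spf_all_result(CURRENT_SPF.replace("~all", "-all")))
```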