Guard Against Email Spoofing ! Setup AWS Work Mail

Guard Against Email Spoofing ! Setup AWS Work Mail

Secure your email with AWS WorkMail. Set-up to prevent spoofing and enhance your email security today.

Published Feb 19, 2024

Problem Statement

Emails sent from hr1@company.com with the subject "Confidential - Offer Letter | Candidate XYZ @ Company 1" are not authenticated, leading to warnings in Gmail, unlike emails from Company 2 which are authenticated and received without issues.

Problem Illustration

From:- hr1@company1.com
To:- candidatexyz@gmail.com
Subject: Confidential - Offer Letter | Candidate XYZ @ Company 1
Security: Standard encryption (TLS)
Warning:- " Be careful with this message The sender hasn't authenticated this message so Gmail can't verify that it actually came from them. "
From:- hr1@company2.com
To:- candidatexyz@gmail.com
Subject: Confidential - Offer Letter | Candidate XYZ @ Company 1
Security: Standard encryption (TLS)
mailed-by: company2.com
signed-by: company2.20210112.gappssmtp.com
HR Unauthorized Company Mail server
HR Unauthorized Company Mail server
Company 1
Company 2

Possible Setup

Company might have used various cloud platform solution or traditional and hybrid approach for mail server setup to get capabilities like business emails, calendaring, and contacts.
Any e-mail hosting solution eg: Zoho Mail or offerings from Microsoft Office 365 and Exchange Online, G Suite Work Space, AWS WorkMail could have been used as per company's fit on features, pricing models,functionality,techstack, vendor partnership,security,compliance and integration capabilities.
We can consider AWS offerings like AWS Simple E-mail Service, AWS WorkMail and if required integrate with Entra ID users and directory.

Possible Solution

Company1.com should check with IT department or email administrator to review email server setup plan and publish SPF, DKIM, and DMARC records in their DNS which can allow them to arrive in candidate mailbox without any warning messages.

Protocols and Working

SPF, DKIM, DMARC are protocols that authenticate emails and verify the sender's claim that the email are genuinely shared by them.


SPF (Sender Policy Framework): SPF record DNS me add kiya jata hai aur ye verify karta hai ki koun se mail servers aapke domain se emails send kar sakte hain. Amazon WorkMail ke saath aapko apne domain ke DNS settings me ek SPF record add karna padega jo Amazon WorkMail servers ko authorize karta hai.
SPF (Sender Policy Framework) Authorizes only specified servers to send emails on behalf of your domain, reducing spam and phishing by flagging emails from unlisted servers as suspicious or unauthorized.
When SPF is configured for the top-level domain (TLD), it inherently applies to all subdomains, eliminating the need for separate tests on them.
An example SPF record is: v=spf1 include:spf.protection.outlook.com ~all. These records are designed to fit within a DNS TXT record, usually under 255 characters, to prevent fragmentation during DNS queries.
v=spf1 include:_u.company1.com._spf.dmarclb.com -all
allowed hosts are determined by the SPF records for _u.company1.com._spf.dmarclb.com, and any sender not matching this authorization should be considered unauthorized due to the -all policy
~allSoftfail: Be cautious with emails from unauthorized servers; don't outright reject.
-allFail: Reject emails from unauthorized servers.
+allPass: Allow emails from any server; not recommended.
SPF validation
1.An email is sent from a domain, say company1name1.com.
2.receiving server looks up the SPF TXT record for example.com in DNS.
3.If an SPF record is found, the process continues; otherwise, the check can end with a result like "Neutral" or "None" because no SPF policy was published.
4.SPF record is parsed to identify the allowed sending hosts and policies (include, ip4, ip6, a, etc.).
5.The IP address of the sending server is compared against the list of authorized IPs/domains specified in the SPF record.
Pass: If the sending server's IP matches one of the allowed IPs/domains in the SPF record, the email passes SPF validation.
Fail: If the sending server's IP does not match any of the allowed IPs/domains, the email fails SPF validation based on the -all, ~all, or other qualifiers.
Softfail: If ~all is used and the IP does not match, it indicates a soft failure, suggesting the email should be treated with suspicion but not outright rejected.
• Neutral: If ?all is present and there's no match, the policy states no strong opinion on the failure or pass, resulting in a neutral outcome.
Fragmentation in DNS queries can occur when a DNS response exceeds the 512-byte default maximum size for a DNS UDP packet, necessitating the division of the response into multiple packets. This can complicate response handling, increase the risk of packet loss, and pose reassembly challenges, potentially impacting the reliability and efficiency of DNS lookups.


DKIM (DomainKeys Identified Mail): DKIM ek email authentication method hai jo digital signature ka use karta hai. Amazon WorkMail aapko DKIM signatures ko apne outgoing emails me include karne ki suvidha deta hai. Iske liye, aapko Amazon WorkMail management console mein DKIM setup karna padega aur fir apne DNS me corresponding DKIM records add karne honge.


DMARC (Domain-based Message Authentication, Reporting, and Conformance) combines SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to form a policy that dictates how emails failing SPF or DKIM checks should be handled.
The DMARC policy is also configured as a DNS record.
DKIM Authentication Process
DKIM Authentication Process
Source: rejoiner.com
DMARC (Domain-based Message Authentication, Reporting, and Conformance) establishes a policy for handling emails that fail SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks.
It allows domain owners to specify how email receivers should treat emails that don't pass these authentication methods.
Domain owners publish a DMARC record in their DNS. This record outlines their policy (none, quarantine, reject) for emails that fail checks.
DMARC relies on SPF and DKIM to verify the sender's identity and email integrity.
If an email fails both SPF and DKIM checks, DMARC dictates whether it should be delivered, quarantined, or rejected based on the domain owner's policy.
DMARC also specifies how email receivers can report back to the senders about messages that pass or fail DMARC evaluations, allowing domain owners to monitor and adjust their email security practices.

Amazon WorkMail

Amazon WorkMail is an economical and easy-to-set-up email service designed for businesses. It allows users to easily set up and access their mailboxes from browsers, Outlook, iOS, and Android devices. Amazon WorkMail supports popular mail protocols such as IMAP and currently does not offer support for POP3 email access for various email clients.
Managing Amazon WorkMail is straightforward, offering features like backups and the ability to integrate with existing corporate directories to ensure compliance.
It includes features like encryption at rest and in transit to secure communications.
However, Amazon WorkMail is not a free service. The pricing structure is designed to be cost-effective, with offerings such as 50 GB of storage per user at approximately $4 per month.

Advantages of Amazon WorkMail

  • an integrated mail and calendar service, eliminating the need for hosting on other platforms like GoDaddy or BigRock when your organization is onboarded or using an AWS domain.
  • It facilitates easy migration from on-premises Microsoft Exchange Servers without the need for reconfiguration on mobile devices.
  • enterprise-grade security with automatic encryption through AWS KMS, ensuring data stored on mail servers is secure.
  • It is compatible with Outlook for Windows and macOS.
  • It integrates with Microsoft Active Directory, displaying employee contact details directly.
  • As a managed service, Amazon WorkMail alleviates the need to manage hardware, patches, backups, and upgrades, further simplifying IT management.
  • Additional features include journaling, an administrative SDK, remote management, and protection against spam and viruses, making it a viable solution for business email needs.

Region Unsupported

Amazon WorkMail is not available in Asia Pacific (Mumbai). Please select another region.
Supported Regions
• Europe (Ireland)
• US East (N. Virginia)
• US West (Oregon)

AWS WorkMail and AWS Directory Service

  • AWS Directory Service is used in conjunction with Amazon WorkMail because it provides directory services, such as managing user accounts, groups, and permissions.
  • Directory service is required for integrating Amazon WorkMail to manage email users and groups effectively.
  • AWS Directory Service integrates seamlessly with WorkMail, allowing for user authentication, mailbox management, and streamlining communication within organizations.
  • Utilizing this setup, administrators can easily add, delete, or modify users, ensuring the WorkMail environment remains secure and efficiently managed.

WorkMail Integration

Amazon WorkMail supports S/MIME signing and encryption in the Microsoft Outlook client and certain mobile devices like Apple iPhone and iPad.
The Amazon WorkMail web application currently does not support S/MIME signing and encryption.
All data in transit is encrypted using industry-standard SSL. Web applications, and mobile and desktop clients transmit data to Amazon WorkMail using SSL.
WorkMail supports only IMAP clients.
Amazon WorkMail is integrated with Amazon Key Management Service for the encryption of your data. Key management can be performed from the Amazon IAM console.


Implement DMARC (DKIM + SPF) configurations in AWS WorkMail for Company 1 to authenticate emails, ensuring they are recognized as legitimate by Gmail and improving their trustworthiness among recipients.For setting up a corporate mail server, which requires email storage, management, and user accounts, it would be better to use other AWS services like Amazon WorkMail.
Explore websites like Freenom for free domain registration, offering top-level domains (TLDs) such as .tk, .ml, .ga, .cf, and .gq at no cost.
these domains are not typically recommended for professional/enterprise use due to their frequent association with temporary projects.
After acquiring a domain, you can modify its MX record to transfer it to cloud services like AWS (Amazon Web Services).
Utilize AWS Route 53 to manage your domain's DNS settings and redirect MX records to AWS for email services.
  • Here's a basic guide to transfer MX records:
  1. Log into the AWS Management Console and select Route 53 or SES.
  2. Navigate to the DNS management section and create a new record set for your domain.
  3. Choose MX as the record type.
  4. Enter the MX record value provided by AWS or another email service provider.
  5. Note that DNS changes may take some time to propagate, typically a few hours up to 48 hours. Be patient after applying changes.
  6. Save the changes.

Step by Step

1.Select in supported region US East(N. Virginia) for Amazon Workmail
2.Corporate Domain would be available, check same with Route 53 be it purchased from registrar like godaddy ICANNA had charged extra percentage for that
or directly purchase from route 53 domain name register
Amazon Route53 Hosted Zones have a spend of $0.50 per month.
purchase a domain name (recommend through Route53)
$13 company1.com via route53
3.configured domain name in hosted zone. Route 53 is supported globally.
2 record types are created automatically in hosted zone .(1.Name Server(NS) 2.SOA(Start of Authority Record))
4. Create an Amazon WorkMail Organization, clicking on
Existing Route 53 domain ….
New Route 53 domain …
goto hosted zones and check records below:-
check organization created by AWS Work-Mail and enter into same.
Add users :-
to login to WorkMail from web browser
Turning off DMARC enforcement might result in my users receiving emails that are not sent by the sender they claim to be from.
Thus,turning on DMARC enforcement might result in inbound emails being dropped or quarantined based on the sender's domain configuration.
mailed-by: amazonses.com
signed-by: ictclouddevsecopsawsapps.com
security: Standard encryption (TLS)


1.For Custom Mail Setup SPF Authentication :-
2.RFC 7208 provides detailed instructions on implementing SPF to enhance email security, aiming to reduce spam and phishing by ensuring only authorized servers send emails on a domain's behalf.
  1. To Test SPF Validation ,enter domain name company1name.com , company2name.com :
  1. AWS WorkMail
5.Route 53
6.Enforcing DMARC