🛡️ Mastering Modern Red Teaming Infrastructure Part 3 — Securing Mail Services with DNS Records and OPSEC for Bypassing Mail Security Gateways
In this installment of the “🔒 Mastering Modern Red Teaming Infrastructure” series, we explore setting up and securing mail services for our online-notifications.net domain using DNS records such as SPF, DKIM, and DMARC, while implementing robust operational security (OPSEC) measures to bypass mail security gateways effectively. This guide walks through linking Zoho Mail with the online-notifications.net domain, which is hosted on Cloudflare, and creating a mail user account to operate stealthy phishing campaigns or other red team activities.
Table of Contents
- 🔎 Why Secure Mail Services Matter for Red Team Operations
- Step 1: Setting Up Zoho Mail for online-notifications.net domain
- Step 2: Adding MX, SPF, DKIM, and DMARC Records on Cloudflare
- Step 3: Implementing OPSEC Measures to Bypass Mail Security Gateways
- Final Thoughts
🔎 Why Secure Mail Services Matter for Red Team Operations
Email remains one of the most effective vectors for social engineering, credential harvesting, and phishing. To ensure the success of such campaigns, it’s critical to:
- Establish credibility by sending emails from a verified domain.
- Avoid detection by email security systems (e.g., spam filters, DMARC validation).
- Maintain OPSEC by securing the infrastructure to avoid attribution.
By correctly implementing SPF, DKIM, and DMARC records and adding OPSEC, you can significantly ⬆ increase the deliverability of your emails while ⬇ minimizing the risk of exposure.
⚙️ Step 1: Setting Up Zoho Mail for online-notifications.net domain
1. Create a Zoho Account
Open Zoho Mail and register for an account using a personal email.

Select a plan (Zoho used to offer a free plan but has since changed its policy, so I will select the 15-day free trial). (Note: you can use other mail services; for example, https://www.name.com provides a free mail service.)

2. Link online-notifications.net Domain with Zoho
Add the online-notifications.net domain and proceed.

The domain is added, and I will proceed to domain verification.

Zoho has recognized that my domain is managed by Cloudflare and has provided the following TXT record and value to verify domain ownership.

Therefore, I will add this TXT record to the Cloudflare DNS settings and save it.


Return to Zoho and click verify TXT record after adding it in Cloudflare.

3. Create a Mail User Account
Once the domain is verified and linked, I will create an admin user.

After the user is created, the next page asks whether I need more email users; I will click proceed to set up groups.

In group settings I will click on proceed to DNS mapping

🔧 Step 2: Adding MX, SPF, DKIM, and DMARC Records on Cloudflare
1. Adding MX, SPF and DKIM records
- SPF (Sender Policy Framework) helps mail servers verify that our domain is authorized to send emails.
- DKIM (DomainKeys Identified Mail) adds a digital signature to our emails, improving authenticity.
After creating the admin user, I will proceed by adding the following records to the Cloudflare DNS settings, like the previous steps. This time, I will add MX and TXT records with their respective hosts, values and priority.

Then add them into the Cloudflare DNS as below.


Then click verify all records on Zoho

After clicking verify, you will get the verification below (sometimes you need to wait a few minutes until the DNS changes take effect).

Click on “Proceed to Email Migration,” then “Proceed to Go Mobile,” and finally “Proceed to Setup Completion.” Be sure to save the SMTP values provided, as we will need them later when configuring mail in GoPhish.

After that, the [email protected] user will be created using the same password I used during the Zoho registration process.
2. Adding a DMARC Record
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifies how receiving mail servers should handle SPF/DKIM failures. Be sure you have DKIM and SPF set up before using DMARC.
Add a TXT record to your domain with Type: TXT, Name: _dmarc, and Value: v=DMARC1; p=none

- We selected DMARC version 1 with a “none” policy, ensuring no action is taken and email delivery remains unaffected.
DMARC policy options
- none: Monitor mode. No action is taken on emails that fail DMARC checks. This is typically used when setting up DMARC to monitor email traffic and gather reports without affecting delivery.
- quarantine: Suggests that emails failing DMARC checks should be marked as suspicious and moved to the spam/junk folder.
- reject: Instructs email receivers to reject emails that fail DMARC checks (they won’t be delivered).
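The policy options above, as they look to a receiver or to a defender auditing a domain. This is an added example, not code from the original post: it parses a DMARC TXT value and reports what receivers are asked to do with failing mail. The function names are illustrative and the second sample record is constructed.

```python
# Added example: parse a DMARC TXT value and report the requested handling.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into tags; raise ValueError if it is malformed."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"not a tag=value pair: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().lower(), value.strip()))
    # RFC 7489: the version tag must come first and be exactly DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp defaults to p
        "pct": int(tags.get("pct", "100")),                  # pct defaults to 100
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }

def describe(txt: str) -> str:
    """One-line summary of how failing mail is handled under this record."""
    rec = parse_dmarc(txt)
    action = {"none": "deliver normally (monitor only)",
              "quarantine": "treat as suspicious (spam/junk)",
              "reject": "refuse delivery"}[rec["policy"]]
    note = "" if rec["rua"] else "; no rua= address, so no aggregate reports are sent"
    return f"failing mail: {action}, applied to {rec['pct']}% of it{note}"

if __name__ == "__main__":
    samples = [
        "v=DMARC1; p=none",  # the record used in this post
        "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@example.com;",  # constructed
    ]
    for record in samples:
        print(record, "->", describe(record))
```

A record with p=none and no rua= tag, like the one in this post, neither changes delivery nor produces reports.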
🔒 Step 3: Implementing OPSEC Measures to Bypass Mail Security Gateways
1. Test the email security configuration score with the Mail-Tester service
We will use the Mail-Tester service; it not only identifies issues but also provides actionable suggestions to improve your email deliverability and avoid spam filters.
Mail-Tester.com evaluates your email’s deliverability by checking:
- Email Authentication: Verifies SPF, DKIM, and DMARC records to ensure proper authentication.
- Spam Content: Analyzes for spammy language or formatting.
- Blacklist Status: Checks if your domain or IP is on spam blacklists.
- HTML/Text Balance: Ensures a proper ratio of HTML to plain text.
- Broken Links/Images: Verifies all links and images are functional.
- Embedded Images: Confirms images are properly hosted.
- Server Configuration: Checks reverse DNS, HELO, and email headers.
- IP Reputation: Assesses the reputation of your sending IP.
- HTML Quality: Ensures your email HTML code is clean and well-structured.
- Email Size: Verifies the email isn’t excessively large.
- DNS Records: Ensures your domain has correctly configured DNS records.
Visit https://www.mail-tester.com/. The site will provide an email address to send a test message.

Send an email from your mail account. For this example, I will send an empty message from [email protected]. To do this, I will use Zoho Mail through the dashboard or directly access it via https://mail.zoho.sa/zm/.

After sending the email, return to the Mail Tester site and click “Check your score”.
Below is the result of the check:


2. Enhancing Email Credibility through Signature Collection Techniques
To increase the credibility of the email, it’s recommended to use a signature taken from one of the client’s emails. Some methods to get the signature are below:
- Send an email to a non-existent address and check if the response has any signature.
- Search for public emails like [email protected] or [email protected] or [email protected] and send them an email and wait for the response.
- Try to contact some valid discovered email and wait for the response
3. Other OPSEC to bypass Mail Security Gateways
- Check your email configuration by sending an email to check-[email protected] and reading the response
- You could also send a message to a Gmail account under your control and check the email’s headers in your Gmail inbox; look for dkim=pass.
- If your mail is flagged as spam, request removal from the Spamhaus blacklist (https://book.hacktricks.xyz/generic-methodologies-and-resources/www.mail-tester.com) and from the Microsoft blacklist (https://sender.office.com/).
- Check domain also here: https://malwareworld.com/
- Warm up the domain by sending benign emails to multiple trusted recipients over time; if a message lands in spam, mark it as not spam.
- Tailored Content: Avoid suspicious keywords in the email subject and body and if possible, personalize emails to the target (e.g., include the target’s name or role).
- Attachment Techniques: Use password-protected ZIP files with the password included in the email, or use less common file extensions that evade detection (e.g., .iqy, .iso). (The next parts will show delivery through ZIP and ISO and MOTW bypass.)
- Domain Reputation: Regularly rotate domains and user accounts to avoid detection.
- Payload Delivery: Host malicious payloads on trusted services (e.g., Google Drive, Dropbox) to avoid suspicion.
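The header check mentioned in the list above (reading dkim=pass from a received message), written as an analyst-side triage helper. This is an added example, not code from the original post: it parses an Authentication-Results header (RFC 8601) and lists which of SPF, DKIM and DMARC did not pass. Function names are illustrative and both sample headers are constructed with example.com domains.

```python
# Added example: triage the Authentication-Results header of a received message.
import re

def parse_auth_results(header: str) -> dict:
    """Return {method: {"result": ..., "<ptype.property>": value}}."""
    value = header
    if header.lower().startswith("authentication-results:"):
        value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
    value = " ".join(value.split())            # unfold continuation lines
    results = {}
    for clause in value.split(";")[1:]:        # first element is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val
        # Simplification: a later result for the same method replaces the earlier one
        results[method.lower()] = entry
    return results

def triage(header: str) -> list:
    """List every SPF/DKIM/DMARC check that is absent or did not pass."""
    res = parse_auth_results(header)
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        got = res.get(method, {}).get("result", "missing")
        if got != "pass":
            findings.append(f"{method}={got}")
    return findings

# Constructed sample headers (not taken from real mail)
PASSING = ("Authentication-Results: mx.example.org;\n"
           "  dkim=pass header.i=@example.com header.s=sel1;\n"
           "  spf=pass (mx.example.org: domain of a@example.com designates"
           " 192.0.2.10 as permitted sender) smtp.mailfrom=a@example.com;\n"
           "  dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com")
FAILING = ("Authentication-Results: mx.example.org; dkim=none;"
           " spf=softfail smtp.mailfrom=a@example.com;"
           " dmarc=fail header.from=example.com")

if __name__ == "__main__":
    for name, hdr in (("PASSING", PASSING), ("FAILING", FAILING)):
        print(name, triage(hdr) or "all three checks passed")
```

A pass on all three checks shows only that the sending domain authorized the message; the header.from and header.i values tell the analyst which domain that was.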
Final thoughts
Linking our domain’s mail services with Zoho Mail and securing it with SPF, DKIM, and DMARC not only improves deliverability but also ensures a high degree of stealth in red team engagements. Coupled with strong OPSEC practices, this setup enables us to bypass mail security gateways effectively, giving an edge in executing phishing campaigns and other social engineering attacks.
Part 4: Advanced OSINT Techniques, Credential Harvesting, and Azure AD Password Spraying Tactics