Can Pihole tackle email spoofing and phishing like cloudflare?

Not sure if this is a feature request or already built into Pihole on some level, but came across this article today about Cloudflare using DNS to prevent spoofing and phishing.

My initial thought is that Pihole can do the same with the blocklists, but the article talks about email headers and DNS, and specifically:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication Reporting and Conformance (DMARC)

Don't know enough about any of this to understand if we as Pihole users are protected in the same manner, but it seems emails may need to route through Cloudflare to enable this feature?

Thoughts?

Article on Tackling Email Spoofing and Phishing

SPF, DKIM and DMARC are mechanisms that make use of DNS by defining specific DNS record formats and content.

While certainly useful and recommendable, they are relevant only for someone who owns a domain and runs an e-mail service for it. For those that use e-mail accounts like Google Mail, Hotmail, etc., the respective service providers should be expected to have created the associated DNS records to improve e-mail security.

In addition, creating those records falls well out of Pi-hole's scope:
For those DNS records to be useful, they'd have to be publicly available.

Pi-hole is a DNS filtering engine for your private network - it is not meant to be publicly available.

1 Like
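To make the point about "specific DNS record formats" concrete, here is an added example (not from the thread or the linked article) that reads the three kinds of TXT records a domain owner publishes and summarises what they ask receiving mail servers to do. The domains, the `sel1` selector, the placeholder key and the function names are constructed for illustration.

```python
# Constructed sample TXT records, as a domain owner would publish them in public DNS.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?', '+'), or None."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def assess(domain, txt, selector=None):
    """Summarise a sending domain's published SPF, DKIM and DMARC records."""
    spf = [r for r in txt.get(domain, []) if r.split()[:1] == ["v=spf1"]]
    dkim = txt.get(f"{selector}._domainkey.{domain}", []) if selector else []
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    # More than one SPF record is an error for receivers (RFC 7208), so treat as unusable.
    spf_all = spf_all_qualifier(spf[0]) if len(spf) == 1 else None
    # An empty p= tag in a DKIM record means the key has been revoked.
    dkim_key = any(parse_tags(r).get("p") for r in dkim)
    policy = parse_tags(dmarc[0]).get("p") if len(dmarc) == 1 else None
    return {
        "spf_all": spf_all,
        "dkim_key": dkim_key,
        "dmarc_policy": policy,
        # Receivers are only asked to act on failures at quarantine or reject.
        "enforcing": policy in ("quarantine", "reject"),
    }

if __name__ == "__main__":
    for name, sel in (("example.com", "sel1"), ("weak.example", None)):
        print(name, assess(name, SAMPLE_TXT, sel))
```

The records live under the sender's own domain names, and the receiving mail server is what looks them up and evaluates them; a filtering resolver such as Pi-hole neither publishes nor evaluates them.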

From the article you linked:

The new Email Security DNS Wizard can be used to create DNS records that prevent others from sending malicious emails on behalf of your domain.

This is exactly what Bucking_Horn said

What Cloudflare mentions is neither applicable to Pi-hole or DNS filtering in general nor really a protection. It is just a tool that helps you create some DNS records when you are a Cloudflare customer. Nothing I'd be too excited about, other global players have had similar tools for over a decade.

1 Like

Thank you both for clarifying this. Makes sense. For some reason when I saw DNS I thought it was from the receiver side to prevent spoofing and phishing scams, not the sender side.

Unless others have anything to add, guess we can close the thread since it's not an applicable use case.