Login based on the email domain

12

I'm thinking of a system where only users who have an email with the domain empresa.com can register. After registration an email will be sent for email validation.

So far so good, I can easily check the email domain when the user is registering.

Let's also assume that the person responsible for distributing the emails from the empresa.com domain has full control of all active emails.

Now my question is, is there a security breach that could allow users with other domains to sign up, or to mask their email?

For example, [email protected] is not an actual email, but can the user mask the email so that [email protected] is redirected to [email protected]?

Is there any possibility that DNS poisoning could affect the security of this system?

Please note that the question is not about how to implement this, but about what possible security holes or attacks I may face from someone trying to circumvent the email domain verification.

asked by anonymous 15.06.2016 / 16:54

5 answers

2

What you want to validate first is not the email user, but the domain itself.

If the primary DNS is compromised, everything is possible, so these validations are done through TXT records, which let you verify that the owner has validated the domain.

Another point is to work with third-party certified SSL companies, so that most applications will by default fail the check if any host tries to impersonate the domain through DNS attacks or by compromising the primary DNS servers.

See how Google Apps requires the TXT field:

link

You should also read more about recent email security measures (SPF, DKIM, DMARC):

link

17.06.2016 / 21:01
2

In fact there is no sure way to ensure that the email even belongs to the company. The failure will always be on the company's side, because if a person who has access to the DNS provides information to third parties, or the password to access the DNS falls into the wrong hands, there is nothing you can do to ensure the integrity of who is accessing.

It is like having a normal login and password: if the password falls into the wrong hands, there is not much to do.

What you can do is make it harder to reach possible security holes.

  • Map the location from which most of a user's accesses are made, and as soon as an access comes from a different location, generate confirmation or warning emails to those responsible.
  • For certain companies that have a fixed IP, you can allow access only from the IPs registered to that company / user.
  • There is not much that can be done; the fault will always be on the side of the user / company. Large sites like Google, Amazon and others also have problems ensuring the integrity or authenticity of who is accessing.

    21.06.2016 / 23:18
    1

    If the empresa.com domain belongs to the company that owns the software, it is safe. In fact, security depends on who owns the domain.

    For example, I have my domain splitz.com.br. If someone tries to register for some service (Google, Microsoft, etc.) using my domain as [email protected], a confirmation email will be sent to [email protected], but as I am the owner of the domain, I am the one who receives the email, not the invader. Result: the invader will not get their email confirmed and their account will not be activated on the service.

    It happened to me... They tried to register on Facebook using my email [email protected]. The result is that I received the confirmation email, confirmed the account, logged into the person's (intruder's?) Facebook, changed their password, and deleted the account from Facebook.

    To conclude: whoever owns the domain does whatever they want. The attacker would have to have access to the domain's DNS to cause problems. I mean having the password to access the Registro.br site (or GoDaddy, CentralNic, etc.) to modify the DNS entries below.

    Only by having access to this screen could the attacker, as you said, mask the email so that [email protected] is redirected to [email protected].

    17.06.2016 / 17:29
    0

    I'll try to answer the two things you asked for (or what I understood in the question):

    To automatically check whether the email belongs to the company you want to restrict registration to, use the following code:

        // split at '@': index 0 is the local part, index 1 the domain
        $verify = explode('@', $email);
        // guard against an address without '@'; domains are case-insensitive
        $domain = isset($verify[1]) ? strtolower($verify[1]) : '';
        if ($domain == 'company.com.br') { return true; }
        return false;

    Now let's talk about security in emails: it really is safe, and it is very difficult for a person to circumvent the RECEIPT of an email by choosing a domain. To circumvent the SENDING of an email there was a very easy trick, which I do not know whether it has been fixed today. Some software allows you to change the email header when sending (I have done it :). Simply change the from: property to [email protected]. This is only for sending, though; if you send an email to that address, it will get stuck on the IMAP SERVER, which possibly will not find anything.

    That is, the person sends fake emails but does not receive that false email.

    So this proposal is SAFE;)

    - Just remembering that the beginning of Facebook was thus restricted to anyone who had edu.com (or just university students) emails.

    23.06.2016 / 03:19
    0

    If the "attacker" has access to this company's emails and creates a redirect, they can circumvent it.

    Assuming it is a company with its own domain, here are some ideas:

  • SPF Check
  • You can make checks on the SPF and DNS records for the domain. By checking the domain's SPF, you can get the IPs of the company's MX. You can

    algorithm: dns_get_record("domain.com", DNS_TXT); locate the records with v=spf1; locate all the IPs in this line and put them in an array; for example, if the MX contains 200.10.20.30, restrict access to the network 200.10.20.__

  • Whois Check
  • You can get the IPs of the company's domain and check the IP of whoever is accessing. Doing a Whois on the IP of whoever is accessing will confirm to you who owns the IP, if the company uses a fixed IP. You can restrict access from broadband providers such as GVT, OI, etc., or simply not query in these cases.

    algorithm: gethostbyname("domain.com"); apply a whois to the domain; filter by organization name

  • Map IP History
  • You can simply build a database with the history of IPs used by each domain (users with emails @domain.com) when accessing the system. That way you can see whether they are on the same network every time. If some access deviates from the network pattern, you can block that specific user.

    For example:

    [email protected] - IP 200.10.20.30
    [email protected] - IP 200.10.20.32
    [email protected] - IP 200.10.20.37

    You can use a frequency pattern for "200.10.20".

    [email protected] - IP 177.81.10.20 - Block (totally different IP)

    24.06.2016 / 05:48
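The SPF-based network check sketched in the "SPF Check" idea above, written out as an added example (not the answer's own code). Instead of a live dns_get_record() lookup it works on a constructed TXT record set: it keeps only the v=spf1 record, collects the ip4: mechanisms, and tests whether a client address falls inside one of them. The 200.10.20.x and 177.81.10.20 addresses are the ones used in the answer; 198.51.100.7 and the include: target are constructed.

```python
import ipaddress
from typing import List

# Constructed sample of what a TXT lookup for the company domain might return.
SAMPLE_TXT_RECORDS = [
    "google-site-verification=placeholder-token",
    "v=spf1 ip4:200.10.20.0/24 +ip4:198.51.100.7 include:_spf.example.net -all",
]


def spf_ip4_networks(txt_records: List[str]) -> List[ipaddress.IPv4Network]:
    """Collect the ip4: networks of the domain's SPF record (a bare address is a /32)."""
    networks: List[ipaddress.IPv4Network] = []
    for record in txt_records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue  # unrelated TXT entry, not the SPF policy
        for term in terms[1:]:
            # A mechanism may carry a qualifier; only '+' (the default) designates
            # addresses the company actually authorises, so '-', '~' and '?' are skipped.
            qualifier = term[0] if term[0] in "+-~?" else "+"
            if qualifier != "+":
                continue
            mechanism = term.lstrip("+-~?")
            if mechanism.lower().startswith("ip4:"):
                networks.append(ipaddress.IPv4Network(mechanism[4:], strict=False))
            # include:, a, mx and redirect= would need further DNS lookups; they are
            # deliberately left unresolved in this offline example.
    return networks


def client_in_spf_networks(client_ip: str, txt_records: List[str]) -> bool:
    """True when the client address is covered by an ip4: mechanism of the SPF record."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in spf_ip4_networks(txt_records))


if __name__ == "__main__":
    for ip in ["200.10.20.30", "198.51.100.7", "177.81.10.20"]:
        print(ip, "->", client_in_spf_networks(ip, SAMPLE_TXT_RECORDS))
```

SPF only enumerates the hosts allowed to send mail for the domain, so users' workstations will often sit outside these ranges; treat a miss as a reason for extra verification rather than as proof of an impostor.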