Mail DNS Security Records

3 minute read

Description:

This post is meant to consolidate the email security records that are common practice for organizations that host their own mail. Essentially, in order for your mail not to be marked as spam by other mail servers, you need to set up and configure multiple DNS records for your mail server, and each one answers a different question for the receiving side: SPF says which hosts may send for the domain, DKIM proves the message was signed by the domain and not altered, FCrDNS ties the sending IP to a hostname, and DMARC tells receivers what to do when the first two fail.

To Resolve:

  1. The most common initial email security check to set up is an SPF record. It publishes the list of hosts allowed to send mail for your domain, so receivers can flag or reject forged mail that claims to come from you. I describe the setup for this record in my DNS Records post but for convenience:

    • SPF Record Setup Example: v=spf1 a mx ip4:12.218.xxx.xxx ip4:66.128.xxx.xxx/27 ~all
    • v=spf1 = Means it’s defining an SPF record (it must be the first term)
    • a = Look up the A record of the domain the SPF record belongs to and allow that address
    • mx = Look up the MX records of the domain and allow the addresses those mail hosts resolve to
    • ip4:12.218.xxx.xxx = Trust mail from this single IP
    • ip4:66.128.xxx.xxx/27 = Trust all 32 hosts in this /27 block (66.128.xxx.xx0 – 191)
    • ~all = soft fail. Anything not listed above is probably not us; accept it, but treat it as suspect and use your own filtering rules
    • Mechanisms are evaluated left to right and the first match decides the result, so the all term always goes last. Its qualifier sets the result for any host you did not list:
    • Statement => Result => Meaning
    • +all => pass => Allow all mail (this makes the record useless, since any host passes)
    • -all => fail => Only mail that matches one of the mechanisms (ip4, a, mx, etc.) in the record is allowed; everything else should be rejected
    • ~all => softfail => Mail that does not match is still accepted, but marked as suspect so it can feed spam scoring or DMARC
    • ?all => neutral => No policy statement; the receiver treats it as if there were no record
    • Publish only one SPF record per domain, and keep the total number of a, mx, include and redirect terms at or below 10 DNS lookups, otherwise receivers return permerror and the record protects nothing.
    • SPF Record Implementation: On your DNS provider interface (or local server if you don’t have an external DNS provider), create a TXT record at the domain name itself (the apex, usually shown as @) similar to:
      v=spf1 a mx ip4:12.218.xxx.xxx ip4:66.128.xxx.xxx/27 ~all
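
To see how a receiver actually walks that record, here is a small SPF evaluator. It is an added example, not code from this post or from any SPF library: DNS is replaced by constructed in-memory tables for example.com (documentation addresses, not real hosts), and only the ip4, ip6, a, mx and all mechanisms are implemented, so include and redirect are out of scope.

```python
"""Evaluate an SPF record for a sending IP and return the SPF result.

Added example, not from the original post. DNS is replaced by the
constructed in-memory tables below so it runs offline; a real checker
resolves a/mx/include with DNS and must stop with permerror after
10 lookups (RFC 7208). Only ip4/ip6/a/mx/all are implemented here.
"""
import ipaddress

# Constructed zone data for example.com (assumption; documentation ranges).
ZONE_A = {"example.com": ["192.0.2.1"],
          "mail.example.com": ["203.0.113.25"]}
ZONE_MX = {"example.com": ["mail.example.com"]}

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(ip, mechanism, domain, zone_a, zone_mx):
    """True if ip matches one mechanism (qualifier already stripped)."""
    name, _, arg = mechanism.partition(":")
    name = name.lower()
    if name in ("ip4", "ip6"):
        # A bare address becomes a /32 (or /128); mixed v4/v6 never matches.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":                        # bare 'a' means the record's own domain
        return any(ipaddress.ip_address(x) == ip
                   for x in zone_a.get(arg or domain, []))
    if name == "mx":                       # every address of every MX host
        hosts = zone_mx.get(arg or domain, [])
        return any(ipaddress.ip_address(x) == ip
                   for host in hosts for x in zone_a.get(host, []))
    if name == "all":
        return True
    raise ValueError(f"unsupported mechanism: {mechanism}")


def check_spf(record, sender_ip, domain, zone_a=ZONE_A, zone_mx=ZONE_MX):
    """Walk the record left to right; the first matching mechanism wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                 # not an SPF record (e.g. an spf2.0 Sender ID record)
    for term in terms[1:]:
        if "=" in term:                    # modifiers such as redirect= are not evaluated here
            continue
        qualifier, mechanism = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        if mechanism_matches(ip, mechanism, domain, zone_a, zone_mx):
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and there was no 'all' term
```

Running check_spf with the record above and a sender of 198.51.100.192 (one address past the /27) returns softfail, and swapping ~all for -all turns that into fail; a record with no all term at all returns neutral, which is why forgetting it leaves the domain unprotected.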
  2. Sender ID => Similar to SPF, but not the same. It was Microsoft’s variant (its records start with spf2.0 instead of v=spf1) and checked the visible sender headers rather than the envelope sender. It is rarely used and is considered obsolete, so there is no need to publish one.

  3. DKIM => DomainKeys Identified Mail (DKIM) is a method to tie a message to a domain name: the sending server signs selected headers and the body with a private key, and receivers verify that signature against a public key published in your DNS. That lets a person or company take responsibility for the message, and it proves the signed parts were not altered in transit. Follow this guide for an example setup.

    • DKIM Record Setup Example: v=DKIM1;k=rsa;p=randChars
    • v=DKIM1 = Means it’s defining a DKIM record
    • k=rsa = Key type (the signing algorithm; DKIM signs, it does not encrypt)
    • p= (key) = Your base64-encoded public key. The matching private key stays on the mail server and is never published
    • DKIM Record Implementation: On your DNS provider interface (or local server if you don’t have an external DNS provider), create a TXT record similar to the one below. The part before ._domainkey is the selector; it has to match the s= value your mail server writes into the DKIM-Signature header (d= carries the domain), because that is how a receiver finds the right key.
    
    Name = randChars._domainkey  
    TTL = 14400  
    Type = TXT  
    Data = "v=DKIM1;k=rsa;p=randChars"
    
  4. FCrDNS (Forward Confirmed reverse DNS) is used to make sure that the PTR record for your mail server’s IP and the A record for the hostname it returns agree with each other. The PTR record lives in the reverse zone for the IP block, so if your ISP or hosting provider owns the addresses you have to ask them to set it, and the name should be the same hostname your server announces in its HELO/EHLO.

    • Why Forward Confirmed rDNS is Important => FCrDNS helps prevent others from spoofing your hosts. If I’m the bad guy and I control the reverse lookup for my IP addresses, I can put anything in there. I could pretend to be your bank and try to trick you into giving up your account information. However, what I can’t spoof is the forward lookup: if you look up the fake name I return and it either doesn’t resolve or resolves to a different IP address, then you know it’s not genuine. If it does resolve to the same IP address, then you know it’s good. This is because only the domain owner can make FCrDNS work correctly. This is a very important tool in detecting email phishing scams.
    • Here’s how it’s supposed to work. Suppose your IP is 1.2.3.4:
    • 1.2.3.4 => PTR Record => hostname.example.com
    • hostname.example.com => A Record => 1.2.3.4
    • The name that is returned by the rDNS lookup needs to point back to the same IP address. Source
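
The check a receiving server performs is short but has three ways to fail (no PTR at all, a PTR naming a host that does not resolve, and a PTR whose forward lookup gives a different address). Here it is as an added example, not code from this post: by default it uses the system resolver through the socket module, and the lookup functions are parameters so the constructed tables at the bottom (documentation addresses, not real hosts) can stand in for DNS.

```python
"""Forward-confirmed reverse DNS check for a sending IP.

Added example, not from the original post. By default it uses the
system resolver; the lookup functions can be swapped for the
constructed in-memory tables below so the check runs offline.
"""
import socket


def ptr_via_socket(ip):
    """All PTR names for ip; raises socket.herror (an OSError) if there is none."""
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host] + aliases


def a_via_socket(name):
    """All addresses name resolves to; raises socket.gaierror (an OSError) if none."""
    return socket.gethostbyname_ex(name)[2]


def fcrdns(ip, ptr_lookup=ptr_via_socket, a_lookup=a_via_socket):
    """Return (confirmed, ptr_name).

    Confirmed only when some PTR name for ip resolves to a set of
    addresses that contains ip again, which only the domain owner can arrange.
    """
    try:
        names = ptr_lookup(ip)
    except OSError:
        return False, None                    # no reverse record at all
    for name in names:
        try:
            addrs = a_lookup(name)
        except OSError:
            continue                          # PTR points at a name that does not resolve
        if ip in addrs:
            return True, name
    return False, names[0] if names else None  # PTR exists but does not point back


# Constructed zone data (assumption; documentation addresses, not real hosts).
FAKE_PTR = {
    "192.0.2.4": ["hostname.example.com"],    # good: forward-confirmed
    "192.0.2.5": ["mail.bank.example"],       # spoofed PTR, the A record disagrees
    "192.0.2.6": ["ghost.example.com"],       # PTR to a name with no A record
}
FAKE_A = {
    "hostname.example.com": ["192.0.2.4"],
    "mail.bank.example": ["203.0.113.7"],
}


def fake_ptr(ip):
    """Stand-in for ptr_via_socket backed by FAKE_PTR."""
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_a(name):
    """Stand-in for a_via_socket backed by FAKE_A."""
    if name not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[name]
```

Call fcrdns("192.0.2.4", fake_ptr, fake_a) to see the confirmed case; the spoofed bank name and the dangling PTR both come back unconfirmed, and an address with no PTR at all comes back with no name, which is how most receivers score it (they cannot tell the last two apart without the forward lookup).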
  5. DMARC records => Specify how mail servers should handle messages that carry your domain in the From: header but fail SPF and DKIM (or pass them only for a domain that does not align with the From: domain), and where to send reports about those messages. I used these two guides here and here. The main thing to note is that you need to set up DKIM and SPF before setting up DMARC records.

    • DMARC Record Setup Example: v=DMARC1; p=quarantine; sp=none; ruf=mailto:tech@domain.com; rf=afrf; pct=100; ri=86400

    • Where:
    • Tag => Purpose => Sample
    • v => Protocol version; must be the first tag => v=DMARC1
    • pct => Percentage of failing messages the policy is applied to (default 100) => pct=20
    • ruf => Reporting URI for forensic (per-message failure) reports => ruf=mailto:authfail@example.com
    • rua => Reporting URI for aggregate (daily XML summary) reports => rua=mailto:aggrep@example.com
    • p => Policy for the organizational domain: none, quarantine or reject => p=quarantine
    • sp => Policy for subdomains of the organizational domain (defaults to the value of p) => sp=reject
    • adkim => Alignment mode for DKIM: r (relaxed, same organizational domain) or s (strict, exact match) => adkim=s
    • aspf => Alignment mode for SPF, same values => aspf=r
    • rf => Format for forensic reports (afrf is the only defined value) => rf=afrf
    • ri => Requested interval between aggregate reports, in seconds (default 86400) => ri=86400
    • Source
    • Following the same rollout advice as for SPF records, it is best to go from none => quarantine => reject to get tighter controls, reading the reports at each stage before tightening. Add a rua= address as well: the aggregate reports are what tell you which legitimate sources are failing before a quarantine or reject policy starts dropping their mail.
    • The none record would be: v=DMARC1; p=none; sp=none; rua=mailto:user@example.com; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400
    • DMARC Record Implementation: On your DNS provider interface (or local server if you don’t have an external DNS provider), create a TXT record at the _dmarc host name (so the full name is _dmarc.yourdomain.com) similar to:
    
    Name = _dmarc  
    TTL = 14400  
    Type = TXT  
    Data = "v=DMARC1; p=quarantine; sp=none; ruf=mailto:tech@domain.com; rf=afrf; pct=100; ri=86400"
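
To make the alignment rules concrete, here is a parser for that record plus the decision a receiver makes once it has the SPF and DKIM results. It is an added example, not code from this post or from any DMARC library. One simplification is labelled in the code: relaxed alignment compares organizational domains, which real verifiers derive from the Public Suffix List, and org_domain() below just assumes the last two labels.

```python
"""Parse a DMARC record and decide what a receiver does with a message.

Added example, not from the original post. Alignment needs the
organizational domain, which real verifiers compute from the Public
Suffix List; org_domain() below assumes a simple two-label domain.
"""

# Defaults from RFC 7489 for tags that are omitted from the record.
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100",
                  "rf": "afrf", "ri": "86400", "fo": "0"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; ...' into a dict, filling in defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # v= must come first and be exactly DMARC1, or receivers ignore the record.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    for key, default in DMARC_DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])        # subdomain policy inherits p
    return tags


def org_domain(name):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the domain that passed SPF or DKIM align with the From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":                          # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed


def dmarc_disposition(record, record_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action).

    record_domain is where the record was found (the From: domain or its
    organizational domain); spf_domain is the MAIL FROM domain SPF checked;
    dkim_domain is the d= of a verified signature (None if there is none).
    action is 'none', 'quarantine' or 'reject'.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:                    # one aligned pass is enough
        return "pass", "none"
    # sp= applies when the From: domain is a subdomain of the record's
    # domain; otherwise p= applies.
    is_subdomain = from_domain.lower() != record_domain.lower()
    return "fail", policy["sp"] if is_subdomain else policy["p"]
```

Two things worth noticing when you run it: an SPF softfail is not a pass, so with the record above a message whose only evidence is ~all lands in quarantine; and with sp=none a forged news.yourdomain.com sender is delivered untouched even though p=quarantine, which is exactly why the guides recommend tightening sp along with p. When pct is below 100, receivers apply the action to that share of failing messages and downgrade the rest one step (reject to quarantine, quarantine to none), which the function above leaves to the caller.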
    
