Email security


1) Basic security: DNS MX, PTR
2) Advanced: Use SPF with DKIM and DMARC.

1) Basic security: DNS MX, PTR
A domain has a DNS record for email: the MX record.
domain un.org --MX-> (1) unasav5.un.org --A--> (2) 157.150.241.16 --PTR-> (3) unasav5.un.org

(1) must be the same as (3): the MX host's A record points to an IP whose PTR record resolves back to the same hostname (forward-confirmed reverse DNS).

>nslookup -q=mx un.org 8.8.8.8
   un.org  MX preference = 10, mail exchanger = unasav5.un.org
>nslookup -q=a unasav5.un.org
   Address:  157.150.241.16
>nslookup -q=ptr 157.150.241.16
   16.241.150.157.in-addr.arpa     name = unasav5.un.org

Example when it is not configured correctly:
>nslookup -q=mx exmple.com 8.8.8.8
exmple.com      MX preference = 10, mail exchanger = localhost.exmple.com
>nslookup -q=a localhost.exmple.com 8.8.8.8
Address:  127.0.0.1
>nslookup -q=ptr 127.0.0.1
*** google-public-dns-a.google.com can't find 1.0.0.127.in-addr.arpa.: Non-existent domain

2) Advanced security

SPF: a 'firewall' for the source of mail (which hosts may send for the domain)
DKIM: the 'HTTPS' of mail (a signature that shows the received message was not altered)
DMARC: what happens to mail when the SPF and DKIM checks do not pass.

SPF validates the domains/IPs that can send messages.
DKIM verifies that message content is authentic and was not changed in transit (helps prevent spoofing of your outgoing messages).
DMARC specifies how your domain handles suspicious emails that it gets.

https://toolbox.googleapps.com/apps/checkmx/
https://toolbox.googleapps.com/apps/dig/#TXT/

===SPF
Create a TXT record with the following values:
Name/Host/Alias: Enter @ or leave it blank.
TTL: Enter 3600 or leave the default.
Value examples:
v=spf1 include:_spf.google.com ~all
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
v=spf1 include:serverdomain.com include:_spf.google.com ~all
v=spf1 redirect=_spf.mail.ru



===DKIM
DKIM adds a cryptographic signature, carried in the DKIM-Signature header, to all outgoing messages.
Email servers that receive these messages use DKIM to verify that signature and confirm the message was not changed after it was sent.


DKIM uses a pair of keys, one private and one public, to verify messages.
The private domain key signs all outgoing messages sent from your Gmail domain and adds the signature header.
The matching public key is published in a Domain Name System (DNS) record for your Gmail domain. Email servers that receive messages from your domain use the public key to verify the signature and confirm the message source.
When you turn on email authentication in Gmail, DKIM starts signing the headers of outgoing messages.

1) Generate the domain key for your domain.
2) Add the public key to your domain's DNS records. Email servers use this key to verify the DKIM signature in message headers.
3) Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

DNS:
In this example, the DKIM key is split into two text strings and each string is in quotes (a single string in a TXT record is limited to 255 characters, so long keys are split):
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/"
"zMthVPE2WZKA28+QomQDH7ludLGhXGxpc7kZZCoB5lQiP0o07Ful33fcED73BS9Bt1SNhnrs5v7oq1pIab0LEtHsFHAZmGJDjybPA7OWWaV3L814r/JfU2NK1eNu9xYJwA8YW7WosL45CSkyp4QeQIDAQAB"


Check: in the message header, find the line starting with "DKIM-Signature", as in this example (d= is the signing domain and s= is the selector, which names the public key record in DNS):
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;


===DMARC
DMARC uses SPF and DKIM to verify that messages are authentic.
Messages that do not pass SPF or DKIM trigger your DMARC policy.

To turn on DMARC, update your domain settings with a DNS TXT record.

TXT record name: In the first field, under DNS Host name, enter:
_dmarc.solarmora.com

TXT record value: In the second field, enter the values that define your DMARC policy, for example:
v=DMARC1; rua=mailto:dmarc-reports@solarmora.com; p=quarantine; pct=90; sp=none



To pass the DMARC check:
- Incoming messages must be authenticated by DKIM, SPF, or both.
- The authenticated domain must align with the domain in the message's From header address.

The policy is in the form of a DNS TXT record, and defines how your domain handles suspicious emails.
A DMARC policy supports three ways to handle suspicious emails:
- Take no action on the message and log it in a daily report.
ex:  v=DMARC1; p=none; rua=mailto:dmarc@solarmora.com

- Mark the message as spam. Gmail puts these messages in the recipient's spam folder.
ex:  v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc@solarmora.com

- Tell the receiving server to reject the message. This also causes an SMTP bounce to the sender.
ex:  v=DMARC1; p=reject; rua=mailto:postmaster@solarmora.com, mailto:dmarc@solarmora.com
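To make the pass/alignment rules and the p=, sp= and pct= options above concrete, here is an added example (not part of the original note or of any Gmail tooling): a small Python evaluator that takes a DMARC record plus the domains that passed SPF and DKIM and returns the disposition. The organizational-domain logic is simplified to the last two labels, which is an assumption; real receivers use the Public Suffix List.

```python
# Added example (not from the original note): a minimal DMARC evaluator for
# one message, given which domain (if any) passed SPF and which passed DKIM.
# Simplification: the organizational domain is taken as the last two labels;
# a real receiver uses the Public Suffix List instead.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; pct=90; sp=none' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    # Defaults from RFC 7489: relaxed alignment, policy applied to 100%
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf_domain=None, dkim_domain=None, roll: int = 0):
    """Return (passed, action); action is 'none', 'quarantine' or 'reject'.
    spf_domain/dkim_domain: domain that passed that check, or None.
    roll: stand-in for the receiver's random draw in [0, 100) used for pct=."""
    tags = parse_dmarc(record)
    if aligned(dkim_domain, from_domain, tags["adkim"]) or \
       aligned(spf_domain, from_domain, tags["aspf"]):
        return True, "none"
    policy = tags["p"]
    # sp= overrides p= when the From domain is a subdomain of the record's domain
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # Messages outside the pct= sample get the next less severe action
    if roll >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy
```

Feed it the record from the example above with the domain that passed each check to see which of the three actions a receiver would apply.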