Abstract


  • Ways to ensure the security of emails

DNS Records


SPF

  • Sender Policy Framework
  • A TXT record that lists the mail servers you authorise to send email for your domain name. The receiver can use it to decide whether to accept or reject the email
  • Only one SPF TXT record may be associated with your domain

Authorise Google & Cloudflare email servers

TXT DNS Record: v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all

~all means softfail (a soft deny): mail from servers not on the list is still accepted but placed in spam

SPF no longer required manually

In the past, providers checked the From domain for SPF. Now they check the Return-Path domain. Services like Postmark control the Return-Path, so SPF passes by default without you adding anything.

DKIM

  • DomainKeys Identified Mail
  • DKIM works by attaching a digital signature to the header of your outgoing emails. The receiving mail server fetches the matching public key (published in a TXT record, or reached through a CNAME record) and uses it to verify the signature. If the signature verifies, the recipient can be more confident the email hasn’t been altered in transit
  • This ensures the email truly originated from your domain and the content of the email hasn’t been changed since it was sent

The DKIM DNS Record

The general TXT DNS Record format: [selector]._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=[your public key data]"

We can have multiple DKIM records (one per selector), for subdomains or for different service providers

DMARC

  • Domain-based Message Authentication, Reporting & Conformance
  • A policy framework that builds on top of SPF and DKIM. It lets you publish a policy in a TXT record telling receiving mail servers how to handle emails that fail the SPF or DKIM checks
  • For the setup guide, refer to Setting Up DMARC

Example DMARC records

Monitor only (p=none), with reports sent to me:

_dmarc.yxy.ninja. 5m TXT "v=DMARC1; p=none; rua=mailto:[email protected]"

If an email claims to be from yxy.ninja but fails the SPF and DKIM checks, always reject it (100% of the time) and send me reports at [email protected]:

_dmarc.yxy.ninja. IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]"

Important

A domain must have exactly one DMARC record!

Having multiple DMARC TXT records is technically invalid, but many receiving servers either:

  1. treat it as “no DMARC” and fall back to normal spam checks, or
  2. pick the first record they like and ignore the rest.
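A small checker, added here as an example and not part of these notes, that applies the rules from the SPF, DKIM and DMARC sections (exactly one SPF record ending in -all, a usable DKIM key for a selector, exactly one DMARC record with an enforcing policy and a report address) to constructed zone data. The selector "google", the domain bad.example and the report mailbox are placeholders, not values from these notes.

```python
from typing import Dict, List

# Constructed sample zone data, not real DNS answers: TXT payloads keyed by record name.
# The selector "google", the domain bad.example and the report mailbox are placeholders.
ZONE: Dict[str, List[str]] = {
    "yxy.ninja": ["v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all"],
    "google._domainkey.yxy.ninja": ["v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"],
    "_dmarc.yxy.ninja": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid"],
    # Two DMARC records on one name: invalid, as the note above explains.
    "_dmarc.bad.example": ["v=DMARC1; p=none", "v=DMARC1; p=quarantine"],
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' payload (DKIM and DMARC syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_domain(domain: str, zone: Dict[str, List[str]], selector: str) -> List[str]:
    """Return findings for a domain's SPF, DKIM (given selector) and DMARC records."""
    findings: List[str] = []
    # SPF: exactly one record, and -all so unlisted senders hard-fail rather than softfail.
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF: does not end in -all, unlisted senders only softfail")
    # DKIM: the selector must publish a v=DKIM1 record with a non-empty public key.
    dkim = parse_tags(zone.get(f"{selector}._domainkey.{domain}", [""])[0])
    if dkim.get("v") != "DKIM1" or not dkim.get("p"):
        findings.append(f"DKIM: selector '{selector}' publishes no usable public key")
    # DMARC: exactly one record; p= must enforce and rua= must be set to get reports.
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p')} does not enforce on failed checks")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} only enforces on a fraction of mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings
```

Run `check_domain("yxy.ninja", ZONE, "google")` against the sample zone: the only finding is the ~all softfail, while bad.example is flagged for its missing SPF, missing DKIM key and duplicate DMARC records.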