Cybersecurity

@[email protected]

This is a great idea! Thank you for posting it!

This is overall best practices and overall correct (as in: you should probably do this, and it will never hurt), but realistically any domain that doesn't at least have an SPF record will be already treated as unable to send mail at all by any properly configured receiving server, especially ones that would report you to a blocklist.

This isn't bad advice regardless, just a bit redundant.

DMARC record that tells the receiving email server how to handle email that fails either check.

Could be that I misunderstood you, but: It tells what to do if no mechanism (DKIM or SPF) results in a pass. DMARC actually only requires one mechanism to pass. So an email with a DKIM fail, but an SPF pass is considered OK. And vice-versa.

Edit: good advice by the way regarding protecting your domain reputation, I'll check our non-email domains at work first thing tomorrow.

There is nothing admin-wise I hate more than dealing with email security. Fucking google is horrible. At least when Microsoft randomly decides the half dozen family members on my personal domain are bulk email spammers, there's a form to reach out. Google is a piece of shit in this way just like in so many other ways.

@[email protected]

While you are securing your domain, 3 more good ideas:

1. Enable DNSSEC. This will sign the dns query responses to help ensure your DKIM and TLSA can be trusted.

2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.

3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@“ subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).

@[email protected] Personally, i also add this as a wildcard for the domain. Not sure if its really required, but better safe than sorry. Due to a standardized function i built for myself in my #dnscontrol files, its no additional work.

@[email protected] Nitpick: SPF record is not named "@", it just needs to be at apex of zone. @ is often a shorthand to say apex in zonefiles, but doesn't exist as such really in DNS queries and answers. Also, if you want to fully protect your domain, you can have a null MX record (RFC 7505) and for other matters than email, but also still important, a null CAA record to prevent any rogue certificates issued for it.

@[email protected] Last I knew, my roommate who ran a homebrew server was frustrated that they can't run an email server because outgoing email was assumed to be spam anyway. It would be nice if there were an actual way out of this!

@[email protected] Thank you for this

@[email protected] No-email domains can also set a null MX:

https://www.rfc-editor.org/rfc/rfc7505.html

MX 10 "."

@[email protected] @[email protected] This is a gold nugget of a tip. Partly because it’s timeless. One of us should build a directory page full of #infosectips

@[email protected] would adding those txt records cause any issue to a wildcard redirect I use for myself?

I have xxxxx.com and an auto redirect by my dns provider so that anything sent to [email protected] is forwarded to [email protected] so when I give out the address I can see if it's been shared.

I like the idea of protecting against unauthorized use but wouldn't want to lose my throwaway capability.

I find email servers to be akin to dark arts so am at a loss here tbh.

Very good tip! Thank you.

@[email protected] I have this problem! But I also use my domain for sending post notifications via MailPoet. What are my options?

@[email protected] This is especially true if you defensively registered a bunch of lookalike domains.

@[email protected] @_[email protected] Thank you for sharing this.

@[email protected] The M3AAWG provides best practices for parked domains, including the recommendation to implement a wildcard DKIM signature.

*._domainkey.example.com TXT “v=DKIM1; p=”

https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

@[email protected] If I change my mind and I want to send e-mails from the domain: Can I expect that this will work, if I change the DNS records file again and wait for TTL seconds? Or will this take considerably longer?

Yeah I regularly get DMARC reports for domains I’m not using. For ease I just added them as an alias to an Google workspace account I already have and use the DKIM, DMARC etc that Google provides. In case I ever need to send an email with that domain

@[email protected]

Thank you!!!

There's an article at gov.uk also covering DKIM and null-records:
https://www.gov.uk/guidance/protect-domains-that-dont-send-email
@[email protected]

@[email protected] Interesting. I own two domains (one I plan to use, one I use to connect to things remotely) and maybe I should set this up.

@[email protected] thank you sir

@[email protected] arghh forgot to up date the IP address …. 🤬
Good tip

@[email protected] @[email protected]

@[email protected] also good idea while you’re in there to make sure you don’t have any old records pointing to servers you don’t own anymore.

This is such thoughtfully written advice even though I’m not in CSI I’m still going to save it for later. Who knows. Thank you.

Right. I should do this.

@[email protected] That's how it's done. Short and clear writeup. Thank you!

@[email protected] thanks for sharing this. It was boosted into my neck of the woods and I don’t actually know who you are - is there a semi-authoritative place this advice is documented that I can 1) double check, because that seems like a good idea at least in principle with security related stuff like this and 2) pass on to others?