Fortify your email server. But why? Nowadays your email risks being bounced by the receiving server for security reasons.

SPF record

SPF (Sender Policy Framework) is a protocol designed to detect and block email spoofing. It is a mechanism that tells a receiving email server which sources to trust. This information is stored in a TXT record (do not expect an actual SPF record type here) in the DNS zone file for the domain, for example:

mydomain.nl. IN TXT "v=spf1 ip4:80.20.219.145"

Now any email with an @mydomain.nl address not originating from 80.20.219.145 is suspect.

This is how Google Mail deals with SPF. First an email (raw source) without SPF settings:

Received: from vs935.mydomain.nl ([80.20.219.145])
 by mx.google.com with ESMTPS id w11-v6si590606edr.322.2018.06.30.03.59.17
Received-SPF: neutral (google.com: 80.20.219.145 is neither permitted
 nor denied by best guess record for domain of rik@mydomain.nl)
 client-ip=80.20.219.145;
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 80.20.219.145 is neither permitted nor denied
 by best guess record for domain of rik@mydomain.nl)
 smtp.mailfrom=rik@mydomain.nl

Next, the email with an SPF record in the zone file:

Received: from vs935.mydomain.nl ([80.20.219.145])
 by mx.google.com with ESMTPS id p1-v6si1303721edq.94.2018.06.30.13.22.39
Received-SPF: pass (google.com: domain of rik@mydomain.nl designates
 80.20.219.145 as permitted sender) client-ip=80.20.219.145;
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of rik@mydomain.nl designates
 80.20.219.145 as permitted sender) smtp.mailfrom=rik@mydomain.nl

Note the spf=pass result.

PTR record

Another measure is setting a PTR (pointer) record, which enables a so-called reverse lookup. The receiving mail server wants to check whether the source from which the email is sent is allowed to act as the mail server it advertises.

If the sending server is vs935.mydomain.nl with IP address 80.20.219.145, then a new zone file is created for 219.20.80.in-addr.arpa. Yes, the numbers in the IP address are reversed and yes, the PTR record is NOT created in the zone file of the domain itself.

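The new zone file will then contain a single DNS record (note the trailing dot on the host name, which keeps it from being expanded relative to the zone origin):

145.219.20.80.in-addr.arpa. 3600 IN PTR vs935.mydomain.nl.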

Check the settings on the command-line:

dig -x 80.20.219.145
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61780
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;145.219.20.80.in-addr.arpa. IN PTR

;; ANSWER SECTION:
145.219.20.80.in-addr.arpa. 3600 IN PTR vs935.mydomain.nl.

 
