Setting up your DNS for Secure emails


What is DNS

The Internet uses IP addresses, which are banks of 4 sets of up to 3 numbers, to determine where anything is. For example;

Of course, when we want to go to a website or send an email, we do not type in the IP address; we type in more meaningful text. To work out what IP address the text is referring to, we have Domain Name Services (DNS), which act as a match for domain names and IP addresses. So in the case of PRODOCOM, we have a domain If you want to find our website you type in and your system will look up a DNS server and find our domain. It will see that we have a DNS record that says that you can find at and your system can now find our website on the internet. Similarly if you want to send an email to then your mail server will look up a DNS server and see that the MX record (DNS language for mail server) of so now your mail server can find our mail server and make a connection.

The records for a domain on a DNS server can hold lots of other information. Some of this is used by recipient email servers when another email server tries to make a connection, both to authenticate that the sending server is authorized to send emails for the sender and to look for other information relevant to emails.

There are 3 main entries in your DNS records that a recipient’s mail server will look for:

SPF (Sender Policy Framework)

The first thing it will do is look to see if the IP address of the sending server is authorized to send for the sender’s domain. This is called an SPF lookup and is typically done as soon as the sending server tries to make a connection. If there is no entry or no match for the sending server’s IP address, then the recipient server may simply drop the connection before the email can be delivered. If it does accept the connection and there is no IP address match, the email will either end up in SPAM, be put into quarantine or simply be deleted by the recipient’s mail server.

DMARC (Domain-based Message Authentication and Conformance)

A DMARC record has lots of information on what to do if the recipient’s server finds anything that is suspect. This includes a “Policy”, which typically ranges from “none” for don’t worry about it, to “reject” for do not accept anything which is suspect. It can also provide an email address to report any suspect activity to, so the sender can be alerted to any suspect use of its domain.

One of the other things DMARC does is look at the email addresses in an email, and those used by the sender’s server for reporting, and make sure that they all match. The initial implementation of DMARC only looked at some of the email addresses, but later implementations look at ALL email addresses, including those listed in the “From” field which should be just a name and NOT include an email address. This latter check is to stop people using the “Spoofing” technique which hackers exploited to try and convince you that the email was from someone you know when in fact it clearly isn’t.

It should be noted that the DMARC check will occur AFTER the connection between the sending and receiving email servers has been dropped.  Thus, you may well get a delivery report saying the email was delivered, but the recipient may never see it.

DKIM (Domain Key Identified Mail)

You can effectively “sign” your emails with a “Key”. This will be done by your mail server. You can then list this key in your DNS settings. If a recipient’s server uses DKIM, then it will see your key and then go to check that it is valid by looking for a DKIM entry in your DNS and making sure that it matches. If there is no match, the email will not get delivered or will end up in SPAM.
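
The three lookups described above, as an added example that is not part of the original page: a small Python check that evaluates SPF, DMARC and DKIM TXT records the way a receiving server would read them. The records, the placeholder domain example.com, the selector name selector1 and all function names are assumptions constructed for illustration; SPF mechanisms that need further DNS lookups (include, a, mx) are skipped.

```python
import ipaddress

# Constructed sample TXT records for the placeholder domain example.com
# (documentation IP ranges and a dummy key; not taken from the page).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY==",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, selector, sender_ip, txt=SAMPLE_TXT):
    """Summarise what a receiver learns from the three DNS entries."""
    dmarc = parse_tags(txt.get(f"_dmarc.{domain}", ""))
    dkim = parse_tags(txt.get(f"{selector}._domainkey.{domain}", ""))
    has_dmarc = dmarc.get("v") == "DMARC1"
    return {
        "spf": spf_check(txt.get(domain, ""), sender_ip),
        "dmarc_policy": dmarc.get("p", "missing") if has_dmarc else "missing",
        "dmarc_reports": dmarc.get("rua", "") if has_dmarc else "",
        "dkim_key_published": dkim.get("v") == "DKIM1" and bool(dkim.get("p")),
    }

if __name__ == "__main__":
    print(audit("example.com", "selector1", "192.0.2.10"))
    print(audit("example.com", "selector1", "203.0.113.7"))
```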


As you can see, it is important to make sure that your IT department has all the correct settings in your DNS.  It is also important that you do not use any third-party email service that uses the “Spoofing” technique as this will drastically reduce your chances of emails getting into people’s inboxes.  Set it up right once and reap the rewards.


