Securing your Mail Server
I recently noticed some bounced emails from a domain I managed and upon further inspection found out that someone is sending spam emails using random spoofed email addresses from that domain. At first I thought one of the email accounts was jeopardized but when I saw the bogus from address, I knew it was just spam abuse that would not end well for the true users of the domain. So I set out to find out how to secure the email server to minimize if not eradicate this abuse.
Before going further, I should say that this particular domain is using Site5 for hosting and Google Apps (the free version) for mail and other things. A great combination by the way.
Google already supports some of these features and it has great help on how to set this up, so the toughest thing is to setup your DNS just right. During this investigation and discovery I ran across Unlock The Inbox, which proved to be an absolute gem in teaching me what to do and then helping me verify the settings.
Here is what you need to do:
- Read the Google help on how to setup DKIM (DomainKeys Identified Mail) Signatures. Stop short of the last step to Start authentication, until you have finished all the DNS changes.
- Go to Unlock the Inbox and read about DKIM, DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy Framework) and ADSP (Author Domain Signing Policy). The combination of these will give you a pretty good level of security, although DKIM is the most important, followed by SPF.
- Create your DNS entries. For the sake of argument, assume the domain name is acme.com and remember that this was done on Site5, but Google has instructions for many popular providers.
- Login to you site’s cpanel
- Go to the advanced DNS editor.
- Enter the following four entries:
- Wait for a few hours so DNS propagates
- Go to KLOTH.NET and verify the settings with the Site5 DNS server
- Start authentication.
- As a final step, send an email from your domain to mailtest at unlocktheinbox dot com and you will receive a report on whether things are working or not.
Record Type: TXT Record Name: google._domainkey TTL: 3600 IP Address: v=DKIM1; k=rsa; p=MIGfMA0GCS...
This is the DKIM record. The IP Address above is really the value and you should get it from Google when you generate you domain key. The Record name should be the same regardless of your domain name, just make sure not to end it in a dot, so it appends your domain to it. The end result for the name should be google._domainkey.acme.com.
Record Type: TXT Record Name: acme.com. TTL: 3600 IP Address: v=spf1 include:_spf.google.com ~all
This is the SPF record and not how we put in our domain name and ended it with a dot. The Site5 DNS editor does not allow for @, per Google’s instructions, so this is the only way to get around this.
Record Type: TXT Record Name: _adsp._domainkey TTL: 14400 IP Address: dkim=all;
This is the ADSP record and again the name does not end with a dot so the domain gets appended to it just like our DKIM record.
Record Type: TXT Record Name: _dmarc TTL: 14400 IP Address: v=DMARC1; p=quarantine; adkim=s; aspf=s; \ rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; \ pct=100
This was the trickiest one only because the Site5 DNS editor replaces the @ in the email with your domain name. What I found out is that if I pasted the value just like above, it saved fine, but it would not display right when I tried to edit it. The email addresses are not necessary unless you want to receive a report when emails are spoofed from your domain. Once again, the name here does not end in dot so that the domain will get appended to it and most importantly, the backslashes are just used as line breaks, but are not part of the actual string you need to input.
Domain: google._domainkey.acme.com Server: dns.site5.com Query: TXT (text)
This should return the value you entered above once DNS has been updated. You can repeat the same process for the other entries to make sure as well.
I did this over a period of a few days, first enabling DKIM, then SPF and once those were verified, I then enabled DMARC and ADSP. In any case, once all of this is in place, you should have very little to no email spoofing on your domain, and even if it does, you should get an email with reports so you can followup.
Make sure to read the links provided here so you know exactly what each of the records are doing.
August 20, 2012 at 8:16 am
I included many links to Unlock The Inbox in his article and used it extensively to get everything setup. Definitely recommend.
August 19, 2012 at 2:35 pm
This is very useful information. Not sure if you’d be interested in a wizard type tool for creating dmarc records but I found a pretty good one at http://www.unlocktheinbox.com/dmarcwizard/ that you may want to check out.