In both cases, reliability of delivery is very important.

Technical measures

Set an SPF entry in your DNS

Introduction to SPF

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails.

SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

The example below illustrates this SPF information in the header of an email from a fictive institution "mosamuseum":


Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>
Received: from mail.mosamuseum.com ([192.28.148.112])
  by mailgateway.xxx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jun 2019 22:49:42 +0200

...
Received-SPF: Pass (mailgateway.xxx.com: domain of
  postmaster@mosamuseum.com designates 192.28.148.112 as
  permitted sender) identity=xxx; client-ip=192.28.148.112;
  receiver=mailgateway.xxx.com;
  envelope-from="307-QLA-991.0.109448.0.0.25078.9.15158552-23-364@mail.mosamuseum.com";
  x-sender="postmaster@mosamuseum.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1";
  x-record-text="v=spf1 a -all"


Subject: Here is a message from SecuTix infrastructure, with a SPF record authorized by mosamuseum.com

...


In this example, the host that the SPF record authorizes to send emails on behalf of mosamuseum.com is:


Name: mailgateway.xxx.com

Address: 192.28.148.112

SPF - Procedure to follow

  • SecuTix provides the list of authorized servers used to send emails on behalf of the institution "mosamuseum" (the content of its SPF record)
  • The mosamuseum institution publishes a corresponding SPF record in its DNS
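The following example, added here and not part of SecuTix's documentation or software, parses the Received-SPF header from the example above and then re-evaluates the published record ("v=spf1 a -all") for the recorded client IP with a small SPF evaluator. DNS is replaced by a constructed in-memory table (the A record of mosamuseum.com and the partner.example record are assumptions made for the example), so it runs offline; it also goes a little beyond the page by handling the ip4 and include mechanisms and the softfail/neutral qualifiers a receiver commonly meets.

```python
import ipaddress
import re

# Received-SPF header value from the page's example, unfolded onto one line.
RECEIVED_SPF = (
    "Pass (mailgateway.xxx.com: domain of postmaster@mosamuseum.com designates "
    "192.28.148.112 as permitted sender) identity=xxx; client-ip=192.28.148.112; "
    "receiver=mailgateway.xxx.com; x-sender=\"postmaster@mosamuseum.com\"; "
    "x-conformance=sidf_compatible; x-record-type=\"v=spf1\"; x-record-text=\"v=spf1 a -all\""
)

# Constructed DNS data (an assumption for the example, not real records).
# mosamuseum.com publishes exactly the record shown on the page: "v=spf1 a -all".
DNS = {
    ("mosamuseum.com", "TXT"): ["v=spf1 a -all"],
    ("mosamuseum.com", "A"): ["192.28.148.112"],
    ("partner.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:mosamuseum.com ~all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received_spf(value):
    """Split a Received-SPF value into (result, fields); quoted values are unquoted."""
    result = value.split(" ", 1)[0].lower()
    pairs = re.findall(r'([\w-]+)=("[^"]*"|[^;\s]+)', value)
    return result, {k: v.strip('"') for k, v in pairs}


def check_spf(domain, client_ip, dns, depth=0):
    """Toy SPF evaluator covering the a, ip4, include and all mechanisms."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms
        return "permerror"
    records = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # several SPF records is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":               # the domain's own A record(s)
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in dns.get((target, "A"), []))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not implemented in this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no term matched and no "all" present


def recheck_header(value, dns):
    """Recompute the SPF verdict for the client IP the gateway recorded."""
    result, fields = parse_received_spf(value)
    domain = fields["x-sender"].split("@", 1)[1]
    return result, check_spf(domain, fields["client-ip"], dns), fields["x-record-text"]


if __name__ == "__main__":
    print(recheck_header(RECEIVED_SPF, DNS))
```

With the record "v=spf1 a -all", only the IP in the domain's own A record passes; any other source fails hard, which is why the list of sending servers provided by SecuTix must be complete before such a strict record is published.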

Set up DKIM

Introduction to DKIM

SecuTix, acting as a software-as-a-service (SaaS) provider, allows you to define DomainKeys Identified Mail (DKIM) signing for sent emails. This requires coordination with SecuTix to set up the corresponding DNS records.
The example below illustrates this DKIM configuration with the header of an email from a fictive institution "mosamuseum":


Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>
...
DKIM-Signature: d=mosamuseum.com; i=@mosamuseum.com; a=rsa-sha256; s=sel1-mosa._domainkey.dkim.secutix.com
    ...
    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;
    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH
    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J
    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=

    ...

Authentication-Results: ... dkim=pass (signature verified) header.i=@mosamuseum.com ...


Subject: Here is a message from SecuTix infrastructure, but with a DKIM signature authorized by mosamuseum.com

...


In this example, the DKIM signature included in the header of the email is:

    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;
    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH
    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J
    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=

Any system receiving the email can verify the authenticity of the issuer by checking the signature included in the message against the claimed issuer (the "From" header of the message): in the example, the two values (the signing domain in the DKIM signature and the domain of the "From" address) must match. The recipient system performs this check by looking up the sender's public key published in the DNS. A valid signature also guarantees that the parts of the email covered by the signature (possibly including attachments) have not been modified since the signature was affixed.

For further reading, please refer to https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
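The example below is added here and is not SecuTix code. It shows two of the checks a receiving system performs on the headers above: it parses the DKIM-Signature tag list, confirms that the signing domain (d=) matches the "From" domain, and recomputes the body hash (bh=) with the "simple" body canonicalization of RFC 6376 on a constructed message body. Verifying the b= value itself requires the RSA public key from DNS and is not shown; the message bodies and the "other.example" address are constructed for the example.

```python
import base64
import hashlib
import re

# Header values from the page's example, unfolded; the b= value is cut short here.
FROM_HEADER = "Mosa Museum <xxx@mosamuseum.com>"
DKIM_SIGNATURE = (
    "d=mosamuseum.com; i=@mosamuseum.com; a=rsa-sha256; "
    "s=sel1-mosa._domainkey.dkim.secutix.com; "
    "bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=; "
    "b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH..."
)


def parse_dkim_tags(value):
    """DKIM-Signature is a ';'-separated tag=value list (RFC 6376); folding
    whitespace inside values is not significant, so it is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def from_domain(header):
    """Domain of the address in a From header ("Name <user@domain>" or bare)."""
    match = re.search(r"<([^>]+)>", header)
    address = match.group(1) if match else header.strip()
    return address.rsplit("@", 1)[1].lower()


def signer_aligned(tags, from_header):
    """The two values the receiver compares: signing domain d= must equal the
    From domain, and the i= identity must be in d= or a subdomain of it."""
    d = tags["d"].lower()
    identity_domain = tags.get("i", "@" + d).lower().rsplit("@", 1)[1]
    return d == from_domain(from_header) and (identity_domain == d or identity_domain.endswith("." + d))


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    return text if text.endswith("\r\n") else text + "\r\n"


def body_hash(body, algorithm="sha256"):
    """bh= is the base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, simple_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(tags, body):
    """Part of verification: any change to the body changes bh=, so the check fails."""
    algorithm = tags["a"].split("-", 1)[1]      # "rsa-sha256" -> "sha256"
    return body_hash(body, algorithm) == tags["bh"]


if __name__ == "__main__":
    tags = parse_dkim_tags(DKIM_SIGNATURE)
    print("signer aligned with From:", signer_aligned(tags, FROM_HEADER))
    print("bh for a constructed body:", body_hash("Hello from the constructed example\n"))
```

The canonicalization step matters in practice: a relay that appends or strips trailing blank lines does not break the signature, while any change to the text itself does.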

DKIM - Procedure to follow

  • The customer opens a service support request in order to enable signing of outgoing emails
  • SecuTix provides a DKIM public key to the institution mosamuseum
  • The mosamuseum institution publishes this DKIM public key in its DNS records
    • The customer must create 2 DNS records in their zone (CNAMEs pointing to the SecuTix zone, which enables updates of the keys):

stxsel1._domainkey.mosamuseum.com.  IN CNAME sel1-mosa._domainkey.dkim.secutix.com.

stxsel2._domainkey.mosamuseum.com.  IN CNAME sel2-mosa._domainkey.dkim.secutix.com.

    !!! Be careful to replace "mosamuseum" with the institution code. If in any doubt, please open a support request for confirmation.

  • SecuTix signs all emails sent with the DKIM private key (corresponding to the public key sent to the institution mosamuseum). This signature is included in the header of the email.
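As an added example (not part of the SecuTix procedure or tooling), the script below checks the outcome of the steps above for a customer domain: both selector names must have a CNAME into the SecuTix DKIM zone, and following that CNAME must reach a TXT record that looks like a DKIM key (v=DKIM1 with a non-empty p=). Live DNS is replaced by a constructed in-memory zone so it runs offline; the p= values are placeholders and the half-configured "otherinst.example" domain is invented to show what a failed check reports.

```python
# Constructed zone data for the example (an assumption, not live DNS); the p=
# value is a placeholder, not a real key.
ZONE = {
    ("stxsel1._domainkey.mosamuseum.com.", "CNAME"): "sel1-mosa._domainkey.dkim.secutix.com.",
    ("stxsel2._domainkey.mosamuseum.com.", "CNAME"): "sel2-mosa._domainkey.dkim.secutix.com.",
    ("sel1-mosa._domainkey.dkim.secutix.com.", "TXT"): "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    ("sel2-mosa._domainkey.dkim.secutix.com.", "TXT"): "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    # A half-finished setup: only the first CNAME exists and its target has no key yet.
    ("stxsel1._domainkey.otherinst.example.", "CNAME"): "sel1-other._domainkey.dkim.secutix.com.",
}

SELECTOR_NAMES = ("stxsel1", "stxsel2")
PROVIDER_SUFFIX = "._domainkey.dkim.secutix.com."


def parse_tags(txt):
    """Tiny tag=value parser for a DKIM key record."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)


def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs the way a resolver does and return (final_name, txt_or_None)."""
    for _ in range(max_hops):
        if (name, "TXT") in zone:
            return name, zone[(name, "TXT")]
        target = zone.get((name, "CNAME"))
        if target is None:
            return name, None
        name = target
    return name, None               # CNAME loop or chain too long


def check_dkim_delegation(domain, zone):
    """Report, per selector, whether the CNAME points into the provider's zone
    and whether a DKIM key record is reachable through it."""
    report = {}
    for selector in SELECTOR_NAMES:
        name = f"{selector}._domainkey.{domain}."
        target = zone.get((name, "CNAME"))
        _, txt = resolve_txt(name, zone)
        tags = parse_tags(txt) if txt else {}
        report[selector] = {
            "cname": target,
            "delegated_to_provider": target is not None and target.endswith(PROVIDER_SUFFIX),
            "key_published": tags.get("v") == "DKIM1" and bool(tags.get("p")),
        }
    return report


def delegation_ok(domain, zone):
    """True only when both selectors are delegated and both resolve to a key."""
    return all(r["delegated_to_provider"] and r["key_published"]
               for r in check_dkim_delegation(domain, zone).values())


if __name__ == "__main__":
    for domain in ("mosamuseum.com", "otherinst.example"):
        print(domain, delegation_ok(domain, ZONE), check_dkim_delegation(domain, ZONE))
```

Against real DNS the same two lookups are `dig +short CNAME stxsel1._domainkey.<your-domain>` followed by `dig +short TXT` on the name it returns; both selectors must be checked, since SecuTix may sign with either one after a key update.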