Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SecuTix

Table of Contents

SECUTIX sends either technical (transaction ...) emails or "marketing" emails via SAM.

In both cases, reliability of delivery is very important.

Technical measures

...

Set an SPF entry in your DNS

Introduction to SPF

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails.

SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

The example below illustrates this SPF information in the header of an email from a fictive institution mosamuseum:

Expand
titleTechnical details, click to develop...


Info
iconfalse

Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>
Received: from mail.mosamuseum.com ([192.28.148.112])
  by mailgw1.xxx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jun 2019 22:49:42 +0200

...
Received-SPF:

...

> > > Eric to fill in

2) Set up DKIM

...

Pass (mailgw1.xxx.com: domain of
  postmaster@mosamuseum.com designates 192.28.148.112 as
  permitted sender) identity=xxx; client-ip=192.28.148.112;
  receiver=mailgw1.xxx.com;
  envelope-from="307-QLA-991.0.109448.0.0.25078.9.15158552-23-364@mail.mosamuseum.com";
  x-sender="postmaster@mosamuseum.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1";
  x-record-text="v=spf1 a -all"


Subject: Here is a message from SECUTIX infrastructure, with a SPF record authorized by mosamuseum.com

...


In this example, the SPF record which is authorized to sent emails on behalf of mosamuseum.com is:

Info
v=spf1 include:spf.secutix.com ~all

SPF - Procedure to follow

  • SECUTIX provides a list of authorized servers used to send emails on behalf of the institution mosamuseum
  • The mosamuseum institution publishes a corresponding SPF record in its DNS
    • create a SPF record:
    • Publish it in DNS
      1. Open the DNS manager
      2. Log in to your domain account at your domain host provider
      3. Create a new TXT record in the TXT (text) section
      4. Set the Host field to the name of your domain
      5. Fill the TXT Value field with your SPF record (i.e. “v=spf1 include:spf.secutix.com ~all”)
      6. Specify the Time To Live (TTL), enter 3600 or leave the default
      7. Click “Save” or “Add Record” to publish the SPF TXT record into your DNS

Your new SPF record can take up to 48 hours to go into effect. For help adding TXT records, contact your domain administrator.

Setup DKIM

Introduction to DKIM

SECUTIX, acting as software-as-a-service providers (SaaS), allows you to define DomainKeys identified mail Identified Mail (DKIM) for sent emails. This requires coordination with SecuTix SECUTIX to set up the corresponding DNS records.
The example below illustrates this DKIM configuration with the header of an email from a fictive institution "mosamuseum":

Expand


Info
iconfalse
Return-path:<communication@></communication@>Secutix

Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>

From<sender@></sender@>mosamuseum.com>

...
DKIM-

signature: s = s1024; d =mosamuseum.com
Subject: here is a message from SecuTix

Signature: d=mosamuseum.com; i=@mosamuseum.com; a=rsa-sha256; s=sel1-mosa._domainkey.dkim.secutix.com
    ...
    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;
    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH
    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J
    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=

    ...

Authentication-Results: ... dkim=pass (signature verified) header.i=@mosamuseum.com ...


Subject: Here is a message from SECUTIX infrastructure, but with a DKIM signature authorized by mosamuseum.com

In this example, the DKIM signature included in the header of the email is:

Info
iconfalse

    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;

    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH

    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J

...

    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=


The recipient system can verify the authenticity by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.

For further reading, please refer to https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

DKIM - Procedure to follow

...

  • The mosamuseum institution add the two following DNS records in their zone (to enable updates of keys)

    stxsel1._domainkey.mosamuseum.com.  IN CNAME sel1-mosa._domainkey.dkim.secutix.com.

    stxsel2._domainkey.mosamuseum.com.  IN CNAME sel2-mosa._domainkey.dkim.secutix.com.

    !!! Be careful to change:

    domain name "mosamuseum.com" with the domain name which is defined in Sales Channels (Parameters => Sender email)

    institution code "mosa" with the institution code

  • The customer opens a service support request in order to enable signature of outgoing emails
  • SECUTIX generates a pair of DKIM public/private key for two given selectors
  • SECUTIX signs all emails sent with the DKIM private key

    (corresponding to the public key sent to the institution "mosamuseum")

    . This signature is included in the header of the email.

All systems receiving emails can perform a verification of the authenticity of the issuer by verifying the signature included in the message against who claims to be the issuer ("from" clause of the message). In the example below the two values must match:

3) use a sender email address that can really receive emails.

4) SecuTix ensures that the IP addresses used to send the emails are separated between transactional emails and marketing emails, and in both cases, IPs are "clean"

Setup MX

See https://abnormalsecurity.com/glossary/mx-record, which includes "if you want to successfully deliver emails, you need an MX record".

Setup DMARC

Introduction to DMARC

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. Source: https://dmarc.org/.

DMARC - Procedure to follow

Due to recent changes to email handling by Google and Yahoo for anyone sending more than 5,000 emails daily, you should ensure that you have a DMARC record in your DNS settings.

If you don't know anything about DMARC, then we recommend you add the following DNS record:

Please check afterwards with https://mxtoolbox.com/dmarc.aspx: it shouldn't include any errors (i.e. anything flagged with Status ProblemImage Added). Please also read https://support.google.com/a/answer/10032473 to progressively improve your DMARC record.