...

Technical details



Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>
Received: from mail.mosamuseum.com ([192.28.148.112])
  by mailgw1.xxx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jun 2019 22:49:42 +0200

...
Received-SPF: Pass (mailgw1.xxx.com: domain of
  postmaster@mosamuseum.com designates 192.28.148.112 as
  permitted sender) identity=xxx; client-ip=192.28.148.112;
  receiver=mailgw1.xxx.com;
  envelope-from="307-QLA-991.0.109448.0.0.25078.9.15158552-23-364@mail.mosamuseum.com";
  x-sender="postmaster@mosamuseum.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1";
  x-record-text="v=spf1 a -all"


Subject: Here is a message from SecuTix SECUTIX infrastructure, with a SPF record authorized by mosamuseum.com

...


...

SPF - Procedure to follow

  • SECUTIX provides a list of authorized servers used to send emails on behalf of the institution mosamuseum
  • The mosamuseum institution publishes a corresponding SPF record in its DNS
    • create an SPF record:

...

Setup DKIM

Introduction to DKIM

...


Date: Wed, 26 Jun 2019 15:49:40 -0500 (CDT)
From: Mosa Museum <xxx@mosamuseum.com>
...
DKIM-Signature: d=mosamuseum.com; i=@mosamuseum.com; a=rsa-sha256; s=sel1-mosa._domainkey.dkim.secutix.com
    ...
    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;
    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH
    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J
    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=

    ...

Authentication-Results: ... dkim=pass (signature verified) header.i=@mosamuseum.com ...


Subject: Here is a message from SecuTix SECUTIX infrastructure, but with a DKIM signature authorized by mosamuseum.com

In this example, the DKIM signature included in the header of the email is:


    bh=WTjrH3YovAOLmv02UPKrOs1RP8f44D+rDd/nVHKRB9s=;
    b=dYPEA8XsfrF9fFZzkHsj59zo7XnJkR2uXJ7QEvg6oWLmZJpzNfZe7DbLpK5PKhEH
    SS7wPy4xfGai2MYvlk/DmSfNjoCo/Hgbnv1hpY034ELNKtWQu9m0xGoBsMLof3cDu8J
    JV70p/IYLswI/4chWS9J3y6tVCj9r9Zi1xCwKhsw=


...

For further reading, please refer to https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

DKIM -

...

Procedure to follow

  • The customer opens a service support request in order to enable signature of outgoing emails
  • SECUTIX generates a pair of DKIM public/private keys for two given selectors
  • The mosamuseum institution adds the two following DNS records in its zone (to enable key rotation)

    stxsel1._domainkey.mosamuseum.com.  IN CNAME sel1-mosa._domainkey.dkim.secutix.com.

    stxsel2._domainkey.mosamuseum.com.  IN CNAME sel2-mosa._domainkey.dkim.secutix.com.

    !!! Be careful to change:

    the domain name "mosamuseum.com" to the domain name defined in Sales Channels (Parameters => Sender email)

    the institution code "mosa" to your institution code

  • SECUTIX signs all emails sent with the DKIM private key. This signature is included in the header of the email.

Setup MX

See https://abnormalsecurity.com/glossary/mx-record, which includes "if you want to successfully deliver emails, you need an MX record".

Setup DMARC

Introduction to DMARC

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. Source: https://dmarc.org/.

DMARC - Procedure to follow

Due to recent changes to email handling by Google and Yahoo for anyone sending more than 5,000 emails daily, you should ensure that you have a DMARC record in your DNS settings.

If you don't know anything about DMARC, then we recommend you add the following DNS record:

Please check afterwards with https://mxtoolbox.com/dmarc.aspx: it shouldn't include any errors (i.e. anything flagged with Status Problem). Please also read https://support.google.com/a/answer/10032473 to progressively improve your DMARC record.
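As an added example (not SecuTix documentation or code), a small Python checker that verifies the three records this page asks the institution to publish: the SPF TXT, the two stxsel CNAMEs delegating DKIM to SecuTix, and the _dmarc TXT. The zone data is constructed inline so it runs offline; a real check would replace the dict with DNS lookups, and the sel<N>-<code>._domainkey.dkim.secutix.com target pattern is assumed from the CNAME lines in the DKIM procedure above.

```python
import re

# Constructed sample zone: name -> (record type, value). The CNAME targets
# follow the sel<N>-<institution code>._domainkey.dkim.secutix.com pattern
# shown in the DKIM procedure; values are examples, not real DNS data.
SAMPLE_ZONE = {
    "mosamuseum.com": ("TXT", "v=spf1 a -all"),
    "stxsel1._domainkey.mosamuseum.com": ("CNAME", "sel1-mosa._domainkey.dkim.secutix.com."),
    "stxsel2._domainkey.mosamuseum.com": ("CNAME", "sel2-mosa._domainkey.dkim.secutix.com."),
    "_dmarc.mosamuseum.com": ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@mosamuseum.com"),
}

def _lookup(zone, name, rtype):
    """Return the value of `name` if it exists with the expected type, else None."""
    rec = zone.get(name.rstrip("."))
    return rec[1] if rec and rec[0] == rtype else None

def check_spf(zone, domain):
    """SPF: a TXT starting with v=spf1 whose last mechanism is -all or ~all."""
    txt = _lookup(zone, domain, "TXT")
    if txt is None or not txt.lower().startswith("v=spf1"):
        return [f"{domain}: no SPF TXT record (expected 'v=spf1 ...')"]
    terms = txt.split()
    if terms[-1] not in ("-all", "~all"):
        return [f"{domain}: SPF must end with -all or ~all, found '{terms[-1]}'"]
    return []

def check_dkim(zone, domain, code):
    """DKIM: both stxsel<N> selectors must be CNAMEs to the SecuTix-hosted keys."""
    problems = []
    for n in (1, 2):
        name = f"stxsel{n}._domainkey.{domain}"
        expected = f"sel{n}-{code}._domainkey.dkim.secutix.com"
        target = _lookup(zone, name, "CNAME")
        if target is None or target.rstrip(".").lower() != expected:
            problems.append(f"{name}: expected CNAME to {expected}., found {target!r}")
    return problems

def check_dmarc(zone, domain):
    """DMARC: _dmarc TXT starting with v=DMARC1 and carrying a valid p= policy."""
    txt = _lookup(zone, f"_dmarc.{domain}", "TXT")
    if txt is None or not txt.startswith("v=DMARC1"):
        return [f"_dmarc.{domain}: no DMARC record (expected 'v=DMARC1; p=...')"]
    m = re.search(r"(?:^|;)\s*p\s*=\s*(none|quarantine|reject)\b", txt)
    return [] if m else [f"_dmarc.{domain}: missing or invalid p= tag"]

def audit(zone, domain, code):
    """Run all three checks; an empty list means the zone matches the procedure."""
    return check_spf(zone, domain) + check_dkim(zone, domain, code) + check_dmarc(zone, domain)
```

Running `audit(SAMPLE_ZONE, "mosamuseum.com", "mosa")` on the sample zone returns an empty list; a selector pointing at another institution's key or a DMARC record without `p=` each produce one problem line.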