SecuTix sends either technical (transaction ...) emails or "marketing" emails via SAM.

In both cases, reliability of delivery is very important.

Technical measures

Set an SPF entry in your DNS

Introduction to SPF

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails.

SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

The example below illustrates this SPF information in the header of an email from a fictive institution mosamuseum:

In this example, the SPF record which is authorized to sent emails on behalf of mosamuseum.com is:

v=spf1 ip4:192.28.148.112 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:mailgateway.xxx.com -all

SPF - Procedure to follow

• SecuTix provides a list of authorized servers used to send emails on behalf of the institution mosamuseum
• The mosamuseum institution publishes a corresponding SPF record in its DNS
  • create a SPF record:

• • Publish it in DNS

1. 1. 1. Open the DNS manager
      2. Log in to your domain account at your domain host provider
      3. Create a new TXT record in the TXT (text) section
      4. Set the Host field to the name of your domain
      5. Fill the TXT Value field with your SPF record (i.e. “v=spf1 ... include: exampledomain.com -all”)
      6. Specify the Time To Live (TTL), enter 3600 or leave the default
      7. Click “Save” or “Add Record” to publish the SPF TXT record into your DNS

Your new SPF record can take up to 48 hours to go into effect. For help adding TXT records, contact your domain administrator.

• Check your SPF record. Several Web sites exist:
  • https://mxtoolbox.com/spf.aspx
  • https://www.dmarcanalyzer.com/fr/spf-4/checker/
  • https://www.kitterman.com/spf/validate.html

Setup DKIM

Introduction to DKIM

SecuTix, acting as software-as-a-service providers (SaaS), allows you to define DomainKeys Identified Mail (DKIM) for sent emails. This requires coordination with SecuTix to set up the corresponding DNS records.
The example below illustrates this DKIM configuration with the header of an email from a fictive institution "mosamuseum":

In this example, the DKIM signature included in the header of the email is:

The recipient system can verify the authenticity by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.

For further reading, please refer to https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

DKIM - procedure to follow

• The customer opens a service support request in order to enable signature of outgoing emails
• SecuTix provides a DKIM public key to the institution mosamuseum
• The mosamuseum institution publishes this DKIM public key in its DNS records
  • The customer must create 2 DNS records in their zone (to enable updates of keys)

stxsel1._domainkey.mosamuseum.com.  IN CNAME sel1-mosa._domainkey.dkim.secutix.com.

stxsel2._domainkey.mosamuseum.com.  IN CNAME sel2-mosa._domainkey.dkim.secutix.com.

!!! Be careful to change "mosamuseum" by the institution code. If any doubt, please open a support request for confirmation

• The mosamuseum institution publishes this DKIM public key in its DNS records

• SecuTix signs all emails sent with the DKIM private key (corresponding to the public key sent to the institution mosamuseum). This signature is included in the header of the email.