Excalibur's Sheath

Guide to DNS Records That Help Secure an E-Mail Server

Sep 26, 2024 • linux,server,dns,networking,e-mail

E-mail servers rely on various DNS records to ensure proper function, security, and deliverability. Configuring these records correctly can protect your domain from spoofing, phishing, and unauthorized use, improve e-mail deliverability, and protect your reputation. This article provides an in-depth explanation of the DNS records which are crucial for e-mail server operations and security, including newer standards like BIMI and MTA-STS.

I will discuss the following DNS Record Types:

  • MX
  • A and AAAA
  • PTR
  • CNAME
  • TXT
    • SPF
    • DKIM
    • DMARC
    • MTA-STS
    • TLS-RPT
    • BIMI

MX Records

MX records are the primary records for e-mail services. They specify which servers can receive e-mail for a domain. Each MX record has a priority value, which indicates the order in which mail servers should be used if multiple servers are listed.

Key Considerations

  • Priority Value: Lower numerical values have higher priority. When running multiple servers, give the primary e-mail server the lowest value and increment the priority value for each backup server listed. For example, you could set the priority of the main server to 10 and increment by 5 for each additional server.
  • Redundancy: Including multiple MX records for multiple e-mail servers keeps e-mail deliverable even if the main e-mail server is unavailable.
  • Target Domain: The target of an MX record should be a domain name which resolves to an IP address, not an IP address directly.

A and AAAA Records

A records map a domain name to an IPv4 address, and AAAA records map a domain name to an IPv6 address. For e-mail, these records are needed because they resolve the hostnames specified in the MX records to IP addresses.

Key Considerations

  • Consistency: Ensure the A and AAAA records correctly point to the IP addresses of your mail servers.
  • Reverse DNS Compatibility: The IP address of your mail server should have a corresponding PTR record that resolves back to the domain name.

PTR (Pointer) Record

PTR records are used for reverse DNS lookups, mapping an IP address back to a domain name. It is not recommended to have more than one PTR record per server, even if your server hosts more than one domain. The reason for this is that the PTR record is used to find the canonical hostname of the server. An example of a canonical hostname is hostname.example.com. The address is also stored differently: it is stored in reverse, with .in-addr.arpa appended. An example PTR record for the address 127.0.0.1 and the hostname hostname.example.org would look like this:

1.0.0.127.in-addr.arpa. IN PTR hostname.example.org.

Key Considerations

  • Consistency with A and AAAA Records: Ensure the PTR record points back to the domain which has the corresponding A or AAAA record.
  • ISP Configuration: Since PTR records are typically controlled by the ISP, coordinate with them to ensure correct setup.
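The reversal described above, and the forward/reverse consistency check from the considerations, as an added example (not code from the original post): it builds the PTR owner name for IPv4 and IPv6 addresses and runs a forward-confirmed reverse DNS check against a constructed, in-memory record set instead of live DNS. The hostnames and addresses are assumptions for the example.

```python
import ipaddress

# Constructed example data for this article's scenario (no live DNS queries):
# assumed mail host mail.example.org at 192.0.2.25 and 2001:db8::25.
FORWARD = {                     # A / AAAA records
    "mail.example.org.": {"192.0.2.25", "2001:db8::25"},
    "www.example.org.": {"192.0.2.80"},
}
REVERSE = {                     # PTR records
    "25.2.0.192.in-addr.arpa.": "mail.example.org.",
    "5.2." + "0." * 22 + "8.b.d.0.1.0.0.2.ip6.arpa.": "mail.example.org.",
    "80.2.0.192.in-addr.arpa.": "www.example.org.",   # PTR names the web host, not the MX
    "99.2.0.192.in-addr.arpa.": "mail.example.org.",  # stale PTR: no matching A record
}

def reverse_name(ip: str) -> str:
    """Build the PTR owner name the way the article describes: IPv4 octets
    reversed under in-addr.arpa; IPv6 hex nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")   # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def fcrdns_check(ip: str, expected_host: str) -> tuple:
    """Forward-confirmed reverse DNS: the PTR for ip must name expected_host and
    that host's A/AAAA records must contain ip. Returns (ok, reason)."""
    ip = str(ipaddress.ip_address(ip))     # canonical form, e.g. 2001:db8::25
    ptr = REVERSE.get(reverse_name(ip))
    if ptr is None:
        return False, "no PTR record"
    if ptr != expected_host:
        return False, f"PTR names {ptr}, not {expected_host}"
    if ip not in FORWARD.get(ptr, set()):
        return False, f"{ptr} has no A/AAAA record for {ip}"
    return True, "forward and reverse records agree"
```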

CNAME (Canonical Name) Record

CNAME records alias one domain name to another. In e-mail systems, CNAME records are often used for custom tracking or bounce domains.

Key Considerations

  • Alias Configuration: Use CNAME records to alias subdomains for specific purposes, like tracking links or managing bounce e-mails.
  • Avoid Conflicts: Ensure CNAME records do not conflict with existing MX or other DNS records for the domain.

The following record types all use the TXT DNS record. I will split them into two categories. The first category is proven, mature, and useful: SPF, DKIM, and DMARC. The second category is new and evolving: MTA-STS, TLS-RPT, and BIMI.

SPF (Sender Policy Framework) Record

SPF is a TXT record that helps prevent unauthorized senders from sending e-mail on behalf of your domain. It specifies which IP addresses or hosts are permitted to send e-mail for the domain.

Key Considerations

  • Authorized Senders: List all IP addresses and domains which are authorized to send e-mail on behalf of your domain, including any third-party services.
  • Mechanism Use: Common mechanisms:
    • ip4 and ip6 for IP addresses and ranges
    • include for the SPF records of other domains, such as third-party senders
    • ~all or -all at the end to specify a soft or hard fail for senders not listed
  • Proper Syntax: Incorrect SPF syntax can result in validation errors, leading to mail delivery issues.
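An added example (not code from the original post) of the syntax and mechanism checks described above: it parses an SPF TXT record offline, flags the problems a deliverability review would catch, and also counts the DNS-lookup mechanisms against the limit of 10 that RFC 7208 imposes, which goes slightly beyond the list above. The record strings in the comments are constructed.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4):
# a record may trigger at most 10 of them, otherwise receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)

def check_spf(record: str) -> list:
    """Parse an SPF TXT record and return a list of problems (empty means OK).
    Checks the version tag, term syntax, the qualifier on 'all' and the
    DNS-lookup budget; it resolves nothing, so it runs offline."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, sep, value = m.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True                   # redirect= stands in for 'all'
        if sep == "=":
            continue                              # modifiers: redirect=, exp=
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism: {name}")
        elif name in ("ip4", "ip6", "include", "exists") and not value:
            problems.append(f"{name} requires a value")
        elif name == "all":
            all_qualifier = qualifier or "+"      # no qualifier means pass
    if all_qualifier is None and not has_redirect:
        problems.append("no 'all' mechanism: unlisted senders are not failed")
    elif all_qualifier == "+":
        problems.append("+all authorizes every host to send for this domain")
    elif all_qualifier == "?":
        problems.append("?all is neutral; use ~all (soft fail) or -all (hard fail)")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems
```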

DKIM (DomainKeys Identified Mail) Record

DKIM uses cryptographic signatures to verify the authenticity of e-mails. It involves publishing a public key as a DNS TXT record and adding a digital signature to each outgoing e-mail.

Key Considerations

  • Public Key Setup: Publish the DKIM public key in a TXT record under a subdomain like selector._domainkey.example.org.
  • Selector Management: You can rotate DKIM selectors periodically to maintain security. The selector used in the DKIM signature must match the one published in DNS.
  • Signature Alignment: Ensure the domain (d=) and selector (s=) fields in the DKIM signature match your domain and DNS record.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) Record

DMARC builds on SPF and DKIM to provide instructions on how e-mail providers should handle e-mails that fail authentication checks. It also enables reporting on potential abuse of your domains.

Key Considerations

  • Policy Definition: The p= tag specifies the action for e-mails which fail DMARC checks. Possible values are:
    • none (monitor only)
    • quarantine (send to spam)
    • reject (refuse delivery)
  • Alignment Requirements: Use the adkim and aspf (DKIM and SPF alignment) tags to enforce strict or relaxed alignment between the domain in the From header and the domains in the DKIM signature and SPF check.
  • Reporting: Use rua for aggregate reports and ruf for forensic (failure) reports. These reports help you monitor e-mail traffic and identify unauthorized activity.
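To make the alignment and policy rules concrete, here is an added example (not code from the original post) that parses a DMARC record and decides the disposition of one message from the From-header domain and the domains SPF and DKIM authenticated. It simplifies the organizational domain to the last two labels, an assumption for the example; a real evaluator uses the Public Suffix List.

```python
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a tag dictionary, filling in the relaxed-alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    tags.setdefault("adkim", "r")   # both alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(name: str) -> str:
    """Organizational domain, simplified here to the last two labels (an
    assumption for this example; real evaluators consult the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From
    header domain, relaxed ('r') only needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str, spf_domain: Optional[str],
                      dkim_domain: Optional[str]) -> str:
    """Outcome for one message. spf_domain is the MAIL FROM domain SPF passed for,
    dkim_domain the d= of a DKIM signature that verified; None means that check
    failed. Returns 'pass' or the p= action the receiver should apply."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```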

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS is a policy that enforces the use of TLS (Transport Layer Security) for e-mail transmission to your domain. This ensures that e-mails sent to your domain are encrypted in transit and protected from eavesdropping or tampering.

Key Considerations

  • Policy Setup: Publish the MTA-STS policy file on a secure web server at https://mta-sts.example.org/.well-known/mta-sts.txt.
  • DNS Record: Add an MTA-STS TXT record at _mta-sts.example.org with parameters like v=STSv1; id=1234567890;. The id should be changed whenever the mta-sts.txt file is updated, since receivers use it to detect a new policy.
  • Policy Modes: Use either enforce to require TLS or testing to monitor without enforcement. The mode is specified in the mta-sts.txt file.
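An added example (not code from the original post) tying the three considerations together: it parses a constructed mta-sts.txt, validates the version, mode, mx and max_age fields, checks whether an MX hostname is covered by the policy's mx patterns (including the one-label wildcard), and derives the TXT record id from the policy contents so it changes whenever the file does. The hostnames are assumptions.

```python
import hashlib

# Constructed policy text as it would be served from
# https://mta-sts.example.org/.well-known/mta-sts.txt (assumed hostnames).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup-mx.example.org
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse the key: value lines of an MTA-STS policy into a dict; 'mx' is
    collected into a list because it may repeat. Raises ValueError when a
    required field is missing or the mode is unknown."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"] or not policy.get("max_age", "").isdigit():
        raise ValueError("policy needs at least one mx line and a numeric max_age")
    return policy

def mx_matches(policy: dict, mx_host: str) -> bool:
    """True if an MX hostname matches one of the policy's mx patterns. A pattern
    starting with '*.' matches exactly one leading label (RFC 8461 section 4.1)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def sts_dns_record(policy_text: str) -> str:
    """The _mta-sts TXT record. Deriving id from the policy bytes makes it change
    whenever the file changes (one reasonable choice; a timestamp also works)."""
    policy_id = hashlib.sha256(policy_text.encode()).hexdigest()[:16]
    return f"v=STSv1; id={policy_id}"
```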

TLS-RPT (TLS reporting)

TLS-RPT works alongside MTA-STS to provide reports on mail delivery issues related to TLS encryption. It helps identify potential problems with secure e-mail transmission.

Key Considerations

  • DNS Record: Create a TXT record at _smtp._tls.example.org specifying the rua (reporting URI) for receiving JSON-formatted reports about e-mail encryption and delivery issues.
  • Report Analysis: Regularly review the reports to identify and address issues with e-mail encryption and delivery.

BIMI (Brand Indicators for Message Identification)

BIMI allows e-mail senders to display their brand logo alongside authenticated e-mails. This enhances brand visibility and provides a visual trust signal for recipients.

Key Considerations

  • SVG Logo File: Prepare a BIMI-compliant SVG file of your logo and host it on a secure (HTTPS) server.
  • DNS Record: Add a TXT record at default._bimi.example.org with a value like v=BIMI1; l=https://example.org/bimi-logo.svg;.
  • VMC Certification: BIMI was created to be used with trademarked logos. Some e-mail providers require a VMC (Verified Mark Certificate), which has to be obtained from a trusted source, like an SSL certificate. The trusted source will require proof of trademark from certain countries' trademark offices.

Conclusion

Properly configuring DNS records is critical for the security, deliverability, and reputation of your e-mail server. From fundamental records (MX, A, AAAA, CNAME), to established standards (SPF, DKIM, DMARC), to advanced standards (MTA-STS, TLS-RPT, BIMI), each record plays a unique role in the e-mail ecosystem. Understanding and maintaining these records is essential for protecting your domain from unauthorized use. This ensures secure e-mail transmission and builds trust with your recipients. Regularly reviewing and updating your DNS configuration will help keep your server up to date with evolving security standards and best practices.