Important reminder, if you own a domain name and don't use it for sending email.
-
-
@tychotithonus @Jerry
It will probably work OK with 10 - that's supposed to be a relative number, for when there's more than one MX record and a "main MX / backup MX" disposition is desired.As with line numbers in BASIC, the default is 10 to allow for numbers to be added above and below.
The important part is the null host (single dot).
But I wouldn't want to rely on every other mail server interpreting that correctly. -
@Jerry How in practice can I do this for my site if dynu.com does the dns, and not a dns server I control?
-
Trinity Blair 🥀🔞+ (age in bio or blocked)replied to Jerry Lerman last edited by
@Jerry if you do use your domain for email, is adding these still helpful or unnecessary?
-
Jerry Lermanreplied to Mx Amber Alex (she/it) last edited by
-
Jerry Lermanreplied to Trinity Blair 🥀🔞+ (age in bio or blocked) last edited by
@trinityblair
If you don't have the 3 records, much of your email that you send will go into spam folders because email clients will have reason to be suspicious of your emails since there's no protection, and eventually, you may see people spoofing your domain, if they aren't trying already.I have a few domains and I see attempts weekly to spoof my domains, both with domains I don't use for email, and those that I do. Fortunately, the spoofs fail.
My friend had a spoof attempt on his domain 4 weeks ago.
So, yep. You should have an SPF, DKIM and a DMARC record.
-
@adingbatponder
Can you open a support ticket for help? Or, maybe, they've already done it for you. You can check at https://www.dnsdomainlookup.com/ and pick dns summary from the dropdown.If you see the spf, dkim, and dmarc records, then you're all set.
-
@dec23k @tychotithonus
My DNS provider doesn't allow just a dot. Many don't. But saying nobody is allowed to send emails for me (SPF record) should cover it. -
-
@mirabilos In some records it is, and even required. It means the "root" or no sub domain name.
-
@amyipdev @jernej__s
What I learned is that every single home IP address from every single ISP provider is pre-blacklisted by spamhaus and several others I came across. It's not your ISP's fault. -
@b3lt3r I'm far from an expert, but if your redirect is at the server, and your server adds a ".forward" to the email, and does not alter anything, you should be fine because your SPF and DKIM should pass.
If your redirect is via an email client, or the server doesn't add a .forward, it may alter the email slightly, but in a way sufficient for DKIM to fail because the hash won't match any longer. But, I think in this case, if SPF passes, your email client would still accept it since the original DKIM passed before the forwarding.
It gets really complicated. Suggest you try it.
And this is based on my understanding, which, who knows?
-
@momo
Yep, people have mentioned it. I went back to try it and discovered my ISP does not allow a null MX record to be added. If it can be done, it's great, but an SPF that says nobody can send email should do the trick. If you could do, that's better. -
@esplovago
Yep.If you want to have different rules for subdomains, then the records get much more complicated. but "v=spf1 -all" pertains to the domain and subdomains.
-
Jerry Lermanreplied to Sharon of the Strange Times last edited by
@idoubtit
Mailpoet is a Wordpress plugin? You should still have appropriate SPF, DKIM, and DMARC records.If you gave Mailpoet the right to use your email's SMTP server (is this how it works?) then you're fine because it's using your credentials and SPF will pass as the SMTP server is authorized to send email for your credentials.
-
@leoncowle Thanks, Leon!
-
@mkj
Yeah, it is. But not all ISPs allow a null MX record. Mine doesn't (DreamHost). If you can, it's a nice extra protection. -
@Jerry And if your domain is with Cloudflare they have a tool that can help you set this stuff up really easily - Just a few clicks if not sending emails for example
-
While you are securing your domain, 3 more good ideas:
1. Enable DNSSEC. This will sign the dns query responses to help ensure your DKIM and TLSA can be trusted.
2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.
3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@“ subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).
