Important reminder, if you own a domain name and don't use it for sending email.
-
@mirabilos In some records it is, and even required. It means the "root" or no sub domain name.
-
@amyipdev @jernej__s
What I learned is that every single home IP address from every single ISP provider is pre-blacklisted by spamhaus and several others I came across. It's not your ISP's fault. -
@b3lt3r I'm far from an expert, but if your redirect is at the server, and your server adds a ".forward" to the email, and does not alter anything, you should be fine because your SPF and DKIM should pass.
If your redirect is via an email client, or the server doesn't add a .forward, it may alter the email slightly, but in a way sufficient for DKIM to fail because the hash won't match any longer. But, I think in this case, if SPF passes, your email client would still accept it since the original DKIM passed before the forwarding.
It gets really complicated. Suggest you try it.
And this is based on my understanding, which, who knows?
-
@momo
Yep, people have mentioned it. I went back to try it and discovered my ISP does not allow a null MX record to be added. If it can be done, it's great, but an SPF that says nobody can send email should do the trick. If you could do, that's better. -
@esplovago
Yep.If you want to have different rules for subdomains, then the records get much more complicated. but "v=spf1 -all" pertains to the domain and subdomains.
-
Jerry Lermanreplied to Sharon of the Strange Times last edited by
@idoubtit
Mailpoet is a Wordpress plugin? You should still have appropriate SPF, DKIM, and DMARC records.If you gave Mailpoet the right to use your email's SMTP server (is this how it works?) then you're fine because it's using your credentials and SPF will pass as the SMTP server is authorized to send email for your credentials.
-
@leoncowle Thanks, Leon!
-
@mkj
Yeah, it is. But not all ISPs allow a null MX record. Mine doesn't (DreamHost). If you can, it's a nice extra protection. -
@Jerry And if your domain is with Cloudflare they have a tool that can help you set this stuff up really easily - Just a few clicks if not sending emails for example
-
While you are securing your domain, 3 more good ideas:
1. Enable DNSSEC. This will sign the dns query responses to help ensure your DKIM and TLSA can be trusted.
2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.
3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the βmta-sts.@β subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).
-
@Ruaphoc
Thanks for this! This is on my list to look at this weekend. Thank you! -
@Jerry If I change my mind and I want to send e-mails from the domain: Can I expect that this will work, if I change the DNS records file again and wait for TTL seconds? Or will this take considerably longer?
-
Daniel, pined-lizard editionreplied to Jerry Lerman last edited by
@Jerry Can you undo this later without consequence?
-
@daniel
Should be able to. -
@nimi
Hi,Depending on the ISP, after making the changes, it usually takes up to 15 minutes for the changes to get distributed to all the DNS servers worldwide. It's pretty quick.
-
Daniel, pined-lizard editionreplied to Jerry Lerman last edited by
@Jerry (Just thinking from a cache perspective)
-
@daniel
I've never had issues making changes, so I think it wouldn't be an issue. The caches should recognize they need updating. -
@Jerry great approach! let's consider upping the ante.
TXT "_dmarc", "v=DMARC1;p=reject;sp=reject;pct=100"
we can add
sp=reject
to cover subdomain spoofing and apct=100
to explicitly address 100% of emails. this along with your suggestions should be rock solid! -
-
-