Important reminder, if you own a domain name and don't use it for sending email.
-
@Jerry And if your domain is with Cloudflare, they have a tool that can help you set this stuff up really easily. Just a few clicks if you're not sending emails, for example.
-
While you are securing your domain, 3 more good ideas:
1. Enable DNSSEC. This will sign the DNS query responses to help ensure your DKIM and TLSA records can be trusted.
2. Configure CAA records with only your TLS certificate issuer, so any other certificates are not trusted.
3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the "mta-sts.@" subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and website server).
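The MTA-STS part of point 3 is the one most often misconfigured, because the policy lives in a plain text file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt rather than in DNS. The following is an added example (not from anyone in this thread) that parses such a policy file, flags settings that would weaken it, and checks whether a given MX hostname is covered by the policy's mx patterns. The sample policy and hostnames are constructed; the wildcard rule (a leading "*." matches exactly one label, as in TLS certificate name matching) is an assumption about how receivers apply RFC 8461.

```python
"""Parse and sanity-check an MTA-STS policy file (RFC 8461 format).

Added example, not part of the original thread.  The sample policy below is
constructed for illustration.
"""

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows for max_age

# Constructed sample: what a hardened mta-sts.txt for a domain might contain.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_mta_sts_policy(text):
    """Turn 'key: value' lines into a dict; every 'mx' line is collected into a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in policy:
            raise ValueError(f"duplicate policy key: {key}")
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of findings; an empty list means the policy is well formed and enforcing."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        findings.append(f"mode {mode!r} is not one of {sorted(VALID_MODES)}")
    elif mode != "enforce":
        findings.append(f"mode={mode}: receivers will report failures but still deliver")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            findings.append(f"max_age {max_age} is outside 0..{MAX_AGE_LIMIT}")
    except ValueError:
        findings.append("max_age is missing or not an integer")
    if not policy["mx"] and mode != "none":
        findings.append("no mx entries: no MX host can be validated against this policy")
    return findings


def mx_allowed(policy, hostname):
    """True if hostname matches one of the policy's mx patterns.

    Assumption: a leading '*.' matches exactly one DNS label, so
    '*.example.net' covers 'mx1.example.net' but not 'a.b.example.net'.
    """
    host = hostname.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.net"
            leftmost = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    print("findings:", validate_policy(policy) or "none")
    for mx in ("mail.example.com", "mx2.backup-mx.example.net", "deep.mx2.backup-mx.example.net"):
        print(f"{mx}: {'allowed' if mx_allowed(policy, mx) else 'NOT covered'}")
```

Run it against the body fetched from your own mta-sts.txt to confirm the file the subdomain serves is actually the one you intended; a policy in testing mode or with a typo in an mx line silently downgrades to "report only".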
-
@Ruaphoc Thanks for this! This is on my list to look at this weekend. Thank you!
@Jerry If I change my mind and I want to send e-mails from the domain, can I expect that this will work if I change the DNS records again and wait for the TTL to expire? Or will this take considerably longer?
-
Daniel (pined-lizard edition) replied to Jerry Lerman:
@Jerry Can you undo this later without consequence?
-
@daniel Should be able to.
@nimi Hi, depending on the ISP, after making the changes it usually takes up to 15 minutes for the changes to get distributed to all the DNS servers worldwide. It's pretty quick.
-
Daniel (pined-lizard edition) replied to Jerry Lerman:
@Jerry (Just thinking from a cache perspective)
-
@daniel I've never had issues making changes, so I think it wouldn't be an issue. The caches should recognize they need updating.
@Jerry Great approach! Let's consider upping the ante:
TXT "_dmarc", "v=DMARC1;p=reject;sp=reject;pct=100"
We can add sp=reject to cover subdomain spoofing and pct=100 to explicitly address 100% of emails. This, along with your suggestions, should be rock solid!
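To see why the two extra tags matter, it helps to know how receivers resolve DMARC defaults: sp= falls back to whatever p= says, and pct= defaults to 100, so "v=DMARC1;p=reject" already behaves like the record above, while "p=quarantine" silently weakens subdomains too. The following is an added example (not posted by anyone in this thread) that parses a DMARC TXT value per RFC 7489 tag syntax, resolves those defaults, and lists anything weaker than the reject/reject/100 configuration suggested above. The sample records are constructed.

```python
"""Audit a DMARC TXT record for a domain that never sends mail.

Added example, not from the thread.  Tag syntax and defaults follow RFC 7489:
tags are 'name=value' pairs separated by ';', sp= inherits p=, pct= defaults to 100.
"""

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag name -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # RFC 7489 requires the record to open with the literal v=DMARC1 tag
    first = record.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def effective_policy(tags):
    """Resolve defaults the way a receiver does: (domain policy, subdomain policy, pct)."""
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()      # absent sp= means "same as p="
    try:
        pct = int(tags.get("pct", "100"))  # absent pct= means apply to 100%
    except ValueError:
        raise ValueError(f"pct must be an integer, got {tags['pct']!r}")
    for name, value in (("p", p), ("sp", sp)):
        if value not in POLICIES:
            raise ValueError(f"{name}={value!r} is not one of {sorted(POLICIES)}")
    if not 0 <= pct <= 100:
        raise ValueError(f"pct must be 0..100, got {pct}")
    return p, sp, pct


def audit_parked_domain(record):
    """Return findings for a non-sending domain; empty list means reject/reject/100."""
    p, sp, pct = effective_policy(parse_dmarc(record))
    findings = []
    if p != "reject":
        findings.append(f"p={p}: spoofed mail from the bare domain is not rejected")
    if sp != "reject":
        findings.append(f"sp={sp}: spoofed mail from subdomains is not rejected")
    if pct != 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    return findings


if __name__ == "__main__":
    # Constructed sample records, from the thread's recommendation down to a weak one
    for rec in ("v=DMARC1;p=reject;sp=reject;pct=100",
                "v=DMARC1; p=reject",
                "v=DMARC1; p=quarantine; pct=50"):
        print(rec, "->", audit_parked_domain(rec) or "OK")
```

Feeding it the value returned by a TXT lookup of _dmarc.<your-domain> gives a quick regression check after any DNS change, which also answers the "can I undo this later" question above: the audit should start reporting findings again as soon as the relaxed record propagates.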