Important reminder, if you own a domain name and don't use it for sending email.
-
@mkj
Yeah, it is. But not all ISPs allow a null MX record. Mine doesn't (DreamHost). If you can, it's a nice extra protection. -
@Jerry And if your domain is with Cloudflare they have a tool that can help you set this stuff up really easily - Just a few clicks if not sending emails for example
-
While you are securing your domain, 3 more good ideas:
1. Enable DNSSEC. This will sign the dns query responses to help ensure your DKIM and TLSA can be trusted.
2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.
3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@“ subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and websites server).
-
@Ruaphoc
Thanks for this! This is on my list to look at this weekend. Thank you! -
@Jerry If I change my mind and I want to send e-mails from the domain: Can I expect that this will work, if I change the DNS records file again and wait for TTL seconds? Or will this take considerably longer?
-
Daniel, pined-lizard editionreplied to Jerry Lerman last edited by
@Jerry Can you undo this later without consequence?
-
@daniel
Should be able to. -
@nimi
Hi,Depending on the ISP, after making the changes, it usually takes up to 15 minutes for the changes to get distributed to all the DNS servers worldwide. It's pretty quick.
-
Daniel, pined-lizard editionreplied to Jerry Lerman last edited by
@Jerry (Just thinking from a cache perspective)
-
@daniel
I've never had issues making changes, so I think it wouldn't be an issue. The caches should recognize they need updating. -
@Jerry great approach! let's consider upping the ante.
TXT "_dmarc", "v=DMARC1;p=reject;sp=reject;pct=100"
we can add
sp=reject
to cover subdomain spoofing and apct=100
to explicitly address 100% of emails. this along with your suggestions should be rock solid! -
-
-