Email Protection Best Practices

In addition to installing and configuring Baruwa Enterprise Edition systems for your email protection, you need to implement some email best practices.

Implementing these best practices will ensure improved email performance and security.

Reverse DNS

The reverse DNS resolution (rDNS) maps an IP address to a hostname. Most email servers are configured to reject any email that doesn’t have a valid rDNS.

You need to configure the rDNS record for your external IP address to match the mail hostname you have configured for your Baruwa servers.

SPF

Sender Policy Framework (SPF) is an email validation system designed to detect and prevent email spoofing.

By creating an SPF record for your domains, systems that receive email purporting to be from your domain are able to verify whether the system sending the email is indeed authorized to send email using that domain name.

SPF needs to be configured in each domain’s public DNS zone. The SPF syntax is documented on the openspf website. You can use the easySPF or mailradar generation tools to create your SPF records.

Various online tools exist to test SPF records; you can use your favorite search engine to locate one.

DKIM

DomainKeys Identified Mail (DKIM) is an email authentication system that is also designed to detect and prevent email spoofing.

DKIM uses cryptographic authentication to let the receiver check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

DKIM keys need to be generated on your Baruwa server for each domain for which you are relaying email through it, and the public key needs to be added to the domain’s public DNS zone.

Various online tools exist to test DKIM records; you can use your favorite search engine to locate one.

DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing.

DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

DMARC needs to be configured in each domain’s public DNS zone. Various tools exist to help you generate DMARC records; use your favorite search engine to locate one.

Various online tools exist to test DMARC records; you can use your favorite search engine to locate one.
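As a complement to the online testers mentioned in the SPF and DMARC sections, the following added example (not part of Baruwa or its documentation) lints the TXT records you intend to publish before they go into the zone. The function names, the set of checks and the sample records for example.com are assumptions made for illustration; the 10-lookup limit comes from RFC 7208.

```python
import re

# SPF terms that each cost one DNS lookup; RFC 7208 caps evaluation at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Return a list of problems in the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    problems, lookups, terminated = [], 0, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        lookups += name in LOOKUP_TERMS
        if name in ("all", "redirect"):
            terminated = True
        if name == "all" and qualifier == "+":
            problems.append("'+all' authorizes every host on the Internet")
    if not terminated:
        problems.append("no 'all' mechanism or redirect modifier")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceed the limit of 10")
    return problems

def check_dmarc(txt_records):
    """Return a list of problems in the DMARC policy published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    pairs = (part.split("=", 1) for part in recs[0].split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none requests no action on failing mail (monitoring only)")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports are received")
    return problems

# Constructed sample records for the placeholder domain example.com.
GOOD_SPF = ["v=spf1 mx ip4:192.0.2.10 include:_spf.example.net -all"]
WEAK_SPF = ["v=spf1 mx +all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
WEAK_DMARC = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for label, result in [("SPF", check_spf(WEAK_SPF)), ("DMARC", check_dmarc(WEAK_DMARC))]:
        print(label, result or "ok")
```

An empty list means none of these checks fired; it does not replace testing the published records from outside your network.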

Eat your own dog food

If you are a hosting service provider, you need to use your own product for your own mail. No one is going to trust a provider that sells a product but uses a hosted product from a different SaaS provider for their own email.