Email Security Checklist

There are a lot of different standards and protocols in play around SMTP today that are used to validate email. When I recently set up self hosting, I found it useful to refer to the following checklist of the validations I should be configuring.

For a server receiving email on behalf of a domain:

  • Delegated by MX or A record
  • Correct PTR record matching server HELO
  • TLS Cert for StartTLS upgrade support
  • MTA-STS record to indicate the expectation of TLS
    • A dns record of the form _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" defining the current policy ID
    • the presence of which triggers an HTTPS fetch of https://mta-sts.example.com/.well-known/mta-sts.txt
    • that file contains a policy of the form (max_age, in seconds, is a required field under RFC 8461)
      version: STSv1
      mode: enforce
      mx: mail.example.com
      max_age: 604800
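The following is an added example, not code from the original checklist: it parses the _mta-sts TXT record and the mta-sts.txt policy file described above, validates the fields RFC 8461 requires, and applies the MX matching rule a sending MTA uses (a leading "*." matches exactly one label). The sample record and policy text are constructed inline rather than fetched, so the script runs offline.

```python
"""Parse and validate an MTA-STS policy (RFC 8461) and test MX hosts against it."""

# Constructed sample inputs standing in for the DNS TXT record and the HTTPS-fetched policy file.
SAMPLE_TXT = 'v=STSv1; id=20160831085700Z;'
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record into a dict; require v=STSv1 and a non-empty id."""
    fields = {}
    for part in txt.split(';'):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition('=')
        fields[key.strip()] = value.strip()
    if fields.get('v') != 'STSv1' or not fields.get('id'):
        raise ValueError('not a valid MTA-STS TXT record: %r' % txt)
    return fields


def parse_policy(text):
    """Parse mta-sts.txt: 'key: value' lines, where 'mx' may repeat and max_age is an integer."""
    policy = {'mx': []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(':')
        if not sep:
            raise ValueError('malformed policy line: %r' % line)
        key, value = key.strip(), value.strip()
        if key == 'mx':
            policy['mx'].append(value)
        else:
            policy[key] = value
    for required in ('version', 'mode', 'max_age'):
        if required not in policy:
            raise ValueError('missing required field: ' + required)
    if policy['version'] != 'STSv1':
        raise ValueError('unsupported policy version: ' + policy['version'])
    if policy['mode'] not in ('enforce', 'testing', 'none'):
        raise ValueError('invalid mode: ' + policy['mode'])
    if policy['mode'] != 'none' and not policy['mx']:
        raise ValueError('mode %s requires at least one mx line' % policy['mode'])
    policy['max_age'] = int(policy['max_age'])
    return policy


def mx_matches(policy, mx_host):
    """Return True if mx_host is permitted by one of the policy's mx patterns.

    A pattern starting with '*.' matches exactly one leading label, so
    '*.backup.example.com' matches 'mx1.backup.example.com' but not
    'a.b.backup.example.com' or 'backup.example.com' itself.
    """
    host = mx_host.lower().rstrip('.')
    for pattern in policy['mx']:
        pattern = pattern.lower().rstrip('.')
        if pattern.startswith('*.'):
            suffix = pattern[1:]              # '.backup.example.com'
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and '.' not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_allowed(policy, mx_host):
    """Sender-side decision: in enforce mode deliver only to an MX the policy lists (over verified TLS);
    in testing or none mode delivery proceeds and mismatches are only reported."""
    if policy['mode'] == 'enforce':
        return mx_matches(policy, mx_host)
    return True


if __name__ == '__main__':
    record = parse_sts_txt(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY)
    print('policy id', record['id'], 'mode', policy['mode'], 'max_age', policy['max_age'])
    for candidate in ('mail.example.com', 'mx1.backup.example.com', 'evil.example.com'):
        print(candidate, 'allowed' if delivery_allowed(policy, candidate) else 'rejected')
```

The wildcard handling is the part worth checking on your own policy: a wildcard only covers a single label, so each tier of backup MX hosts needs its own pattern if they differ in depth.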

For longer-term validation (these standards are still gaining adoption, so most senders probably won’t validate them yet):

  • DNSSEC enabled for the domain
  • DANE dns records for the expected cert
    • there’s a tool to test your implementation.
  • CAA dns record to limit cert issuer

For a server sending email on behalf of a domain:

  • Coming from a stable IP, ideally the same as the receiving server
  • HELO matches both MAIL FROM sender and the sending IP’s PTR record
  • Equipped with the domain’s TLS cert so it can be offered as a client certificate
  • SPF record
    • of the form example.com. TXT "v=spf1 +mx -all" (or “a” instead of “mx”)
  • DKIM header signing of messages
    • DNS TXT record at <selector>._domainkey.example.com carrying the public key
  • DMARC
  • ARC headers
  • Register the domain on postmaster.google.com
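As an added example (not part of the original checklist), the script below checks the sending-side items offline against a constructed set of DNS answers: that HELO agrees with the MAIL FROM domain and the sending IP’s PTR record (and that the PTR name resolves back to the IP), that the SPF record yields pass for the sending IP and fail for another, and that the DMARC and DKIM records are present and well-formed. The DNS table, the selector name `sel1` and the placeholder DKIM key are all assumptions; replace `lookup` with real resolver calls to run it against your own domain.

```python
"""Offline checks for the sending-side items: HELO/PTR alignment, SPF, DKIM and DMARC records."""
import ipaddress

# Constructed DNS answers standing in for live lookups (assumption: this is what the resolver would return).
DNS = {
    ('example.com', 'TXT'): ['v=spf1 +mx -all'],
    ('example.com', 'MX'): ['mail.example.com'],
    ('mail.example.com', 'A'): ['192.0.2.25'],
    ('25.2.0.192.in-addr.arpa', 'PTR'): ['mail.example.com'],
    ('_dmarc.example.com', 'TXT'): ['v=DMARC1; p=reject; rua=mailto:dmarc@example.com'],
    ('sel1._domainkey.example.com', 'TXT'): ['v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBKEY'],
}


def lookup(name, rtype):
    """Resolver stand-in: returns the constructed answers for (name, type), or [] if none."""
    return DNS.get((name.rstrip('.').lower(), rtype), [])


def check_helo_alignment(helo, mail_from, sending_ip):
    """Return a list of problems; an empty list means HELO, MAIL FROM and PTR all agree."""
    problems = []
    helo = helo.lower().rstrip('.')
    mf_domain = mail_from.rsplit('@', 1)[-1].lower()
    # Interpretation of the checklist item: HELO is the MAIL FROM domain or a host within it.
    if not (helo == mf_domain or helo.endswith('.' + mf_domain)):
        problems.append('HELO %s is not within MAIL FROM domain %s' % (helo, mf_domain))
    reverse_name = ipaddress.ip_address(sending_ip).reverse_pointer  # e.g. 25.2.0.192.in-addr.arpa
    ptrs = [p.lower().rstrip('.') for p in lookup(reverse_name, 'PTR')]
    if helo not in ptrs:
        problems.append('PTR for %s is %s, which does not match HELO %s' % (sending_ip, ptrs, helo))
    # Forward-confirmed reverse DNS: the HELO/PTR name must resolve back to the sending IP.
    if sending_ip not in lookup(helo, 'A'):
        problems.append('HELO %s does not resolve to %s' % (helo, sending_ip))
    return problems


def spf_result(domain, ip):
    """Minimal SPF evaluator covering the mechanisms the checklist uses: a, mx, ip4, all.
    Not a full RFC 7208 implementation (no include/redirect, no /prefix on a or mx)."""
    records = [r for r in lookup(domain, 'TXT') if r.startswith('v=spf1')]
    if len(records) != 1:
        return 'permerror'  # exactly one SPF record is allowed per domain
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = '+'
        if term[0] in '+-~?':
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(':')
        mech = mech.lower()
        if mech == 'all':
            matched = True
        elif mech == 'ip4':
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == 'a':
            matched = ip in lookup(arg or domain, 'A')
        elif mech == 'mx':
            matched = any(ip in lookup(mx, 'A') for mx in lookup(arg or domain, 'MX'))
        else:
            return 'permerror'  # unsupported mechanism in this minimal evaluator
        if matched:
            return {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}[qualifier]
    return 'neutral'  # no mechanism matched and no 'all' term


def parse_tag_record(txt):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM share this syntax) into a dict."""
    out = {}
    for part in txt.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            out[key.strip()] = value.strip()
    return out


def dmarc_policy(domain):
    """Return the DMARC p= policy for the domain, or None if no valid record is published."""
    for txt in lookup('_dmarc.' + domain, 'TXT'):
        tags = parse_tag_record(txt)
        if tags.get('v') == 'DMARC1' and tags.get('p') in ('none', 'quarantine', 'reject'):
            return tags['p']
    return None


def dkim_key_published(domain, selector):
    """True if <selector>._domainkey.<domain> carries a DKIM record with a non-empty public key."""
    for txt in lookup('%s._domainkey.%s' % (selector, domain), 'TXT'):
        tags = parse_tag_record(txt)
        if tags.get('v', 'DKIM1') == 'DKIM1' and tags.get('p'):
            return True
    return False


if __name__ == '__main__':
    print('HELO problems:', check_helo_alignment('mail.example.com', 'user@example.com', '192.0.2.25'))
    print('SPF for 192.0.2.25:', spf_result('example.com', '192.0.2.25'))
    print('SPF for 198.51.100.7:', spf_result('example.com', '198.51.100.7'))
    print('DMARC policy:', dmarc_policy('example.com'))
    print('DKIM sel1 published:', dkim_key_published('example.com', 'sel1'))
```

The SPF evaluator deliberately stops at the mechanisms the checklist mentions; for a record that uses include: or redirect= you need a full resolver-backed implementation, since those pull in third-party records and count toward the ten-lookup limit.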