Email Security Checklist

There are a lot of standards and protocols in play around SMTP today that are used to validate email. When setting up self-hosting recently, I found it useful to refer to the following checklist of the validations I should be configuring.

For a server receiving email on behalf of a domain:

  • Delegated by MX or A record
  • Correct PTR record matching server HELO
  • TLS cert for STARTTLS upgrade support
  • MTA-STS record to indicate the expectation of TLS
    • A DNS record of the form IN TXT "v=STSv1; id=20160831085700Z;" defining the current policy ID
    • the presence of which triggers an HTTPS fetch of
    • that file contains a policy of the form:
        version: STSv1
        mode: enforce

For longer-term validation (these standards still seem to be gaining adoption, so they probably won’t be checked by most senders yet):

  • DNSSEC enabled for the domain
  • DANE DNS records for the expected cert
    • there’s a tool to test your implementation.
  • CAA DNS record to limit which CAs may issue certs for the domain

For a server sending email on behalf of a domain:

  • Coming from a stable IP, ideally the same as the receiving server
  • HELO hostname matches both the MAIL FROM sender domain and the sending IP’s PTR record
  • Equipped with the domain’s TLS cert so it can be offered as a client certificate
  • SPF record
    • of the form TXT "v=spf1 +mx -all" (or “a” instead of “mx”)
  • DKIM header signing of messages
    • DNS TXT record for the <selector> carrying the public key
  • ARC headers
  • Register the domain on
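As an added example (not part of the original post), the following Python checks a few items from both lists offline: HELO against PTR, the MTA-STS TXT record and policy file, and that the SPF record ends in a fail qualifier. The records are constructed sample data for a hypothetical example.com; nothing is fetched from DNS or HTTPS.

```python
# Constructed sample records for example.com; no live DNS or HTTPS lookups are made.
SAMPLE = {
    "helo": "mail.example.com",
    "ptr": "mail.example.com",
    "mta_sts_txt": "v=STSv1; id=20160831085700Z;",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n",
    "spf_txt": "v=spf1 +mx -all",
}

def helo_matches_ptr(helo, ptr):
    """The HELO name must equal the sending IP's reverse (PTR) name, ignoring case/trailing dot."""
    return helo.rstrip(".").lower() == ptr.rstrip(".").lower()

def parse_mta_sts_txt(txt):
    """Parse the MTA-STS TXT record 'v=STSv1; id=...' into a dict, or None if malformed."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return fields if fields.get("v") == "STSv1" and fields.get("id") else None

def mta_sts_policy_ok(text):
    """The HTTPS-served policy must be STSv1 with a valid mode, at least one mx line and a max_age."""
    policy = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        policy.setdefault(key.strip(), []).append(value.strip())
    return (policy.get("version") == ["STSv1"]
            and policy.get("mode", [""])[0] in {"enforce", "testing", "none"}
            and bool(policy.get("mx"))
            and policy.get("max_age", [""])[0].isdigit())

def spf_ends_fail(txt):
    """SPF must be spf1 and close with -all or ~all so unlisted senders are rejected or softfailed."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    last = terms[-1].lower()
    return last in {"-all", "~all"}

def run_checklist(data):
    """Return {check_name: passed} for the records in `data`."""
    return {
        "helo_matches_ptr": helo_matches_ptr(data["helo"], data["ptr"]),
        "mta_sts_txt": parse_mta_sts_txt(data["mta_sts_txt"]) is not None,
        "mta_sts_policy": mta_sts_policy_ok(data["mta_sts_policy"]),
        "spf_restrictive": spf_ends_fail(data["spf_txt"]),
    }

if __name__ == "__main__":
    for name, ok in run_checklist(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```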