There are a lot of various standards and protocols in play around SMTP that are used today to validate email. When setting up self-hosting recently, I found it useful to refer to the following checklist of the validations that I should be configuring.
For a server receiving email on behalf of a domain:
- Delegated by MX or A record
- Correct PTR record matching server HELO
- TLS cert for STARTTLS upgrade support
- MTA-STS record to indicate the expectation of TLS
  - A DNS record of the form
    _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;"
    defining the current policy ID; its presence triggers an HTTPS fetch of
    https://mta-sts.example.com/.well-known/mta-sts.txt
  - That file contains a policy of the form
    version: STSv1
    mode: enforce
    mx: mail.example.com
- Add the domain to the TLS policy list
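As an added example (not part of the original checklist), the following Python script parses the two MTA-STS artifacts named above, the `_mta-sts` TXT record and the `.well-known/mta-sts.txt` policy body, and checks that every MX host of the domain is covered by one of the policy's `mx:` patterns, which is the check a sending MTA in `enforce` mode performs before delivering. The record, policy and MX list are constructed inline so it runs offline; nothing is fetched from DNS or HTTPS.

```python
"""Parse and sanity-check an MTA-STS TXT record and policy file (RFC 8461).

Added example: the sample record, policy body and MX list below are constructed
inline so the script runs offline; nothing is fetched from DNS or HTTPS.
"""
import re

# Constructed sample data, mirroring the shapes given in the checklist.
SAMPLE_TXT_RECORD = "v=STSv1; id=20160831085700Z;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["mail.example.com", "mx1.backup.example.com"]


def parse_sts_txt(record):
    """Split 'v=STSv1; id=...;' into a dict and require the STSv1 version tag."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record is not an STSv1 record: %r" % record)
    # The id is 1 to 32 alphanumeric characters; senders use a change in it
    # as the signal to refetch the policy file.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("policy id must be 1-32 alphanumeric characters")
    return fields


def parse_sts_policy(body):
    """Parse the 'key: value' policy file; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx entry is required for enforce/testing")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: a leading '*.' covers exactly one label; otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern


def uncovered_mx_hosts(policy, mx_hosts):
    """Return the MX hosts an enforce-mode sender would refuse to deliver to."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


if __name__ == "__main__":
    txt = parse_sts_txt(SAMPLE_TXT_RECORD)
    policy = parse_sts_policy(SAMPLE_POLICY)
    missing = uncovered_mx_hosts(policy, SAMPLE_MX_HOSTS)
    print("policy id:", txt["id"], "mode:", policy["mode"], "uncovered MX:", missing)
```

Run it against your own record and policy by replacing the constructed samples; an MX host showing up in the uncovered list while the policy is in `enforce` mode means MTA-STS-aware senders will stop delivering to that host, so `testing` mode with a `max_age` you can live with is the safer first step.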
For longer-term validation (these standards still seem to be gaining adoption, so they probably won't be validated by most senders):
- DNSSEC enabled for the domain
- DANE DNS records for the expected cert
  - there's a tool to test your implementation.
- CAA DNS record to limit cert issuer
For a server sending email on behalf of a domain:
- Coming from a stable IP, ideally the same as the receiving server
- HELO matches both the MAIL FROM sender domain and the sending IP's PTR record
- Equipped with the TLS cert for the domain, to be able to offer it as a client certificate
- SPF record
  - of the form
    example.com. TXT "v=spf1 +mx -all"
    (or "a" instead of "mx")
- DKIM header signing of messages
  - DNS <selector>._domainkey.example.com record with pubkey
- DMARC
- ARC headers
- Register the domain on postmaster.google.com
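As an added example (not part of the original checklist), the following Python script shows what a receiving MTA checks on the sender-side items above: that the sending IP's PTR matches the HELO name, that the HELO name resolves back to that IP (forward-confirmed reverse DNS), that the HELO name lies within the MAIL FROM domain, and that the IP passes an SPF record of the `v=spf1 +mx -all` / `+a` shape. The DNS answers come from a constructed in-memory table for the hypothetical domains example.com and example.net, so it runs offline; a real receiver would resolve them with a DNS library. Only the `mx`, `a`, `ip4` and `all` mechanisms are implemented, which covers the record shapes in the checklist rather than the full SPF specification (RFC 7208).

```python
"""Offline check of HELO/PTR/MAIL FROM alignment and a minimal SPF evaluation.

Added example: the DNS table below is constructed, not live data. Supported SPF
mechanisms are mx, a, ip4 and all; anything else yields 'permerror' here.
"""
import ipaddress

# Constructed zone data for the hypothetical domains example.com and example.net.
# 203.0.113.99 has a PTR that claims mail.example.com but no matching forward record.
DNS = {
    "A": {"mail.example.com": ["203.0.113.25"], "example.com": ["203.0.113.80"]},
    "MX": {"example.com": ["mail.example.com"]},
    "PTR": {"203.0.113.25": ["mail.example.com"], "203.0.113.99": ["mail.example.com"]},
    "TXT": {
        "example.com": ["v=spf1 +mx -all"],
        "example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
}


def lookup(rtype, name):
    """Offline stand-in for a DNS query; returns the list of answers (empty if none)."""
    return DNS[rtype].get(name.lower().rstrip("."), [])


def helo_alignment(helo, ip, mail_from):
    """Return the list of alignment problems for one connection (empty means aligned)."""
    problems = []
    helo = helo.lower().rstrip(".")
    ptr_names = [n.lower().rstrip(".") for n in lookup("PTR", ip)]
    if helo not in ptr_names:
        problems.append("PTR for %s is %s, not the HELO name %s" % (ip, ptr_names or "missing", helo))
    # Forward-confirmed rDNS: the name the PTR/HELO gives must resolve back to the IP.
    if ip not in lookup("A", helo):
        problems.append("HELO name %s does not resolve to %s" % (helo, ip))
    # 'HELO matches MAIL FROM' is read here as: same domain or a host beneath it.
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    if helo != sender_domain and not helo.endswith("." + sender_domain):
        problems.append("HELO %s is not within MAIL FROM domain %s" % (helo, sender_domain))
    return problems


def spf_check(sender_domain, ip):
    """Evaluate the domain's SPF record for ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (several records, or a mechanism this example does not implement).
    """
    records = [t for t in lookup("TXT", sender_domain) if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or sender_domain  # 'mx' and 'a' default to the sender domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup("A", target)
        elif mech == "mx":
            matched = any(ip in lookup("A", mx) for mx in lookup("MX", target))
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return qualifiers[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default result


def check_sender(helo, ip, mail_from):
    """Combine the alignment and SPF results into one report for a connection."""
    return {
        "alignment_problems": helo_alignment(helo, ip, mail_from),
        "spf": spf_check(mail_from.rsplit("@", 1)[-1], ip),
    }


if __name__ == "__main__":
    # A sender configured per the checklist: HELO equals the PTR and is the MX.
    print(check_sender("mail.example.com", "203.0.113.25", "alice@example.com"))
    # The same HELO from the IP whose PTR is not forward-confirmed and is not the MX.
    print(check_sender("mail.example.com", "203.0.113.99", "alice@example.com"))
```

The second call is the interesting one: a PTR record alone is easy to satisfy, so receivers weigh the forward confirmation and the SPF result together, and the report shows both failing for that IP while the PTR check passes.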