The delivery and security of your email depend mainly on the following DNS records specific to your domain. These records not only ensure that emails are received correctly, but also protect against spam and identity theft (spoofing).
MX: Mail reception server
In order for your domain to receive emails, a record of type MX must be present in the domain's DNS zone. The MX record designates the SMTP server that receives emails and always points to a domain name (canonical name), never to an IP address.
For example, if your domain is monsite.tld and your emails are hosted by LRob on the server ds.lrob.net, here is a sample set of records:
mail A 138.201.17.216
MX 0 mail.monsite.tld
This MX record ensures that all emails addressed to monsite.tld are delivered to the server mail.monsite.tld.
Email security
Although universal email security standards are difficult to impose, several standards are now widely adopted to:
- Reduce spam
- Limit identity theft
Here are the main standards you can implement.
FQDN, HELO, rDNS
The HELO is the greeting that a sending SMTP server presents when it connects to deliver an e-mail. To be considered legitimate, the HELO must meet these criteria:
- It must be an FQDN (fully qualified domain name) that resolves to the IP address of the sending SMTP server.
- The FQDN must match the reverse DNS (rDNS, i.e. the PTR record) of the SMTP server's IP address.
- The rDNS must not be in the provider's default form (e.g. IPReversed.provider.tld), as this often indicates an unsecured server or a spam botnet.
LRob servers are configured to reject emails presenting an incorrect HELO, as this is a basic standard that every sending server must respect. If emails sent to you are blocked for this reason, we can, as a last resort, whitelist the sender, but this disables all verification of the sending server's authenticity, which is strongly discouraged.
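To make the three HELO criteria above concrete, here is an added example (not part of the original page, and not LRob's filtering code) of the check a receiving server performs. It uses a constructed, in-memory DNS table instead of live lookups; the hostnames, IPs and the "generic rDNS" heuristic are assumptions for illustration.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed DNS data for this example (not real records). A production
# checker would perform live A/AAAA and PTR lookups instead.
FORWARD = {                       # hostname -> A records
    "mail.monsite.tld": {"138.201.17.216"},
    "smtp.relay.example": {"203.0.113.10"},
    "www.bad-helo.example": {"198.51.100.5"},
}
REVERSE = {                       # IP -> PTR record ("" = no PTR published)
    "138.201.17.216": "mail.monsite.tld",
    "203.0.113.10": "smtp.relay.example",
    "198.51.100.5": "198-51-100-5.dynamic.provider.example",
    "192.0.2.77": "",
}

LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$", re.IGNORECASE)


def is_fqdn(name: str) -> bool:
    """True for a syntactically valid multi-label hostname; address literals fail."""
    name = name.rstrip(".")
    try:
        ipaddress.ip_address(name.strip("[]"))
        return False                           # "[1.2.3.4]" / "1.2.3.4" is not a name
    except ValueError:
        return bool(FQDN_RE.match(name))


def looks_generic(ptr: str, ip: str) -> bool:
    """Heuristic (an assumption of this example) for provider-default rDNS: the
    IP's octets appear in the name, forwards or reversed, joined by '.', '-'
    or nothing, e.g. 1-2-3-4.isp.tld or 4.3.2.1.isp.tld."""
    octets = ip.split(".")
    host = ptr.lower()
    return any(
        sep.join(seq) in host
        for sep in (".", "-", "")
        for seq in (octets, list(reversed(octets)))
    )


def check_helo(helo: str, ip: str) -> tuple[bool, list[str]]:
    """Apply the three criteria from the text; returns (accepted, reasons)."""
    reasons: list[str] = []
    helo_n = helo.lower().rstrip(".")
    if not is_fqdn(helo_n):
        reasons.append("HELO is not an FQDN")
    if ip not in FORWARD.get(helo_n, set()):
        reasons.append("HELO does not resolve to the connecting IP")
    ptr = REVERSE.get(ip, "").lower().rstrip(".")
    if not ptr:
        reasons.append("no PTR record for the connecting IP")
    else:
        if ptr != helo_n:
            reasons.append(f"rDNS {ptr} does not match HELO")
        if looks_generic(ptr, ip):
            reasons.append("rDNS is a generic provider name")
    return (not reasons, reasons)


if __name__ == "__main__":
    for helo, ip in [("mail.monsite.tld", "138.201.17.216"),
                     ("www.bad-helo.example", "198.51.100.5"),
                     ("[192.0.2.77]", "192.0.2.77")]:
        ok, why = check_helo(helo, ip)
        print(f"{helo:24} {ip:16} {'accept' if ok else 'reject'}  {'; '.join(why)}")
```

The function reports every failed criterion rather than stopping at the first, which is what you want when explaining a rejection to a sender: a HELO that resolves correctly but whose PTR is still the provider default is a configuration problem on the sending side, not a transient error.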
SPF (Sender Policy Framework)
SPF is a security mechanism that defines which servers are authorized to send e-mail on behalf of a given domain. It is published as a TXT record in the domain's DNS zone. SPF helps prevent identity theft by ensuring that only authorized servers can send emails under your domain name.
How SPF works
When a receiving server gets an e-mail from your domain, it looks up the SPF record in the DNS zone of the sending domain:
- If the DNS zone contains a valid SPF rule and the sending server complies with it, the email is accepted.
- If no SPF rule is present, the email may get through, but it is more likely to be flagged as spam.
- If the SPF rule is not respected, the email may be rejected (with the -all qualifier) or marked as spam (with ~all).
LRob SPF Rule
The default SPF rule for domains hosted at LRob is as follows:
v=spf1 +mx include:_spf.lrob.net -all
Common SPF errors
- Creating multiple SPF records: there must be only one SPF record per domain. If there are several, destination servers may read them inconsistently and produce unpredictable results.
- Using the wrong SMTP server: you must send through an SMTP server authorized by your SPF rule. If you use another server, your e-mails will certainly be rejected.
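The following added example (not from the original page, and not LRob's code) walks through the evaluation described in "How SPF works" and the two common errors above. It evaluates a sender IP against the LRob default rule `v=spf1 +mx include:_spf.lrob.net -all` using a constructed in-memory DNS: the contents given for _spf.lrob.net, the other domains and all IP addresses are assumptions made for the example, not LRob's real records.

```python
from __future__ import annotations

import ipaddress

# Constructed DNS data for this example (not real zones). The record shown
# here for _spf.lrob.net is invented to illustrate include: processing.
DNS_TXT = {
    "monsite.tld": ["v=spf1 +mx include:_spf.lrob.net -all"],
    "_spf.lrob.net": ["v=spf1 ip4:138.201.17.0/24 ip4:203.0.113.0/24 ~all"],
    # the "multiple SPF entries" mistake: two v=spf1 records on one domain
    "doublespf.tld": ["v=spf1 +mx -all", "v=spf1 ip4:198.51.100.9 -all"],
    "nospf.tld": [],
}
DNS_MX = {"monsite.tld": ["mail.monsite.tld"], "doublespf.tld": ["mail.monsite.tld"]}
DNS_A = {"mail.monsite.tld": ["138.201.17.216"]}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(host: str) -> set[str]:
    return set(DNS_A.get(host.lower(), []))


def _ip_in(ip: str, cidr: str) -> bool:
    # a bare address like ip4:198.51.100.9 is treated as a /32 network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the sending IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the mechanisms used on this page (all, ip4, a, mx, include) are
    modelled; anything else is reported as permerror.
    """
    if depth > 10:                       # include: loop or too many lookups
        return "permerror"
    d = domain.lower().rstrip(".")
    records = [r for r in DNS_TXT.get(d, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"                    # no SPF rule: accepted, but more likely flagged
    if len(records) > 1:
        return "permerror"               # several SPF records -> unreadable rule
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _ip_in(ip, arg)
        elif name == "a":
            matched = ip in _a_records(arg or d)
        elif name == "mx":
            matched = any(ip in _a_records(h) for h in DNS_MX.get(arg or d, []))
        elif name == "include":
            inner = check_spf(arg, ip, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"    # include only matches on an inner pass
        else:
            return "permerror"           # exists:, ptr, macros... not modelled here
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in [("monsite.tld", "138.201.17.216"), ("monsite.tld", "203.0.113.50"),
                    ("monsite.tld", "198.51.100.9"), ("doublespf.tld", "138.201.17.216"),
                    ("nospf.tld", "198.51.100.9")]:
        print(f"{dom:14} {ip:16} -> {check_spf(dom, ip)}")
```

Note how the final qualifier decides the outcome for an unauthorized server (`-all` gives fail, while the `~all` inside the included record only yields softfail within that lookup), and how a second `v=spf1` record turns a perfectly good rule into a permerror, which is the "random read errors" symptom described above.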
DKIM (DomainKeys Identified Mail)
DKIM is a standard for digitally signing e-mails sent from your domain. Recipient servers verify this signature using a public key published in your DNS zone, which guarantees the message's integrity and authenticity.
Activate DKIM via Plesk
- Visit your Plesk control panel.
- Go to Email addresses, then Messaging settings.
- Check the box "Use the DKIM anti-spam system to sign outgoing e-mails".
- Click on OK.
This automatically enables DKIM signing for your emails and creates the corresponding DNS entry.
DMARC (Domain-based Message Authentication)
DMARC is a standard complementary to SPF and DKIM: it defines the policy to apply when those two checks are not satisfied. DMARC lets you choose the action to be taken (reject, mark as spam, etc.) when an email fails the SPF or DKIM checks.
Example of a DMARC rule
Here is the default DMARC rule in an LRob DNS zone:
"v=DMARC1; p=reject; sp=reject; aspf=s; rua=mailto:dmarcreport@lrob.fr; ruf=mailto:dmarcreport@lrob.fr; rf=afrf; pct=100; ri=172800"
This rule:
- Rejects emails that do not comply with the SPF policy (p=reject, with strict SPF alignment, aspf=s).
- Allows some tolerance for DKIM problems.
- Prevents emails being sent from unauthorized subdomains (sp=reject).
- Sends aggregate (rua) and failure (ruf) reports to dmarcreport@lrob.fr.
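Here is an added example (not from the original page, not LRob's code) that parses the DMARC record quoted above into its tags and applies the resulting policy to a message given its SPF and DKIM results. The message domains are constructed; the organizational-domain logic is deliberately simplified (last two labels) and labelled as such, since real verifiers use the Public Suffix List.

```python
from __future__ import annotations

# The default DMARC record quoted in the text. The report addresses are the
# ones published there; the message domains used below are constructed.
LROB_DMARC = ("v=DMARC1; p=reject; sp=reject; aspf=s; rua=mailto:dmarcreport@lrob.fr; "
              "ruf=mailto:dmarcreport@lrob.fr; rf=afrf; pct=100; ri=172800")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs and validate the basics."""
    tags: dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(name: str) -> str:
    """Simplified organizational domain: the last two labels. This is an
    assumption of the example; real verifiers consult the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match between the
    authenticated domain and the From: domain, relaxed ('r') only the same
    organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(tags: dict[str, str], from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy to apply: p= for the domain itself, sp= for
    a subdomain. pct= sampling is not modelled; the record above uses pct=100.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for,
    dkim_domain the d= value of a signature that verified.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                 # one aligned pass is enough for DMARC
        return "pass"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    tags = parse_dmarc(LROB_DMARC)
    print("policy:", tags["p"], "subdomain policy:", tags["sp"], "reports to:", tags["rua"])
    print(dmarc_disposition(tags, "monsite.tld", "pass", "monsite.tld", "none", ""))
    print(dmarc_disposition(tags, "monsite.tld", "pass", "bounce.monsite.tld", "fail", ""))
```

The second call shows the effect of aspf=s: an SPF pass obtained on bounce.monsite.tld does not count for a From: address at monsite.tld, so with no valid DKIM signature the message falls under p=reject. Because adkim is not set, DKIM alignment stays relaxed, which is the "tolerance" for DKIM mentioned above: a signature with d=monsite.tld still aligns a From: address at a subdomain.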
Blacklists
Blacklists are public lists of IP addresses associated with spamming. If the IP of a sending SMTP server appears on one of these lists, its e-mails are likely to be rejected by recipient servers.