DNS records for email security and how to set them up
Jul 07 2023

With email remaining a primary method of communication, especially in business settings, ensuring the security of email systems is paramount. Email security not only protects the data and information sent via email but also safeguards the integrity of your business communication. One of the often-underestimated ways to enhance email security is through the use of Domain Name System (DNS) records. This post will explore how DNS records can bolster email security, with a focus on SPF, DKIM, DMARC, and PTR records.
Introduction to DNS
Before diving into specifics, let’s first establish what DNS is. The Domain Name System (DNS) is like a phonebook for the internet. It translates human-readable domain names, such as www.example.com, into Internet Protocol (IP) addresses that computers use to identify each other on the network. This is where DNS records come into play. DNS records hold information about a domain: its IP addresses (A and AAAA records), where email for the domain should be delivered (MX records), which certificate authorities may issue TLS certificates for it (CAA records), and free-form text such as SPF, DKIM and DMARC data (TXT records).
Importance of DNS records in email security
Email security is a significant concern in contemporary digital life—fraudulent emails, phishing scams, and spoofed messages are just some potential threats. One way that DNS records can reinforce your email security is by providing validation. When other servers receive messages claiming to come from your domain, they can consult your DNS records to check whether the message really originates from a source you authorized.
Four DNS-published mechanisms directly contribute to email security: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and Pointer (PTR) records. Strictly speaking, SPF, DKIM and DMARC are policies and keys published in ordinary TXT records (a dedicated SPF record type once existed but was deprecated by RFC 7208); only PTR is a record type of its own.
SPF records
Sender Policy Framework (SPF) is a DNS-published policy that helps prevent email spoofing, a common technique used in phishing attacks. An SPF record lists the servers authorized to send email on behalf of your domain. When an email is received, the receiving server looks up the SPF record of the domain in the SMTP envelope sender (MAIL FROM) and checks whether the connecting IP address is authorized. If it is not, the result is fail or softfail depending on the qualifier at the end of the record, and the message may be marked as spam or rejected outright. Note that SPF checks the envelope sender, not the From: header the user sees; tying those two together is DMARC’s job.
Setting up SPF records
SPF configuration involves adding a TXT record at the apex of your domain. The simplest version is “v=spf1 mx -all”, meaning only the hosts in your MX records may send email for your domain and everything else should fail. If you use third-party services such as email marketing platforms, their servers must also be listed, usually by adding the include: mechanism the provider documents, for example “v=spf1 mx include:_spf.provider.example -all” (the include name here is a placeholder; use the one your provider publishes). Overlooking a sender causes SPF failures and your legitimate emails being marked as spam or phishing. Two caveats: a “~all” (softfail) ending is the gentler choice while you are still discovering all your senders, and RFC 7208 limits a record to 10 DNS-querying terms (include, a, mx, ptr, exists, redirect), counted recursively through every include; exceeding that limit yields a permanent error and the whole record is treated as unusable.
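To make the evaluation rules above concrete, here is a small SPF evaluator written for this post (it is an added example, not code from the original article or from any SPF library). It runs against a constructed, in-memory DNS table; example.com is the domain from the post, while _spf.mailer.example and loop.example are assumed names. It applies the qualifiers, follows include: terms, and enforces the 10-lookup limit; the ptr and exists mechanisms, redirect= and CIDR suffixes on a/mx are deliberately not supported.

```python
"""Offline SPF (RFC 7208) evaluator over a constructed DNS table.

Added example for this post; not the article's or any library's code.
"""
import ipaddress

DNS = {  # constructed stub of the resolver
    "TXT": {
        "example.com": "v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
        "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["192.0.2.25"]},
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class LookupLimit(Exception):
    """More than MAX_LOOKUPS DNS-querying terms were evaluated."""


def _evaluate(ip, domain, lookups):
    """Walk the record left to right; the first matching mechanism decides."""
    record = DNS["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=): ignored in this example
            continue
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.lower().partition(":")
        if name in ("a", "mx", "include"):  # terms that cost a DNS lookup
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise LookupLimit
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(str(ip) in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            sub = _evaluate(ip, arg, lookups)
            if sub in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"  # ran off the end of the record without an `all` term


def check_host(ip, domain):
    """SPF check_host(): result for a connection from `ip` whose MAIL FROM domain is `domain`."""
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except (LookupLimit, ValueError):  # ValueError: malformed address or ip4:/ip6: argument
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("192.0.2.99", "example.com"),
                    ("203.0.113.9", "example.com"), ("192.0.2.1", "loop.example")]:
        print(ip, dom, check_host(ip, dom))
```

The self-including loop.example record shows why the lookup limit matters: without it the evaluator would recurse forever, and with it the record simply becomes a permerror, which is how real receivers treat over-long SPF chains as well.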
DKIM records
DomainKeys Identified Mail (DKIM) adds a cryptographic layer. DKIM lets a sending server attach a digital signature to each outgoing email, covering a chosen set of headers and a hash of the body. The private key used to generate the signature stays on the sending server, while the public key is published as a TXT record in the sender’s DNS.
When an email is received, the recipient server fetches the public key named by the signature’s selector and domain from DNS and checks that the DKIM signature verifies over the signed headers and body. If it does, the message is known to be untampered since signing and to have been signed by whoever holds the private key for that domain. If it does not, the signature is treated as if it were absent, and whether the message is rejected or flagged as spam then depends on the receiver’s policy and on DMARC.
Implementing DKIM records
Configuring DKIM is slightly more complex, as it involves cryptographic keys. You first generate a key pair (RSA of at least 1024 bits, with 2048 bits recommended, or Ed25519 where your software supports it). The private key is installed on your mail server, which uses it to sign each outgoing email; the public key is published as a TXT record at <selector>._domainkey.<yourdomain>, with a value such as “v=DKIM1; k=rsa; p=<base64 public key>”. Mail servers and hosted email providers typically generate the pair for you and hand you the exact record to publish.
Remember that each selector (the name of a specific DKIM key) needs its own DNS record, and a mail system may have several in use at once: one per signing service, or an old and a new key during rotation. To rotate keys safely, publish the new selector’s record, switch signing to it, and only after mail signed with the old key has stopped circulating remove or revoke the old record (a record with an empty p= tag marks that key as revoked).
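The parts of DKIM that need no cryptography library can be shown in a few dozen lines, so here is an added example (written for this post, not taken from the article or from any DKIM implementation): building the selector lookup name, parsing a public-key TXT record that was split into several strings and detecting a revoked key, and computing the body hash (bh=) under the simple and relaxed canonicalizations of RFC 6376, which is the first thing a verifier checks and the step that catches a tampered body. The selector sel2023, the message text and the key material are constructed. Verifying the b= tag itself (the RSA or Ed25519 signature over the canonicalized headers) needs a library such as cryptography and is not performed here.

```python
"""DKIM (RFC 6376) key lookup, key-record parsing and body-hash checking.

Added example for this post; not the article's or any library's code.
"""
import base64
import hashlib
import re


def dkim_lookup_name(selector, domain):
    """Name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tag_list(text):
    """Parse a DKIM tag=value list (same syntax in the DNS record and the header).
    Folding whitespace inside values is dropped, as RFC 6376 section 3.2 allows."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # base64 padding '=' stays in the value
            tags[key.strip()] = "".join(value.split())
    return tags


def parse_key_record(txt_strings):
    """A key record longer than 255 octets is published as several TXT strings;
    join them before parsing. An empty p= tag means the key has been revoked."""
    tags = parse_tag_list("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    tags["revoked"] = tags.get("p", "") == ""
    return tags


def canonicalize_body(body, method="relaxed"):
    """Body canonicalization per RFC 6376 sections 3.4.3 and 3.4.4 (CRLF line endings)."""
    lines = body.split("\r\n")
    if method == "relaxed":  # squeeze runs of WSP to one space, strip trailing WSP
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method}")
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed"):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(dkim_signature_header, body):
    """First verification step: does the body still match the bh= that was signed?"""
    tags = parse_tag_list(dkim_signature_header)
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags["bh"] == body_hash(body, body_method)


# Constructed message and DKIM-Signature header value (b= left as a placeholder).
SAMPLE_BODY = "Invoice  attached.\r\nThanks,   Alice \r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;"
                 " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(dkim_lookup_name("sel2023", "example.com"))
    print("intact:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    print("tampered:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY.replace("Alice", "Mallory")))
```

Relaxed canonicalization survives the whitespace reflowing that mailing lists and some gateways perform, which is why most signers use c=relaxed/relaxed; under simple canonicalization the same reflow would invalidate the signature.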
DMARC records
Domain-based Message Authentication, Reporting & Conformance (DMARC) takes SPF and DKIM a step further. A DMARC record published in DNS tells receiving servers what to do when a message fails authentication, where “fails” means that neither SPF nor DKIM produced a pass whose domain aligns with the domain in the visible From: header. That alignment requirement closes the gap SPF leaves on its own: a spoofer can pass SPF for their own envelope domain and still fail DMARC for yours. DMARC offers three policy options: none, quarantine, or reject. It can also name addresses to receive aggregate reports (rua=) and per-message failure reports (ruf=). This not only helps ensure that your emails are trustworthy but also gives you feedback about potential issues.
Leveraging DMARC records
DMARC is built on top of SPF and DKIM; a message passes DMARC if at least one of the two passes with an aligned domain, so in practice you want both deployed. To create a DMARC record, add a TXT record named “_dmarc.yourdomain.com”. The simplest policy is “v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com”, which does not affect mail flow but starts collecting data. Once the reports show that all your legitimate mail passes SPF or DKIM with alignment, move the policy to “quarantine” and then to “reject” for maximum protection. Two further tags help with a staged rollout: pct= applies the policy to only a percentage of failing messages, and sp= sets a separate policy for subdomains (by default they inherit p=).
Remember, DMARC also allows you to specify addresses to receive aggregate reports (rua=), which are XML summaries of the sources sending email as your domain and how their messages fared, and failure reports (ruf=), which carry details of individual failing messages; relatively few receivers send the latter. These reports show who is sending email on behalf of your domain, enabling you to detect unauthorized or malicious activity and to find legitimate senders you forgot to authorize.
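The following added example (written for this post, not code from the article or from any DMARC implementation) shows how a receiver turns a DMARC record plus the SPF and DKIM outcomes into a verdict: policy discovery with the organizational-domain fallback for subdomains, strict versus relaxed identifier alignment, the sp= override and the pct= sampling rule. The records for example.com and pilot.example and the SPF/DKIM results fed in are constructed. Organizational-domain detection is simplified to the last two labels; a real verifier consults the Public Suffix List.

```python
"""Offline DMARC (RFC 7489) evaluation over constructed records.

Added example for this post; not the article's or any library's code.
"""

DMARC_TXT = {  # constructed: owner name -> TXT value
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r;"
                           " rua=mailto:dmarc-agg@example.com"),
    "_dmarc.pilot.example": "v=DMARC1; p=reject; pct=50",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT value and fill in the RFC 7489 section 6.3 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels): an assumption of this
    example, not PSL-accurate (co.uk-style suffixes would be wrong)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def find_policy(from_domain):
    """Return (policy, applies_to_subdomain). Look up the exact From: domain first,
    then fall back to its organizational domain."""
    txt = DMARC_TXT.get(f"_dmarc.{from_domain}")
    if txt is not None:
        return parse_dmarc(txt), False
    org = org_domain(from_domain)
    if org != from_domain.lower():
        txt = DMARC_TXT.get(f"_dmarc.{org}")
        if txt is not None:
            return parse_dmarc(txt), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, roll=0):
    """Return (dmarc_result, disposition); disposition is none, quarantine or reject.

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain is
    the d= of a signature that verified. `roll` (0-99) stands in for the random
    draw used by pct= sampling and is a parameter so results are reproducible."""
    policy, is_sub = find_policy(from_domain)
    if policy is None:
        return "none", "none"  # no DMARC record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    action = policy["sp"] if is_sub else policy["p"]
    if roll >= int(policy["pct"]):  # not sampled: apply the next less strict action
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action


if __name__ == "__main__":
    print(evaluate("example.com", "pass", "bounce.example.com", "fail", ""))
    print(evaluate("example.com", "fail", "attacker.example", "pass", "mail.example.com"))
    print(evaluate("news.example.com", "fail", "attacker.example", "fail", ""))
```

The second call above is the adkim=s case worth noticing: a DKIM signature by mail.example.com verifies fine, but under strict alignment it does not count for a From: of example.com, so the message is rejected. Switching adkim to r would accept it, which is why strict alignment is usually reserved for domains that sign exactly as the From: domain.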
PTR Record
The PTR (Pointer) record is another type of DNS record that has a crucial role in email server security. A PTR record resolves an IP address to a domain or hostname. This is the opposite of what an A record does, which is why it is sometimes referred to as a Reverse DNS record. Receiving mail servers commonly check that the connecting IP has a PTR record and that the name it points to resolves back to the same IP (forward-confirmed reverse DNS); a sending server without a valid PTR is frequently refused outright or scored as likely spam.
Setting up PTR records
Unlike the other records discussed here, PTR records are not managed in your domain’s DNS zone. They live in the reverse zone (in-addr.arpa for IPv4, ip6.arpa for IPv6), which is delegated to whoever holds the IP address block. Usually that means asking your Internet Service Provider or hosting/cloud provider to set them, or using the reverse-DNS setting in their control panel.
To set up a PTR record, the owner of the IP block creates a PTR record for the specific IP address in their reverse DNS zone. This record should point to your server’s fully qualified domain name (FQDN), and that FQDN should in turn have an A (or AAAA) record pointing back to the same IP address so that the forward and reverse lookups agree.
For instance, if your server’s IP address is 192.0.2.1 and the domain name is mail.example.com, the PTR record would look like this:
1.2.0.192.in-addr.arpa IN PTR mail.example.com.
This PTR record says that the IP address 192.0.2.1 is associated with the name mail.example.com. A receiving server that gets a connection from 192.0.2.1 looks up 1.2.0.192.in-addr.arpa, obtains mail.example.com, then resolves mail.example.com and expects 192.0.2.1 among the answers. It is also good practice for the name your server announces in its SMTP HELO/EHLO to be that same FQDN.
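Here is an added example (written for this post, not code from the article) that derives the reverse-zone name for both IPv4 and IPv6 addresses using Python’s ipaddress module and runs the forward-confirmed reverse DNS check described above against a constructed resolver table. 192.0.2.1 and mail.example.com are the post’s own values; 192.0.2.5, 192.0.2.9, 2001:db8::25 and the ISP hostname are assumptions, and the “generic PTR” heuristic at the end is this example’s own rule of thumb, not a standard.

```python
"""Reverse DNS naming and a forward-confirmed reverse DNS (FCrDNS) check.

Added example for this post; not the article's or any library's code.
"""
import ipaddress

# Constructed stub of the reverse zone (PTR) and the forward zone (A/AAAA).
PTR_RECORDS = {
    "1.2.0.192.in-addr.arpa": "mail.example.com",
    "5.2.0.192.in-addr.arpa": "mail.example.com",  # claims a name whose A record disagrees
    "9.2.0.192.in-addr.arpa": "192-0-2-9.generic.isp.example",  # ISP-assigned generic PTR
    "5.2." + "0." * 22 + "8.b.d.0.1.0.0.2.ip6.arpa": "mail.example.com",  # 2001:db8::25
}
FORWARD_RECORDS = {
    "mail.example.com": ["192.0.2.1", "2001:db8::25"],
    "192-0-2-9.generic.isp.example": ["192.0.2.9"],
}


def reverse_name(ip):
    """Owner name of the PTR record for ip: octets reversed under in-addr.arpa for
    IPv4, hex nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR target's A/AAAA records must include ip.
    Returns (status, hostname) with status 'confirmed', 'mismatch' or 'no-ptr'."""
    addr = ipaddress.ip_address(ip)
    hostname = PTR_RECORDS.get(addr.reverse_pointer)
    if hostname is None:
        return "no-ptr", None
    forward = {ipaddress.ip_address(a) for a in FORWARD_RECORDS.get(hostname, [])}
    return ("confirmed" if addr in forward else "mismatch"), hostname


def looks_generic(ip, hostname):
    """Heuristic (an assumption of this example, not a standard): a PTR that merely
    encodes the address, e.g. 192-0-2-9.generic.isp.example, is typical of
    unconfigured hosting ranges and is treated with suspicion by many receivers."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    digits = "".join(str(addr).split("."))
    return digits in "".join(c for c in hostname if c.isalnum())


if __name__ == "__main__":
    for ip in ["192.0.2.1", "192.0.2.5", "192.0.2.9", "192.0.2.200", "2001:db8::25"]:
        status, host = fcrdns(ip)
        print(f"{ip:15} {reverse_name(ip)} -> {status} {host or ''}",
              "(generic)" if host and looks_generic(ip, host) else "")
```

The 192.0.2.5 case is the one to watch for when you request a PTR: the reverse record is in place but the forward A record was never added, so the check fails exactly as it would at a real receiver. Run the same three lookups with dig (dig -x, then dig A on the answer) against your own outbound address before putting a new mail server into service.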
Conclusion
Email security is a crucial component of any robust cybersecurity strategy, and DNS records play a vital role in ensuring the integrity and authenticity of email communications. The correct implementation of SPF, DKIM, DMARC, and PTR records can greatly reduce the risk of email spoofing and phishing attacks, enhancing your email security posture. Regularly reviewing and updating these DNS records, as part of a comprehensive email security policy, can help keep your communications secure and trustworthy.