MTA-STS and TLS-RPT are two mechanisms that go hand in hand. With MTA-STS (RFC 8461) we declare to other mail servers that they should only deliver mail to us over an encrypted connection: a TXT record at _mta-sts.<domain> announces that a policy exists (and, via its id, when it last changed), and the policy itself is fetched over HTTPS from mta-sts.<domain>. TLS-RPT (RFC 8460) lets those senders report back, to an address we publish in a _smtp._tls.<domain> TXT record, whenever a TLS connection to our mail servers fails.
It tells others that they shouldn't try to deliver mail to us if a secure TLS connection, with a certificate valid for one of our MX hostnames, can't be established to our mail servers. Unlike DANE, MTA-STS does not strictly require DNSSEC (that is exactly why the policy is served over HTTPS rather than from DNS), but in this series DNSSEC is configured first: a signed zone makes the DNS lookups that MTA-STS and TLS-RPT start from much harder to tamper with, so it's worth having in place before you go further.
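The sender-side half of MTA-STS is what makes the declaration above effective, so here is an added Python example (not code from the post) that parses a policy file, applies the MX matching rules from RFC 8461 (a leading "*." matches exactly one label) and decides whether a message may be delivered to a given MX. The sample policy, the example.com names and the id value in the comments are constructed for illustration.

```python
# Constructed sample policy, i.e. what a sender would fetch from
# https://mta-sts.example.com/.well-known/mta-sts.txt after seeing the DNS record
#   _mta-sts.example.com.  TXT  "v=STSv1; id=20230901T000000;"
# The matching TLS-RPT record (where failures get reported) would be
#   _smtp._tls.example.com. TXT  "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
# example.com and the id value are placeholders, not taken from the post.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 604800\r\n"
)


def parse_policy(text: str) -> dict:
    """Parse an MTA-STS policy file (RFC 8461 section 3.2) into a dict.

    Unknown keys are kept (senders must ignore them), repeated mx lines
    accumulate, and the required fields are validated before anything is
    returned, so a malformed policy is rejected rather than half-applied.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value

    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an active policy needs at least one mx entry")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 section 4.1 MX matching: an exact match, or a leading "*." that
    stands for exactly one DNS label, so *.backup.example.com matches
    mx1.backup.example.com but neither backup.example.com nor a.b.backup.example.com.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return label != "" and "." not in label
    return hostname == pattern


def should_deliver(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Sender-side decision for one MX candidate.

    tls_ok means STARTTLS succeeded and the certificate chained to a trusted
    root and was valid for mx_host. In testing mode a failure is still
    delivered (and reported via TLS-RPT); in enforce mode it is not.
    """
    if policy["mode"] == "none":
        return True
    mx_allowed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_allowed and tls_ok:
        return True
    return policy["mode"] == "testing"
```

Start with mode: testing and a TLS-RPT address so you see failures from real senders before switching to enforce; an MX that is not listed in the policy, or whose certificate does not match its hostname, is exactly what enforce mode will block.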
Moving on to the third article in our securing Email to stop spoofing series, we configure DMARC, or Domain-based Message Authentication, Reporting, and Conformance.
DMARC, defined in RFC 7489, is in simple terms an alignment test built on DKIM and SPF: a message passes if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From: header. The DMARC record then tells receivers what to do with messages that fail (none, quarantine, or reject) and where to send aggregate reports, so it's important that you first configure both SPF and DKIM.
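To make the alignment test concrete, here is an added Python example (not code from the post) that parses a _dmarc TXT record, applies strict or relaxed identifier alignment and returns the DMARC result and disposition for one message. The example.com record and addresses are constructed, and the organizational-domain helper is a deliberate simplification: it takes the last two labels, whereas a real receiver consults the Public Suffix List.

```python
# Constructed sample record, as it would appear at _dmarc.example.com
# (example.com and the report address are placeholders, not taken from the post)
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc.<domain> TXT record (RFC 7489 section 6.3) and fill in defaults.

    Only v= and p= are required; adkim= and aspf= default to relaxed ("r") and
    the subdomain policy sp= defaults to p=. An unparsable record means there
    is no DMARC policy at all, so raise rather than guess.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain: str) -> str:
    """ASSUMPTION / simplification: keep the last two labels.

    RFC 7489 section 3.2 derives the organizational domain from the Public
    Suffix List; this shortcut is wrong for names such as example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ("s") needs an exact
    match, relaxed ("r") only needs the same organizational domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, record_domain, from_domain, spf_result, spf_domain, dkim_results):
    """Return (passed, disposition) for one message.

    record_domain : the domain whose _dmarc record this is
    from_domain   : domain of the RFC5322.From header (what the user sees)
    spf_result    : "pass"/"fail"/... for the RFC5321.MailFrom identity spf_domain
    dkim_results  : list of (result, d= domain), one per DKIM-Signature header
    DMARC passes if at least one of SPF or DKIM both passed and is aligned.
    The pct= tag (apply the policy to a percentage of failures only) is ignored here.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, record["adkim"])
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return True, "none"
    # A From: exactly equal to the record's domain gets p=; a subdomain gets sp=
    same = from_domain.lower().rstrip(".") == record_domain.lower().rstrip(".")
    return False, record["p"] if same else record["sp"]
```

The spoofing case is the one to keep in mind: an attacker can make SPF and DKIM pass for a domain they control, but neither identifier aligns with the From: domain the recipient sees, so DMARC still fails and the published p= applies.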
Continuing with the second article in our securing Email to stop spoofing series, we take a look at DKIM, or DomainKeys Identified Mail, an email authentication method for detecting forgeries: it allows the receiving mail server to check whether an email that claims to have come from a specific domain actually did.
It does this by having the sender's mail server add a digital signature to each outbound message, as a DKIM-Signature header covering a chosen set of headers and a hash of the body; the receiver's mail server then looks up that domain's public key in DNS, at <selector>._domainkey.<domain>, and uses it to verify the signature.
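To show what a receiver actually recomputes, here is an added Python example (not code from the post) that parses a DKIM-Signature header, performs the simple and relaxed body canonicalization from RFC 6376, recomputes the bh= body hash and derives the DNS name of the public key. It stops short of checking the b= signature over the headers, which needs the public key from DNS. The message, selector, domain and the placeholder b= value are constructed for illustration.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed).

    Both methods drop every empty line at the end of the body. Relaxed also
    collapses runs of spaces/tabs inside a line to one space and strips trailing
    whitespace per line, so "Hello   world " hashes the same as "Hello world".
    Lines are assumed to be CRLF-terminated, as they are on the wire.
    """
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")

    body = body.rstrip(b"\r\n")          # remove all trailing empty lines
    if body == b"":
        # simple: an empty body becomes a single CRLF; relaxed: the empty string
        return b"\r\n" if method == "simple" else b""
    return body + b"\r\n"


def body_hash(body: bytes, method: str = "simple", length=None) -> str:
    """The bh= value: base64(sha256(canonicalized body)), truncated to l= if given."""
    data = canonicalize_body(body, method)
    if length is not None:               # l= tag: only the first l octets are hashed
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376 section 3.5).

    Folding whitespace is legal anywhere in the tag list and inside the base64
    of b= and bh=, so whitespace is removed from those two and stripped elsewhere.
    """
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, val = part.partition("=")
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    for required in ("v", "a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            raise ValueError(f"missing required tag {required}=")
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM version")
    return tags


def public_key_record_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(tags: dict, body: bytes) -> bool:
    """First check a verifier does: recompute bh= over the body it received.

    A mismatch is a PERMFAIL ("body hash did not verify") and the signature
    itself need not be checked at all.
    """
    if not tags["a"].endswith("-sha256"):   # rsa-sha256 or ed25519-sha256; rsa-sha1 is historic
        raise ValueError(f"unsupported algorithm {tags['a']}")
    canon = tags.get("c", "simple/simple")  # header/body; a missing body part means simple
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_method, length) == tags["bh"]


# Constructed sample message. The bh= below was produced with body_hash() so the
# example verifies offline; b= is a placeholder, not a real signature.
SAMPLE_BODY = b"Hello from example.com.\r\n\r\n\r\n"
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
    "\tb=PLACEHOLDERSIGNATURE"
)
```

The canonicalization step is why a signature survives mail servers that add or strip trailing blank lines, and why a single changed character in the body still breaks it.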
I kind of started this series off with my recent DNSSEC article, saying with tongue in cheek, "Now you can move on to properly securing your Email with SPF, DKIM, and DMARC". After some feedback, I now find myself starting a mini series. First up is SPF!
I am often asked why DNSSEC is such a PITA to implement. Well, if you had asked me this question ten years ago I'd have agreed, maybe even five years ago, as by then it was better but still convoluted, so I get why many are still hesitant to use it: it's DNS, and nobody wants to mess up DNS. But Bind, since version 9.16, makes it very easy; it's even at the set-and-forget stage, so enabling DNSSEC in 2023 is child's play.
The well-publicised GoDaddy outage on Sept 11 this year should be a huge wake-up call for everyone to find out just how well their network is really designed.
So, you have multiple data links to multiple carriers, redundancy, failover, the works, even a wireless/microwave link in case someone digs up the entire block, including your fibre. You've also got dual power supplies in your routers, switches, and servers, even redundant routers and switches; they are all fed from dual mains supplies, each with its own dedicated UPS and battery bank, both connecting to the grid by two separate, diverse paths, backed up by two generators.
You can go to bed tonight and sleep easy, can't you... Or can you?