I'm considering writing a zine about owning a domain! (DNS! registrars! certificates! TLS! HSTS! MX records!). What questions do you have about domains? Will try to answer as many as I can.
234
159
2,319
Conversation
This Tweet was deleted by the Tweet author. Learn more
Also really worth noting that email has no authenticated encryption without setting up MTA-STS and/or DANE TLSA records. Other email servers can't validate your server's certificate without doing this. Ideally, set up both, since many servers only use one of these to validate.
1
Google only uses MTA-STS. Many email servers in Europe use DANE. There's not much overlap where both are used.
Setting up an email server securely where you have authenticated encryption for inbound + outbound along with anti-spoofing for inbound + outbound is far from trivial.
1
1
As a great example of the difficulty in doing it, Google still uses DMARC p=none for gmail.com due to backwards compatibility concerns over broken email setups. That means sending spoofed emails as *@gmail.com works. Can be detected as likely spoofed but is allowed.
1
It's not trivial even if you're outsourcing to another provider. You still have to set up SPF, DKIM, DMARC, MTA-STS, DNSSEC and ideally TLSA records. Email security heavily depends on DNS security even if you don't use DANE. Can set it up securely, but most other servers won't.
1
1
Pass internet.nl/test-mail/ for baseline email server security including authenticated encryption & anti-spoofing for mails sent from your domain.
Check hardenize.com for MTA-STS so Google can you send mail securely.
sparkpost.com/email-tools/au to check SPF/DKIM/iprev.
1
1
Not checked by those: MTA-STS enforcement for outbound mail (send mail to Google securely) and DMARC for inbound mail to prevent sending spoofed emails from domains with enforcing DMARC.
Further things to worry about, like not letting users send email as others if multi-user.
This Tweet was deleted by the Tweet author. Learn more
Replying to
It already has one. It's not clear why you think you "need" that app and it supports forwarding to a proxy.
It also doesn't seem relevant to this thread.