Spoofed email - how to avoid them

Hi

I’d like to understand how to configure my own server to never get e-mails from an account at my own domains.
So if my domain is @jader.my nobody can send any e-mail saying they are me@jader.my (or should use authentication to do it!).
I have configured SPF and DMARC (not sure about DKIM), but nothing stops spammers.
I don’t care if they can send e-mails to anyone else saying they are myself, but MY OWN SERVER should never accept that kind of e-mail (neither should ANY really well configured e-mail server).
If I say via SPF who can send e-mail, any receiving SMTP should say SORRY, CANNOT GET EMAIL from you, you FAILED the SPF test.
We need to tightly configure the SMTP server to not allow bad guys to spoof e-mails.
If someone else is misconfigured that’s someone else’s problem, I just cannot get them anymore!

Can someone help me to get a REALLY TIGHT configuration of SMTP on NS7?

Regards,

Jáder

2 Likes

If someone sends someone else’s mail with your domain name in the sender’s name, this does not mean that they have sent it from your mail server. He is just trying to create the impression and thus deceive the recipient.

However, you cannot effectively prevent this. You can try to instruct the receiving servers to treat mails that do not really come from your server as junk. SPF is the key to this, and DMARC/DKIM/DNSSEC/DANE increase the authenticity of your server.

Some links:

https://dane.sys4.de
https://dane.sys4.de/common_mistakes

4 Likes

Hi Marko

Thanks for your answer, and sorry for my delay in answering you.
I’m aware I cannot make others comply with my way of thinking.
I’m looking for BEST PRACTICES to implement on my own NS7 to get maximum security on my e-mail server.
I wish to never receive an e-mail from @my-own-domain when it comes from a non-authenticated user.
I wish my SMTP would never accept a connection from someone else saying it has e-mails from @my-own-domain to deliver.
I want to make my own server respect SPF, DKIM, DMARC and any other best practices for my own domain and all other domains.
So if someone-else-domain publishes SPF, I’d like to verify and comply with the “~a” or “-a” option from the SPF record. The same for all other options (DMARC, DKIM, …)
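
The SPF qualifier handling asked about in the last post, as an added example that is not part of the thread and not NS7's own code: it shows how the `-` and `~` prefixes in a published record turn into a fail or softfail result for a connecting IP, and how a receiver could act on that result. The function names, the sample record, the addresses and the `smtp_action` policy are assumptions made for illustration; only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# SPF qualifier prefix -> result (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Check the connecting IP against a simplified SPF record.

    Only ip4:, ip6: and all are handled; terms that need DNS lookups
    (a, mx, include, ...) return "unsupported" instead of a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]      # catch-all: "-all" or "~all"
        if name.lower() not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"                # malformed address in record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched, no "all"

def smtp_action(result, sender_domain, local_domains, authenticated):
    """Hypothetical receiver policy (an assumption, not a server default)."""
    if authenticated:
        return "accept"                       # submission by a logged-in user
    if result == "fail":
        return "reject"                       # "-" qualifier: hard fail
    if sender_domain in local_domains and result != "pass":
        return "reject"                       # own domain, unauthenticated
    if result == "softfail":
        return "tag"                          # "~" qualifier: mark as suspect
    return "accept"

if __name__ == "__main__":
    record = "v=spf1 ip4:192.0.2.10 -all"     # constructed sample record
    for ip in ("192.0.2.10", "203.0.113.5"):  # documentation-range addresses
        res = evaluate_spf(record, ip)
        print(ip, res, smtp_action(res, "jader.my", {"jader.my"}, False))
```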