Rule n° 217 - The email domain is authenticated
Emails sent to users are crucial to the quality of the online experience. It is therefore important to ensure that they actually arrive, that they do not end up in spam folders, and that the mail servers associated with the website or application are considered trustworthy throughout the entire chain of transmission and reception. To achieve this, the sending domain must be correctly authenticated, so that receiving servers can tell legitimate mail from mail forged in the domain's name.
Goal
- Protect users from fraudulent or spoofed emails,
- Improve the deliverability of legitimate emails (newsletters, confirmations, alerts),
- Strengthen the reputation and reliability of the sending domain,
- Reduce the risk of emails being classified as spam,
- Comply with the requirements of major email providers,
- Monitor emails sent with the domain name.
Technical solution
For each domain used to send emails:
- SPF: Publish a TXT record at the domain's apex listing the servers (IP ranges or included domains) authorized to send mail for that domain, terminated by "-all" or "~all" so that any other sender fails the check.
- DKIM: Configure the mail server to sign outgoing messages with a private key, and publish the matching public key in the domain's DNS as a TXT record under <selector>._domainkey.<domain>.
- DMARC: Publish a TXT record at _dmarc.<domain> that defines a policy (p=none, quarantine or reject) for messages whose SPF or DKIM result does not align with the From: domain, and that specifies a return address for reports (rua= for aggregate reports).
Means of verification
For each domain used to send emails:
- Use DNS configuration testing tools (e.g., https://mxtoolbox.com, https://dmarcian.com),
- Check that the SPF, DKIM, and DMARC records are present and correctly configured (the SPF record ends with -all or ~all and stays within the limit of 10 DNS-querying terms; the DKIM key is published under the selector actually used for signing; the DMARC record names a reporting address),
- Analyze the headers of received emails (the DKIM-Signature header and the receiving server's Authentication-Results header) to confirm that signatures are applied and that SPF, DKIM and DMARC evaluate to pass,
- Ensure that the policies defined (particularly DMARC) are consistent with the site's sending practices: every legitimate sending service, including third-party providers such as newsletter or transactional-mail platforms, must be covered by SPF or by an aligned DKIM signature before the policy is tightened to quarantine or reject.
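The following script, added here as an example and not part of the original rule, performs the record checks described in the technical solution and the means of verification above on the three TXT records a sending domain must publish. It runs offline on constructed sample records for the assumed domain example.com and an assumed DKIM selector "mail"; a real audit would obtain the same strings from DNS (for instance with dnspython). It flags the misconfigurations a practitioner most often meets: an SPF record ending in "+all" or "?all", a deprecated "ptr" mechanism or more than 10 lookup terms, a revoked (empty) or testing-mode DKIM key, and a DMARC record that only monitors, applies to part of the traffic, or names no reporting address.

```python
"""Offline sanity checks for one domain's SPF, DKIM and DMARC TXT records.

Added example, not part of the original rule. Records are constructed samples
for the assumed domain example.com and assumed DKIM selector "mail"; fetching
them over DNS (e.g. with dnspython) is left out so the script runs offline.
"""
import re

DMARC_POLICIES = ("none", "quarantine", "reject")

def parse_tags(record):
    """Parse a 'tag=value; tag=value' list, the form used by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return findings for an SPF record at the domain apex ([] means fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1  # each of these costs a DNS query (RFC 7208 allows 10)
        if name == "ptr":
            findings.append("ptr mechanism is deprecated; list ip4/ip6 ranges or includes")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed 10; receivers return permerror")
    return findings

def check_dkim(record):
    """Return findings for a DKIM key record at <selector>._domainkey.<domain>."""
    findings, tags = [], parse_tags(record)
    if "p" not in tags:
        findings.append("missing p tag: no public key published")
    elif tags["p"] == "":
        findings.append("empty p tag means the key is revoked; signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y marks the key as testing; verifiers may ignore failures")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record at _dmarc.<domain>."""
    if record.split(";", 1)[0].strip() != "v=DMARC1":
        return ["DMARC record must begin with v=DMARC1"]
    findings, tags = [], parse_tags(record)
    policy = tags.get("p")
    if policy not in DMARC_POLICIES:
        findings.append("p tag missing or not one of none/quarantine/reject")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    return findings

def audit(domain, selector, records):
    """Check the three records of `domain`; `records` stands in for DNS answers."""
    targets = {
        "SPF": (domain, check_spf),
        "DKIM": (f"{selector}._domainkey.{domain}", check_dkim),
        "DMARC": (f"_dmarc.{domain}", check_dmarc),
    }
    report = {}
    for kind, (name, check) in targets.items():
        txt = records.get(name)
        report[kind] = check(txt) if txt is not None else [f"no TXT record at {name}"]
    return report

# Constructed sample answers; the DKIM p= value is a placeholder, not a real key.
GOOD_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8Aplaceholder",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net ptr +all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; t=y; p=",
    "_dmarc.example.com": "v=DMARC1; p=none; pct=50",
}

if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("weak", WEAK_RECORDS)):
        for kind, findings in audit("example.com", "mail", recs).items():
            print(f"[{label}] {kind}: {findings or 'OK'}")
```

The checks are deliberately syntactic: they do not resolve the include: targets, so the 10-lookup count only covers terms visible in the record itself, and they do not verify a signature. Confirming that messages are actually signed and that SPF, DKIM and DMARC evaluate to pass still requires reading the Authentication-Results header of a message received at an independent mailbox.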