Re: EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Karl Lovink via bind-users
Hi,

We (Arnold Holzel and I) gave a talk about SPF (with macros), DKIM, DMARC and 
MTA-STS during Black Hat USA two weeks ago. The slides contain example DNS 
records you can use. Also a link to a Splunk app to get insight into whether 
your domains are abused.
 Link: 
https://i.blackhat.com/USA-19/Thursday/us-19-Hoelzel-How-To-Detect-That-Your-Domains-Are-Being-Abused-For-Phishing-By-Using-DNS.pdf

Sincerely yours,
Karl 

> On 19 Aug 2019, at 18:56, Dean Eckstrom  wrote:
> 
> 
> You might also want to set a DMARC Policy record with appropriate 'rua' and 
> 'ruf' email reporting addresses.  
> 
> rua and ruf depend on remote mail centers being willing to send you this 
> information (which is not always consistently done).  Yet the reports might 
> provide occasional feedback if you are actually being spoofed. It's additional 
> information that normally you wouldn't be able to 
> get (https://tools.ietf.org/html/rfc7489).
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users




Re: EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Dean Eckstrom
You might also want to set a DMARC Policy record with appropriate 'rua' and 
'ruf' email reporting addresses.


rua and ruf depend on remote mail centers being willing to send you this 
information (which is not always consistently done).  Yet the reports might 
provide occasional feedback if you are actually being spoofed. It's additional 
information that normally you wouldn't be able to 
get (https://tools.ietf.org/html/rfc7489).




Re: EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread m3047

Hi,

I would think declaring SPF as you say is the right course of action.

I would consider setting up DMARC as well. Whether it's your intention or 
not, if you set up DMARC (a way for people to report mail claiming to be 
from you) you've essentially created a honey pot; maybe somebody will be 
happy to take those DMARC-instigated reports from you.


On Mon, 19 Aug 2019, Ignacio García wrote:
> I have to set up dns records for a domain just for a web site, for which we 
> will NEVER send emails (though we might receive some from old customers), so 
> I would like to announce somehow that emails sent from this domain should 
> always be disregarded.

Outgoing mail should be disregarded.

> I was thinking of setting just A and AAAA records for 
> @ and www, NS records, MX records (for receiving)

Incoming mail should be received.

> and SPF with a record just 
> consisting of v=spf1 -all  , not declaring an A and MX records at all.

Contradicts earlier assertions.

--

Fred Morris


Re: EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Matus UHLAR - fantomas

On 19.08.19 15:01, Ignacio García wrote:
> I have to set up dns records for a domain just for a web site, for 
> which we will NEVER send emails (though we might receive some from old 
> customers), so I would like to announce somehow that emails sent from 
> this domain should always be disregarded. I was thinking of setting 
> just A and AAAA records for @ and www, NS records, MX records (for 
> receiving) and SPF with a record just consisting of v=spf1 -all  ,
> not declaring an A and MX records at all.

above you said you will declare A/AAAA records...

> I'm not sure at all this is a 
> proper way of declaring this. In fact, what I would like is to 
> EXPLICITLY mention somehow that we will never send emails from that 
> domain. Could anybody help me with this?

Note that when you point A and AAAA records for the domainname, people may
try to send mail to/from the domain name (the implicit MX points to those
addresses). 

To avoid this, you can point the MX for the domain to ".", some MTAs
understand this as "this domain doesn't provide mail service".

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
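
[Added example, not part of any message in this thread: a small Python audit of the three settings discussed above (SPF "v=spf1 -all", a DMARC record with rua/ruf, and the MX situation including the "." null MX). The function names, the sample zones and the choice of p=reject as the expected policy are assumptions made for illustration.]

```python
# Added example: audit constructed DNS data for a domain that never sends mail.
# Record syntax follows RFC 7208 (SPF), RFC 7489 (DMARC) and RFC 7505 (null MX).

def parse_tags(txt):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_non_sending(domain, zone):
    """zone maps (owner, rtype) -> list of rdata strings.
    Returns (findings, reception); reception says how inbound mail is routed."""
    findings = []
    spf = [t for t in zone.get((domain, "TXT"), [])
           if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("spf: need exactly one v=spf1 record, found %d" % len(spf))
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("spf: must be exactly 'v=spf1 -all', got %r" % spf[0])

    dmarc = [t for t in zone.get(("_dmarc." + domain, "TXT"), [])
             if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("dmarc: need exactly one v=DMARC1 record, found %d" % len(dmarc))
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":  # assumption: strictest policy wanted
            findings.append("dmarc: p=%s, expected reject" % tags.get("p"))
        for tag in ("rua", "ruf"):
            if not tags.get(tag, "").lower().startswith("mailto:"):
                findings.append("dmarc: no mailto: address in %s" % tag)

    mx = zone.get((domain, "MX"), [])
    if [m.split() for m in mx] == [["0", "."]]:
        reception = "null-mx"       # domain declares it accepts no mail
    elif mx:
        reception = "explicit-mx"
    elif zone.get((domain, "A")) or zone.get((domain, "AAAA")):
        reception = "implicit-mx"   # senders fall back to the address records
    else:
        reception = "none"
    return findings, reception

# Constructed sample data (documentation names and addresses only).
GOOD = {("example.com", "A"): ["192.0.2.10"],
        ("example.com", "MX"): ["10 mail.example.com."],
        ("example.com", "TXT"): ["v=spf1 -all"],
        ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; "
            "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"]}
WEAK = {("example.org", "A"): ["192.0.2.20"],
        ("example.org", "TXT"): ["v=spf1 a -all"]}
```

[An "explicit-mx" result matches the case in this thread where the domain still receives mail; "null-mx" is only appropriate when it should receive none.]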


EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread Ignacio García

(Sorry, there was a typo in the original message)

Hi there.

Thanks for your support. First message to the list, sorry if already 
posted a similar question, but I haven't found mention anywhere.


I have to set up dns records for a domain just for a web site, for which 
we will NEVER send emails (though we might receive some from old 
customers), so I would like to announce somehow that emails sent from 
this domain should always be disregarded. I was thinking of setting just 
A and AAAA records for @ and www, NS records, MX records (for receiving) 
and SPF with a record just consisting of v=spf1 -all  , not declaring an 
A and MX records at all. I'm not sure at all this is a proper way of 
declaring this. In fact, what I would like is to EXPLICITLY mention 
somehow that we will never send emails from that domain. Could anybody 
help me with this?


Thanks so much in advance.

Ignacio
