Hetzner - DokuWiki



Mail security

In this article, you can learn how to make various settings on your konsoleH account to improve the security and integrity of your mail domain. First and foremost, it is important to prevent spammers from using your domain to send emails with fake sender addresses. DKIM and SPF records are two mechanisms that you can use to protect the authenticity of your emails.

DKIM - DomainKeys Identified Mail

DKIM is an identification protocol for ensuring the authenticity of email senders. When you use it, a digital signature based on asymmetric cryptography (a private/public key pair) is attached to all your outgoing emails, and the receiving mail server can check and validate that signature. This makes it possible to determine whether an email was actually sent from your domain and has not been altered by third parties in transit.

How does DKIM work?

To sign your emails automatically, you need a key pair consisting of a private and a public key. The private key is stored on the mail server and used to create the digital signature of your emails. The public key is published in the domain name system for your domain and can be retrieved by all receiving mail servers to verify the signature. The signature can be used not only to verify that an email has actually been sent from your domain, but also that it has not been altered by third parties in transit.

How does DKIM differ from other methods like PGP and S/MIME?

In contrast to PGP and S/MIME, DKIM works on a domain basis, meaning all of your domain's sender addresses are validated. It does not validate individual senders or identities. In addition, both signing and verification take place directly on the respective mail servers and not in mail clients, so you do not need any additional plugins to use DKIM.

Activating DKIM for your domain

When you click on "Activate DKIM", konsoleH automatically generates a new key pair for your domain and stores the private key on the mail server. In addition, you must store the public key on the name servers responsible for your domain. If you use the konsoleH name servers, this key can be stored automatically in some cases. In all other cases, the TXT record will be displayed, or you can view it by going to "Advanced settings".

Entering the public key in the domain name server

If it is not possible to store the DKIM record for your domain automatically (for example, because you are using external name servers), a TXT record will be displayed after installation. (You can also view it at any time on konsoleH by going to "Advanced settings"). You must store the TXT record on the name servers responsible for your domain. The record should look something like this:

 default_1707._domainkey IN TXT

Note: The above example is a TXT record that has been divided into several character strings. Usually, it should be possible to store this directly in the zone file. But with some name servers, you may need to use a different format. If necessary, please contact the operator of your DNS service.
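As an added example (not konsoleH's own code), the following Python builds such a DKIM public-key record and splits it into the character strings the note refers to, then reassembles and parses it the way a verifying mail server would. The key bytes, the domain example.net and the TTL are constructed placeholders; only the selector default_1707 is taken from the record above.

```python
import base64

# Constructed stand-in for a DER-encoded RSA public key (SubjectPublicKeyInfo).
# A real record carries the key exported from your key pair; these are dummy
# bytes of a realistic length (294 bytes, like a 2048-bit RSA key).
FAKE_PUBLIC_KEY_DER = bytes((i * 7) % 256 for i in range(294))

MAX_TXT_STRING = 255  # one character string in a TXT record holds at most 255 bytes


def dkim_txt_strings(public_key_der, key_type="rsa"):
    """Build the DKIM record value and split it into TXT character strings.

    Resolvers concatenate the strings again, so the split may fall anywhere,
    including inside the base64 key data.
    """
    value = f"v=DKIM1; k={key_type}; p={base64.b64encode(public_key_der).decode()}"
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def dkim_zone_line(selector, domain, strings, ttl=3600):
    """Render the record in zone-file syntax at <selector>._domainkey.<domain>."""
    quoted = " ".join(f'"{s}"' for s in strings)
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT {quoted}"


def parse_dkim_record(strings):
    """Join the TXT strings and parse the tag=value list a verifier reads.

    Returns the tag dict; raises ValueError if the record is not usable.
    """
    tags = {}
    for item in "".join(strings).split(";"):
        if item.strip():
            name, _, val = item.strip().partition("=")
            tags[name.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional but must be DKIM1 if present
        raise ValueError("not a DKIM1 record")
    if not tags.get("p"):
        # An empty p= tag means the key has been revoked; signatures must not verify.
        raise ValueError("public key missing or revoked")
    base64.b64decode(tags["p"], validate=True)  # key data must be well-formed base64
    return tags


if __name__ == "__main__":
    parts = dkim_txt_strings(FAKE_PUBLIC_KEY_DER)
    print(dkim_zone_line("default_1707", "example.net", parts))
    print(parse_dkim_record(parts)["k"])
```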

Can I use my own key pair?

Yes, this is possible. Click on "Generate new key" under "Advanced settings" and simply overwrite the automatically generated key pair with your own keys on the page that appears. Make sure that the private key is not protected by a password.

How do I change a key?

First create a new key pair under "Advanced settings" -> "Create new key". Then assign a suitable "selector" (key name) and click on "Save key". Now open "Advanced settings" again, select the new key using the selector, and click on "Update key". That way, the private key will be saved on the mail server. Please do not forget to store the public key in the DNS! (See "Entering the public key in the domain name server").

SPF - Sender Policy Framework

SPF is a method to prevent the forgery of sender addresses. An SPF record is stored in the domain name system for your domain; it defines the mail servers responsible for your domain. The receiving mail server can then check whether an email was actually sent by a mail server authorized for your domain.

Note: When using the konsoleH name servers, a standard SPF record is automatically stored for your domain.

How do SPF records work?

An SPF entry is just a TXT record in which the mail servers responsible for your domain are listed. You can store individual IP addresses, entire address ranges, and host names in SPF entries. In the simplest form, the entry refers to addresses that are already stored in your zone file, such as all A (IPv4 address) records or MX (mail exchange) records.

Entering the SPF record in the DNS

If you use the konsoleH name servers, you can store the created SPF record directly in the zone file. If you use external name servers, you must store the displayed TXT record on those servers. If necessary, please contact the operator of your DNS services.

Possible issues with SPF records

Under certain circumstances, using SPF records can cause problems if emails for your domain are sent by mail servers that are not listed in the record. This is often the case, for example, with mailing lists that may send and forward emails on your behalf. If you run into issues, you have to add the corresponding address ranges here or, if necessary, not use SPF at all. In addition, be very careful when entering fixed IP addresses: after a server migration, for example, such an entry can silently become invalid. It is therefore smart to refer to the A or MX records as a general rule. This will help make sure your SPF record stays up to date.
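To make the two points above concrete, here is an added example (not konsoleH's code) of a simplified SPF evaluator over constructed zone data: it handles the a, mx and ip4 mechanisms described here, and migration_demo shows why referring to A records survives a server move while a fixed address would not. The domain example.net, the host names and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed zone data standing in for live DNS (documentation addresses, not a real setup).
ZONE = {
    "example.net": {"A": ["192.0.2.10"], "MX": ["mail.example.net"],
                    "TXT": ["v=spf1 a mx ip4:198.51.100.0/24 -all"]},
    "mail.example.net": {"A": ["192.0.2.25"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone):
    return zone.get(name, {}).get(rtype, [])


def spf_check(domain, sender_ip, zone=ZONE):
    """Evaluate the domain's SPF record for the connecting IP address.
    Covers only the a, mx, ip4 and all mechanisms (no include/redirect,
    no CIDR suffix on a/mx, no DNS lookup limit)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT", zone) if t.split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:            # none or several SPF records: no policy to apply
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":            # any A record of the domain (or of the named host)
            matched = str(ip) in lookup(arg or domain, "A", zone)
        elif mech == "mx":           # any A record of any MX host of the domain
            matched = any(str(ip) in lookup(mx, "A", zone)
                          for mx in lookup(arg or domain, "MX", zone))
        else:
            matched = False          # unsupported mechanism: treated as non-matching
        if matched:
            return RESULT[qualifier]
    return "neutral"                 # nothing matched and no "all" term


def migration_demo():
    # After a server move only the A record changes: the old address now fails,
    # the new one passes via "a" without any edit to the SPF record itself.
    moved = dict(ZONE)
    moved["example.net"] = {**ZONE["example.net"], "A": ["192.0.2.11"]}
    return spf_check("example.net", "192.0.2.10", moved), spf_check("example.net", "192.0.2.11", moved)
```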

© 2019. Hetzner Online GmbH. All rights reserved.