Dec 21, 2015

Why you shouldn’t be afraid to insert email authentication into your DNS

iStock-836547384-920×517-c-default

The Domain Name System is one of the core services on the Internet. It’s not much of an exaggeration to state that if DNS is down, the Internet is down. For some organizations, such as Internet service providers, a DNS outage can make for very, very bad press. Even in an enterprise network, an outage can be very expensive in time and money.

This has understandably made many people very hesitant to touch anything related to DNS.

For those who don’t work with it every day, DNS can seem like ‘dark art’: something that is very complicated and takes special knowledge to make it work properly. This perception makes newcomers very nervous about making any changes to DNS because they are afraid of breaking something. Once DNS is set up, people do not want to touch it, just in case their change causes a problem.

We also see many cases where the person who originally set up the DNS is no longer with the company and the people that take on the responsibility do not have the in-depth knowledge to feel confident making changes to the existing system.

In reality, there are two sides to configuring DNS, the complicated and the simple. In the complicated column would be setting up services such as DNSSEC which uses a public/private key configuration to cryptographically sign DNS responses. This requires a great deal of operational knowledge to get right and is not widely deployed.

Luckily, email authentication changes are nowhere near as complicated and can be made with no risk of impacting other systems that rely on DNS.

Where does email authentication come in?

There are two aspects to email services in DNS: mail server locations and email authentication configuration. Mail server location services (known as MX records) provide details for anyone looking for the email servers for an organization. Configuring these records is straightforward but is not required when configuring email authentication.

Modern-day email authentication consists of three main protocols: Sender Policy Framework (SPF)DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Each of the three standards relies on DNS to work.

For more on the nitty-gritty of these standards, check out our FAQ on DMARC for ESPs.

Determining the contents of the DNS updates can be time-consuming, but services like Valimail make this easy. And once you have determined the correct contents for them, adding the records to DNS is a very straightforward process.

DMARC, SPF and DKIM configuration is done using text (TXT) records in DNS. Text records are a way to associate additional information, in this case security information, with a DNS record. Each has a separate function and format but the DNS changes are the same.

One important thing to note about inserting email authentication records into DNS: It will not break resolution of any other services. Services such as web servers, accounting systems, etc. typically involves use of Address (A or AAAA) records, and email requires mail exchange (MX) records. Configuring email authentication does not touch these types of records.

Email authentication is performed using TXT records. Any service that is not performing email authentication will ignore this data.

In short, even if the authentication-related TXT records don’t work, you won’t hurt any other services.

Also, remember that it is best practice to start authentication in monitoring mode. That way, even if you get the email authentication TXT records wrong, the worst that will happen is that emails will continue to be delivered as before, just without being authenticated. Monitoring mode allows you to test that the configuration is correct without affecting mail delivery and should always be the first step.

Inserting email authentication is not difficult

Hopefully this blog has given you more confidence about making changes to DNS for email authentication. If you are adding records to support email authentication capabilities, you can feel confident that inserting these records into DNS is not difficult — and you are not going to break other systems.

For more information on how Valimail can simplify email authentication via DNS, please visit www.valimail.com.

Subscribe to our newsletter