OK, here’s the deal: All of a sudden, you cannot send or receive external mail with Exchange. This topic is one that comes up very often on the Microsoft forums and forums for other platforms. What’s going on? Too often it’s because your IP has become blacklisted. How can this happen? Well, Exchange admins set up an Exchange server but sometimes fail to ensure the server is locked down and all records are in place. Does this mean they don’t know what they are doing? No, it is just a simple reminder that rushing to get email up and running and not taking into consideration a few guidelines to ensure you as a business are not attacked or hijacked. If this happens, your IP can become blacklisted and mail flow may cease. (More on that later.)
First, let’s look some records you need to get in place to avert this kind of disaster.
- MX records
- SPF records
- DMARC records
- DKIM records
Besides those records, you also need to decide how to route your email. Will it be:
- With a smart host (provided by an ISP)
And then you need to lock down your firewall to allow only allow mail from your ISP to your Exchange server and vice versa. Yes, there are a few more steps to ensure that you have stopped guys hijacking your server and using it to relay or having your IP blacklisted.
Why is your IP blacklisted?
Before I touch on the above, the big question always comes up: “How can my IP be blacklisted.” Well, it’s simple. User A brings a memory stick and plugs it into a machine after being at an Internet cafe the previous day or lent it to someone to download movies and ended up with malware or viruses that infect your network. The malware gets into your system and starts mailing spam (or worse) and all this unsolicited mail then gets your IP into trouble with the likes of Spamhaus, Barracuda, and others.
Your IP reputation is now down the drain and this is often hard to recover from. And this leads me to the records above and what they do to prevent your system from being taken over:
MX records: This tells the Internet that if you want to send mail to Domain A then use this record.
SPF records: SPF stands for Sender Policy Framework. This helps with domain spoofing where somebody tries to impersonate your domain and send mail. SPF nowadays is kind of not enough though as the Internet has become a “dangerous place” with these people looking to use your domain to send out spam and also scam the company out of money. SPF records are TXT records that look like this: v=spf1 a mx ip4:XXX.XXX.XXX.XXX include:_spf.domain.com ~all
We not going to cover what each option does but generally, people use the softfail option and others use the hardfail option. It depends on the needs of the company.
DMARC records: Today, you need to have this additional record in place along with SPF. Think of DMARC as the police officer inspecting the mail and not just allowing it through the system. DMARC reduces spam, phishing, and spoofing as it uses a set of policies. Take note that you do need to have an SPF record in place before setting up DMARC. Here is a sample of what a DMARC record looks like this: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaste[email protected]
DKIM records: DomainKeys Identified Mail is a record used to validate the authenticity of email messages. How is this done? When an email is sent it is signed using a private key and then it is validated with a public key on the recipient’s side. DKIM is also a TXT record that you need to create, just like the SPF and DMARC.
Now let’s take a look at how mail is sent. You can send mail using DNS. This means you have to have records in place externally so mail can route. It does a check/query for the recipient’s mx record and then sends the email straight to their server. If your system is compromised or if you have viruses or malware, then places like Google, Yahoo, and others will not accept your email and you will end up with large queues of bounced-back mail.
Sending mail using a smart host, your ISP will provide you with a DNS record that you can point to. This can be Mimecast, Spam Experts, Symantec, and others and each one has a record for mail.
This means that your Exchange server will send mail to one of the ISPs and then they will deliver the email to its destination. They will also filter mail so if you are sending stuff out that shouldn’t be sent it will be blocked. What do I mean? The CIO might have certain keywords defined or financial mail destined for a CFO checked for validity.
As an example, Symantec will block all the junk mail like newsletters or the infamous email that you have won the lottery or you have a dead cousin from four generations and you are set to inherit millions. Those kinds of emails are high risk to the business and can cause serious damage if they get through.
Lastly, let’s look at internal applications and mass mailing. Generally, you do not want your send connector open to allow everything. If you have an internal application like CRM or an internal app for your company, you will want to create a send connector and lock it down to just that application to avoid emails just being sent out. Fiddling with the receive connectors is not a good idea and best practice is to leave them as-is and create dedicated ones.
Mass mailing, of course, does not mean you are sending out spam. It can be bulk invoices for shipping or invitations if you are an events company. This should also be controlled and can be done with a server running IIS SMTP service so you can first, put in a username and password and also limit the amount of email going out per hour so you don’t end up with your IP being blacklisted.
Broken records mean broken mail
When it comes to email today, take the time and get those records set up. Speak to your ISP about only allowing mail from a certain set of IPs and ensure your SPF records are up-to-date, especially when you add more IPs to send mail. Having all this in place does not mean it is foolproof, it just means that you have that extra layer of security to keep the rubbish out.
Featured image: Pixabay