Outbound Email Security – Part 1 – SPF
September 4, 2015
Email, as a technology, has been around for longer than “The Web”. While one often hears about security for the web (in the form of encryption, Tor, etc.), rarely do people discuss email security. As with any technology, there are many areas to “secure”; however, this series will focus on outbound email security as it relates to anti-spam and anti-phishing. There are three key technologies in play: SPF, DKIM, and DMARC, so this will be a three-part series. We’re going to be covering both the “How” (to set it up) along with the very important “Why” (you should set it up). Today we’re starting with Sender Policy Framework, or SPF.
AWS SES + Postfix + DKIM
May 28, 2013
For the last year or so I’ve been using SendGrid to relay all emails coming from my server. I don’t send a lot of emails through the system; it’s mostly notifications from the blog and a few related automated messages. While I like the paid version of SendGrid (which I’ve used at work), the free version is lacking a few features and includes an unsubscribe link on emails, which is really annoying. I decided to mix things up a bit and give Amazon Simple Email Service (AWS SES) a shot. Along with SES I wanted to configure all my mail to be signed with DKIM, on my server. I hope the internet continues to allow the anonymity it currently does, but that comes with a price (because people are abusive bastards), and that price is trust. DKIM is like trust, for email!
Gmail thinks “This message may not have been sent by...” you
June 29, 2011
Yesterday, Google rolled out a new feature in Gmail which warns you when it isn’t sure who the email was sent by. This warning isn’t due to some confusion on the server side; this issue is because Google wants to force more people to use SPF records and DKIM signatures. Both of these are good technologies to use (I personally have them both enabled), but I worry about Google’s move to “force” this… and how it will affect users.