{"id":5407,"date":"2024-10-17T23:54:26","date_gmt":"2024-10-17T21:54:26","guid":{"rendered":"https:\/\/www.lrob.fr\/?page_id=5407"},"modified":"2025-06-16T17:00:40","modified_gmt":"2025-06-16T15:00:40","slug":"security-and-email-standards","status":"publish","type":"page","link":"https:\/\/www.lrob.fr\/en\/doc\/e-mail\/securisations-et-normes-email\/","title":{"rendered":"Email security and standards"},"content":{"rendered":"<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Contents<\/h2><nav><ol><li class=\"\"><a href=\"#mx-serveur-de-reception-des-emails\">MX: Mail reception server<\/a><\/li><li class=\"\"><a href=\"#securite\">Email security<\/a><ol><li class=\"\"><a href=\"#helo\">FQDN, HELO, rDNS<\/a><\/li><li class=\"\"><a href=\"#spf-sender-policy-framework\">SPF (Sender Policy Framework)<\/a><ol><li class=\"\"><a href=\"#fonctionnement-de-spf\">How SPF works<\/a><\/li><li class=\"\"><a href=\"#regle-spf-de-l-rob\">LRob SPF Rule<\/a><\/li><li class=\"\"><a href=\"#erreurs-spf-courantes\">Common SPF errors<\/a><\/li><\/ol><\/li><li class=\"\"><a href=\"#dkim-domain-keys-identified-mail\">DKIM (DomainKeys Identified Mail)<\/a><ol><li class=\"\"><a href=\"#activer-dkim-via-plesk\">Activate DKIM via Plesk<\/a><\/li><\/ol><\/li><li class=\"\"><a href=\"#dmarc-domain-based-message-authentication\">DMARC (Domain-based Message Authentication)<\/a><\/li><li class=\"\"><a href=\"#les-blacklists\">Blacklists<\/a><\/li><\/ol><\/li><\/ol><\/nav><\/div>\n\n\n\n<p>The security and reception of emails are mainly ensured by <strong>DNS<\/strong> rules specific to your domain. 
These rules not only ensure that emails are received correctly, but also protect against spam and identity theft.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mx-serveur-de-reception-des-emails\">MX: Mail reception server<\/h2>\n\n\n\n<p>In order for your domain to receive emails, an entry of type <strong>MX<\/strong> must be present in the <a href=\"https:\/\/www.lrob.fr\/en\/doc\/dns\/dns-zone\/\">DNS zone<\/a> of the domain. The <strong>MX<\/strong> record corresponds to the SMTP server for receiving emails and always points to a domain name (canonical name), not an IP address.<\/p>\n\n\n\n<p>For example:<\/p>\n\n\n\n<p>If your domain is <strong>monsite.tld<\/strong> and your emails are hosted by <strong>LRob<\/strong> on the server <strong>ds.lrob.net<\/strong>, here is a sample record:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mail A 138.201.17.216\nMX 0 mail.monsite.tld<\/code><\/pre>\n\n\n\n<p>This <strong>MX<\/strong> record ensures that all emails to <strong>monsite.tld<\/strong> will be sent to the server <strong>mail.monsite.tld<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"securite\">Email security<\/h2>\n\n\n\n<p>Although universalizing email security standards is difficult, several standards are now widely adopted to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce spam<\/strong><\/li>\n\n\n\n<li><strong>Limit identity theft<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Here are the main standards you can implement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"helo\">FQDN, HELO, rDNS<\/h3>\n\n\n\n<p>The <strong>HELO<\/strong> is the greeting message sent by an SMTP server when an e-mail is sent. 
To be considered legitimate, the <strong>HELO<\/strong> must meet these criteria:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It must be a <strong>FQDN<\/strong> (a fully qualified domain or subdomain name), pointing to the SMTP server's IP address.<\/li>\n\n\n\n<li>The FQDN must correspond to the <strong>reverse DNS<\/strong> (rDNS) of the SMTP server IP address.<\/li>\n\n\n\n<li>The rDNS must <strong>not<\/strong> be in the default form (e.g. <strong>IPReversed.provider.tld<\/strong>), as this often indicates an unsecured server or a spam botnet.<\/li>\n<\/ul>\n\n\n\n<p>Our <strong>LRob<\/strong> servers are configured to reject emails with an incorrect <strong>HELO<\/strong>, as this is a basic standard that all email senders must respect. If you receive emails blocked for this reason, we can, as a last resort, whitelist the sender, but this disables any verification of the authenticity of the sending server, which is strongly discouraged.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"spf-sender-policy-framework\">SPF (Sender Policy Framework)<\/h3>\n\n\n\n<p><strong>SPF<\/strong> is a security mechanism that defines which servers are authorized to send e-mail for a given domain. This is done via a <strong>TXT<\/strong> record in the domain's DNS zone. 
<strong>SPF<\/strong> helps prevent identity theft by ensuring that only authorized servers can send emails under your domain name.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"fonctionnement-de-spf\">How SPF works<\/h4>\n\n\n\n<p>When a receiving server receives an e-mail from your domain, it checks for the presence of an <strong>SPF<\/strong> rule in the DNS zone of the sending domain:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the DNS zone contains a valid and respected SPF rule, the email is accepted.<\/li>\n\n\n\n<li>If no SPF rule is present, the email may pass through, but is more likely to be flagged as spam.<\/li>\n\n\n\n<li>If the SPF rule is not respected, the email may be rejected (depending on the parameter <strong>-all<\/strong>) or marked as spam (<strong>~all<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"regle-spf-de-l-rob\">LRob SPF Rule<\/h4>\n\n\n\n<p>The default SPF rule for domains hosted at <strong>LRob<\/strong> is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>v=spf1 +mx include:_spf.lrob.net -all<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"erreurs-spf-courantes\">Common SPF errors<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Creating multiple SPF entries<\/strong>: There should be only one SPF rule per domain. If you have more than one, it may cause random read errors on the destination servers.<\/li>\n\n\n\n<li><strong>Using the wrong SMTP server<\/strong>: You must use an SMTP server authorized in your SPF rule. If you use another server, your e-mails will certainly be rejected.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dkim-domain-keys-identified-mail\">DKIM (DomainKeys Identified Mail)<\/h3>\n\n\n\n<p><strong>DKIM<\/strong> is a standard for digitally signing e-mails sent from your domain. 
This signature is verified by the recipient servers thanks to a public key registered in your DNS zone, guaranteeing the message's integrity and authenticity.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"activer-dkim-via-plesk\">Activate DKIM via Plesk<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Visit your <a href=\"https:\/\/www.lrob.fr\/en\/doc\/wiki-hosting\/plesk-control-panel\/\">Plesk control panel<\/a>.<\/li>\n\n\n\n<li>Go to <strong>Email addresses<\/strong>, then <strong>Messaging settings<\/strong>.<\/li>\n\n\n\n<li>Check the box <strong>\"Use the DKIM anti-spam system to sign outgoing e-mails\"<\/strong>.<\/li>\n\n\n\n<li>Click on <strong>OK<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>This will automatically activate <strong>DKIM<\/strong> for your emails and create the corresponding DNS entry.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dmarc-domain-based-message-authentication\">DMARC (Domain-based Message Authentication)<\/h3>\n\n\n\n<p><strong>DMARC<\/strong> is a complementary standard to <strong>SPF<\/strong> and <strong>DKIM<\/strong> which defines a policy in the event of non-compliance with these two standards. <strong>DMARC<\/strong> allows you to choose the action to be taken (reject, mark as spam, etc.) 
if an email fails SPF or DKIM checks.<\/p>\n\n\n\n<p>Example of a DMARC rule<\/p>\n\n\n\n<p>Here is the default <strong>DMARC<\/strong> rule in the <strong>LRob<\/strong> DNS zone:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"v=DMARC1; p=reject; sp=reject; aspf=s; rua=mailto:dmarcreport@lrob.fr; ruf=mailto:dmarcreport@lrob.fr; rf=afrf; pct=100; ri=172800\"<\/code><\/pre>\n\n\n\n<p>This rule:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rejects emails that do not comply with the <strong>SPF<\/strong> policy.<\/li>\n\n\n\n<li>Allows tolerance in the event of problems with <strong>DKIM<\/strong>.<\/li>\n\n\n\n<li>Prevents emails being sent from unauthorized subdomains.<\/li>\n\n\n\n<li>Sends rejection reports to <strong><a href=\"mailto:dmarcreport@lrob.fr\">dmarcreport@lrob.fr<\/a><\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"les-blacklists\">Blacklists<\/h3>\n\n\n\n<p><strong>Blacklists<\/strong> are public lists of IP addresses associated with spamming. 
If the IP of a sending SMTP server is included in one of these lists, it is likely that its e-mails will be rejected by recipient servers.<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-content-justification-left is-layout-flex wp-container-core-group-is-layout-69824cbe wp-block-group-is-layout-flex\" style=\"margin-top:var(--wp--preset--spacing--40);margin-bottom:var(--wp--preset--spacing--40)\">\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-default\" style=\"margin-top:var(--wp--preset--spacing--40);margin-bottom:var(--wp--preset--spacing--40)\"\/>\n\n\n\n<p>Related pages:<\/p>\n\n\n<ul class=\"wp-block-page-list\"><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/e-mail\/connexion-aux-adresses-email\/\">Connecting to email addresses<\/a><\/li><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/e-mail\/envoyer-recevoir-depuis-gmail\/\">Send\/Receive from Gmail<\/a><\/li><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/e-mail\/gestion-des-adresses-email\/\">Email address management<\/a><\/li><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/e-mail\/securisations-et-normes-email\/\">Email security and standards<\/a><\/li><\/ul><\/div>","protected":false},"excerpt":{"rendered":"<p>The security and reception of emails are mainly ensured by DNS rules specific to your domain. These rules not only ensure that emails are received correctly, but also protect against spam and identity theft. 
MX: Mail reception server In order for your domain to receive emails, an entry [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5512,"parent":5392,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5407","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=5407"}],"version-history":[{"count":6,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5407\/revisions"}],"predecessor-version":[{"id":7488,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5407\/revisions\/7488"}],"up":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5392"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/5512"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=5407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}