Validating Your Email Server

Would you like to see if your email is configured correctly? Simply send an email to validate.server@synametrics.com with the word validate in the subject line.

How It Works

Two types of tests are done when an email is received from your address:

  1. Outbound Test - This test ensures the SMTP server sending outbound emails for your domain is configured correctly. It checks the following things:
    • Ensures your public IP address has a valid PTR record that matches your host name.
    • Ensures the HELO command includes the FQDN of your network.
    • Ensures your domain has an SPF record.
    • Checks if your email was signed with a valid DKIM signature
    • Checks for DMARC alignment
  2. Inbound Test - Tests are done against the SMTP server(s) that accept inbound emails for your domain. Multiple servers will be checked if your domain has multiple MX records. The following tests are done:
    • Ensures your server uses STARTTLS
    • Warns if SMTP Authentication is enabled for port 25
    • Checks for open relay
    • Warns if your server accepts emails for invalid users

Sample Report

The following screenshot demonstrates a sample report that you will get as a result.

Warning/Error Messages

The generated report may contain a few warning/error messages. The following section describes these messages in detail.

STARTTLS
STARTTLS ensures your emails are encrypted during transit and is required to be compliant with many industry standards.

This warning is generated if your SMTP server does not support the STARTTLS option; in that case the final grade is limited to a B.

SMTP Authentication on port 25
It is very common for an email server to come under attack from the Internet. Malicious users are constantly trying to crack user IDs/passwords so that the credentials can be misused. Most email servers are integrated with the company's Active Directory, so a cracked user ID/password typically also works for other services such as RDP, FTP and file sharing via SMB. Therefore, it is very important to close any door that can be used to crack passwords.

SMTP Authentication is not needed when emails are received for your domain from the Internet. It is only required when an in-house user needs to relay a message to a foreign domain. In that case, let those users connect on a different port, such as 587 or 465, or better yet, on a non-standard port.

You see this warning if SMTP Authentication is enabled on port 25 of your SMTP server.

Open Relay
Relaying emails to a foreign domain should only be allowed under two conditions:

  1. The sender is authenticated
  2. The email is being received from a trusted IP address

You see this warning if your SMTP server accepts emails from an unauthenticated, untrusted client whose recipients belong to a foreign domain.

Accepts Invalid Users
Your email server can be misused to perform a reverse NDR attack on a victim's server if it accepts emails for invalid users. Therefore, it is always better to reject emails destined for invalid users during the SMTP session. This way, the responsibility of generating an NDR is delegated to the sender's SMTP server.

You see this warning message if your server accepts emails for invalid users.
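The four inbound checks above (STARTTLS, SMTP Authentication on port 25, open relay, invalid users) can be reproduced against your own MX host with Python's standard smtplib. The following is an added example, not Synametrics' validator code; the EHLO feature dictionaries, the probe sender and the foreign recipient are constructed values using reserved example domains. The grading logic is separated from the live probe so it can be exercised on canned responses.

```python
import smtplib
import ssl

# EHLO feature sets constructed for this example; smtplib fills SMTP.esmtp_features
# with the same lowercase-keyed shape after a successful ehlo().
GOOD_MX_FEATURES = {"size": "52428800", "starttls": "", "pipelining": "", "8bitmime": ""}
WEAK_MX_FEATURES = {"size": "52428800", "auth": "LOGIN PLAIN", "pipelining": ""}

# Constructed envelope addresses in RFC 2606 reserved domains (assumption: neither exists).
PROBE_SENDER = "validate@example.org"
FOREIGN_RCPT = "postmaster@example.net"


def grade_ehlo(port, features):
    """Findings from the EHLO response: the report's STARTTLS and port-25 AUTH checks."""
    findings = []
    if "starttls" not in features:
        findings.append("STARTTLS: not offered (final grade limited to B)")
    if port == 25 and "auth" in features:
        findings.append("SMTP Authentication on port 25: enabled (%s)" % features["auth"].strip())
    return findings


def grade_rcpt(foreign_rcpt_code, invalid_user_code):
    """Findings from RCPT TO reply codes: any 2xx means the recipient was accepted."""
    findings = []
    if 200 <= foreign_rcpt_code < 300:
        findings.append("Open Relay: accepted a foreign-domain recipient from an "
                        "unauthenticated, untrusted client")
    if 200 <= invalid_user_code < 300:
        findings.append("Accepts Invalid Users: accepted a non-existent local mailbox, "
                        "so the NDR burden stays with your server")
    return findings


def check_inbound(mx_host, local_domain, port=25, timeout=15):
    """Live self-check of one of your own MX hosts.

    Only MAIL FROM / RCPT TO are issued, each followed by RSET, and the
    connection ends with QUIT, so no message is ever delivered. Servers that
    validate recipients only at DATA time will not show the invalid-user finding.
    """
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        features = dict(smtp.esmtp_features)
        findings = grade_ehlo(port, features)
        if "starttls" in features:
            try:
                smtp.starttls(context=ssl.create_default_context())
                smtp.ehlo()  # the extension list may change after TLS
            except ssl.SSLError as exc:
                # Offered but not usable by a strict client; still worth reporting.
                findings.append("STARTTLS: offered but the TLS handshake failed (%s)" % exc)
                return findings
        # Probe 1: an outside sender addressing a foreign domain.
        smtp.mail(PROBE_SENDER)
        foreign_code, _ = smtp.rcpt(FOREIGN_RCPT)
        smtp.rset()
        # Probe 2: a mailbox that should not exist in your own domain (constructed local part).
        smtp.mail(PROBE_SENDER)
        invalid_code, _ = smtp.rcpt("validate-no-such-mailbox@" + local_domain)
        smtp.rset()
        findings.extend(grade_rcpt(foreign_code, invalid_code))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python inbound_check.py <mx host> <your domain>
        for finding in check_inbound(sys.argv[1], sys.argv[2]) or ["no findings"]:
            print(finding)
    else:
        print(grade_ehlo(25, WEAK_MX_FEATURES) + grade_rcpt(250, 250))
```

Run it with the host name of one of your own MX records and your domain; the offline branch shows what a weak configuration would report. Note that port 587 is not expected to offer STARTTLS-less AUTH either, but the port-25 check is the one the report grades.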

SPF
SPF prevents email forgery by specifying the set of servers that are allowed to send emails for your domain. Refer to this page for more details.

There are several messages related to SPF, which are listed below:

  • NONE - No SPF record is specified for your domain. Follow the instructions on this page to create one.
  • SOFTFAIL/FAIL - An SPF record is defined, but the email you sent did not come from an IP address designated to send outbound emails for your domain.
  • PERMERROR/TEMPERROR - Some error exists in your SPF record, or it could not be evaluated.
  • NEUTRAL - An SPF record is defined, but the email you sent did not come from a designated IP address. However, your SPF record is configured to ignore this problem (it ends in ?all).
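To see how the NONE, FAIL/SOFTFAIL, NEUTRAL and PERMERROR outcomes arise from a record, here is an added SPF evaluator written for this page (not the validator's own code). It runs offline against constructed TXT records in documentation-reserved address ranges, which is an assumption standing in for real DNS lookups; only the ip4, ip6, include, redirect and all terms are implemented, and mechanisms that need further DNS queries (a, mx, ptr, exists) are deliberately reported as PERMERROR.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumption: no network in this demo).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "neutral.example": "v=spf1 ip4:203.0.113.5 ?all",
    "broken.example": "v=spf1 ip4:not-an-ip -all",
}

QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}

# Wording of the report's SPF messages, keyed by result.
REPORT_TEXT = {
    "NONE": "an SPF record is not specified for your domain",
    "FAIL": "the email did not come from an IP address designated for your domain",
    "SOFTFAIL": "the email did not come from an IP address designated for your domain",
    "NEUTRAL": "the sending IP is not designated, but your record ignores this",
    "PERMERROR": "some error exists in your SPF record",
    "PASS": "the sending IP is authorized by your SPF record",
}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the v=spf1 record for a domain, or None when there is none."""
    record = txt.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, txt=FAKE_TXT, depth=0):
    """Evaluate domain's SPF record for a connection from sender_ip."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation
        return "PERMERROR"
    record = lookup_spf(domain, txt)
    if record is None:
        return "NONE"
    ip = ipaddress.ip_address(sender_ip)
    try:
        for term in record.split()[1:]:
            if term.lower().startswith("redirect="):
                return check_spf(term.split("=", 1)[1], sender_ip, txt, depth + 1)
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                return QUALIFIERS[qualifier]
            if name in ("ip4", "ip6"):
                # A v4/v6 version mismatch simply does not match; a bad CIDR raises ValueError.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            elif name == "include":
                inner = check_spf(arg, sender_ip, txt, depth + 1)
                if inner == "PASS":
                    return QUALIFIERS[qualifier]
                if inner in ("NONE", "PERMERROR"):
                    return "PERMERROR"  # including a missing or broken record is an error
            else:
                return "PERMERROR"  # a, mx, ptr, exists: not implemented in this offline demo
    except ValueError:
        return "PERMERROR"
    return "NEUTRAL"  # nothing matched and the record has no 'all' term


def spf_report(domain, sender_ip, txt=FAKE_TXT):
    """Result plus the sentence the report would print for it."""
    result = check_spf(domain, sender_ip, txt)
    return result, REPORT_TEXT[result]
```

A useful exercise is to paste your real record into FAKE_TXT under your domain and call check_spf with the public IP your outbound server uses; a FAIL there is exactly what the validator would see from its side of the connection.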

DKIM
DKIM lets a receiving server verify that an incoming email was signed by the sending domain and was not altered in transit, which is how a forged FROM address is detected.

You see this warning in two cases:
  • Your email did not have a DKIM signature
  • An invalid signature was found

DMARC Missing/Failed
DMARC is an email authentication, policy and reporting mechanism built on top of SPF and DKIM. Refer to this page for more details.

You see this message if no DMARC record is defined for your domain, or if the emails you sent did not pass DMARC alignment (neither the SPF-authenticated domain nor the DKIM signing domain matched the FROM header domain under your record's alignment mode).
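The "Missing" versus "Failed" distinction comes down to whether a DMARC record exists and whether either SPF or DKIM passed with an aligned domain. The following added example (not the validator's code) shows that decision with the SPF and DKIM results supplied as inputs; the DMARC records are constructed stand-ins for _dmarc.<domain> TXT lookups, and the organizational-domain helper assumes the last two labels, which is a simplification of the Public Suffix List rule a real evaluator must use.

```python
# Constructed _dmarc TXT records keyed by domain (assumption: offline demo, no DNS).
FAKE_DMARC = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "example.org": "v=DMARC1; p=none",
}


def organizational_domain(domain):
    """Simplification for this demo: last two labels. Real code consults the
    Public Suffix List, where e.g. a .co.uk name needs three labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(header_from_domain, txt=FAKE_DMARC):
    """Try the exact From-header domain first, then its organizational domain."""
    for candidate in (header_from_domain.lower(), organizational_domain(header_from_domain)):
        record = txt.get(candidate)
        if record and record.startswith("v=DMARC1"):
            return parse_dmarc(record)
    return None


def is_aligned(header_from_domain, authenticated_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(header_from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(header_from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_domain, txt=FAKE_DMARC):
    """Return (status, policy): status is MISSING, PASS or FAIL as the report words it.

    spf_result / dkim_result are the raw authentication outcomes ('PASS' etc.);
    mail_from_domain is the envelope sender domain SPF checked, dkim_domain the d= tag.
    """
    tags = lookup_dmarc(header_from_domain, txt)
    if tags is None:
        return "MISSING", None
    spf_ok = spf_result == "PASS" and is_aligned(header_from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "PASS" and is_aligned(header_from_domain, dkim_domain, tags.get("adkim", "r"))
    return ("PASS" if spf_ok or dkim_ok else "FAIL"), tags.get("p")
```

The example.com record is deliberately strict for DKIM and relaxed for SPF, so a message from a subdomain passes through its bounce address but fails on a signature made with d=example.com; that asymmetry is a common cause of the "Failed" message when only one of the two mechanisms is set up for subdomains.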