Validating Your Email Server
Would you like to see if your email is configured correctly? Simply send an email to validate.server@synametrics.com with the word validate in the subject line.How It Works
Two types of tests are done when an email is received from your address:- Outbound Test - This test ensures the SMTP server sending outbound emails for your domain is configured
correctly. It checks the following things:
- Ensures your public IP address has a valid PTR record that matches with your host name.
- Ensures the HELO command includes the FQDN of your network
- Ensure your domain has an SPF record
- Checks if your email was signed with a valid DKIM signature
- Checks for DMARC alignment
- Inbound Test - Tests are done against your SMTP server(s) that accept inbound emails for your domain. Multiple
servers will be checked if your domain has multiple MX records. Following tests are done:
- Ensures your server uses STARTTLS
- Warns if SMTP Authentication is enabled for port 25
- Checks for open relay
- Warns if your server accepts emails for invalid users
Sample Report
The following screenshot demonstrates a sample report that you will get as a result.
Warning/Error Messages
The generated report may contain a few warning/error messages. The following section describes these messages in detail. STARTTLS
STARTTLS ensures your emails are encrypted during transit and is required to be compliant with many industry
standards.
This warning is generated if your SMTP server does not support STARTTLS option and the final grade is limited to a B.
This warning is generated if your SMTP server does not support STARTTLS option and the final grade is limited to a B.
SMTP Authentication on port 25
It is very common for your email server to come under attack from the Internet. Malicious users are always
looking to crack user ID/passwords so these credentials can be misused. Most email servers are integrated
with company's Active Directory. Cracking a user ID/password typically means the same credentials are used
for other services such as RDP, FTP and File Sharing via SMB. Therefore, it is very important you close the door
that can be used to crack password.
SMTP Authentication is not needed when emails are received for your domain from the Internet. SMTP Authentication is only required when an in-house user needs to relay a message to a foreign domain. In that case, let them connect on a different port, such as 587, 465 or better yet, on a non-standard port.
You see this warning if SMTP Authentication is enabled on your SMTP server.
SMTP Authentication is not needed when emails are received for your domain from the Internet. SMTP Authentication is only required when an in-house user needs to relay a message to a foreign domain. In that case, let them connect on a different port, such as 587, 465 or better yet, on a non-standard port.
You see this warning if SMTP Authentication is enabled on your SMTP server.
Open Relay
Relaying emails to a foreign domain should
only be allowed under two conditions:
- Sender is authenticated
- Email is being received from a trusted IP address
Accepts Invalid Users
Your email server can be misused to perform a
reverse NDR attack
on a victim's server if you accept emails for invalid users. Therefore, it is always better to reject emails
destined for invalid users. This way, the responsibility of generating an NDR is delegated to the sender's SMTP
server.
You see this warning message if your server accepts emails for invalid users.
You see this warning message if your server accepts emails for invalid users.
SPF
SPF prevents email forgery by specifying a set of servers that can generate emails belonging to your domain.
Refer
to this page for more
details.
There are several messages related to SPF, which are mentioned below:
There are several messages related to SPF, which are mentioned below:
| NONE | This means an SPF record is not specified for your domain. Follow instructions on this page for instructions. | |
|---|---|---|
| SOFTFAIL/FAIL | An SPF record is defined but the email you sent did not come from an IP address designated to send outbound emails for your domain. | |
| PERMERROR/TEMPERROR | Some error exists in your SPF record | |
| NEUTRAL | An SPF record is defined but the email you sent did not come from an IP address designated to send outbound emails for your domain. However, your SPF record is configured to ignore this problem. |
DKIM
DKIM is a mechanism that checks if an incoming email's
FROM address is forged.
You see this warning in two case:
You see this warning in two case:
- Your email did not have a DKIM signature
- An invalid signature was found
DMARC Missing/Failed
DMARC is an email authentication, policy and reporting mechanism. Refer
to this page for more
details.
You see this message if DMARC is not defined for your domain or the DMARC is not aligned for the emails you sent.
You see this message if DMARC is not defined for your domain or the DMARC is not aligned for the emails you sent.