Small Mailserver Best Current Practices

Phil Pennock is an email administrator, software engineer and one of the maintainers of the open source Exim MTA (mail transfer agent, aka mail server). After a recent discussion on the Mailop list, he put together a good list of considerations and best practices for administrators of small mail servers who want to maximize their chances of delivering email successfully to users at Gmail (and the rest of the world).

He covers matching DNS, MX records, IP reputation, SPF, DKIM, DMARC, TLS and more. It's worth a read -- click here to check it out.

Adding in my own two cents: As mentioned by Phil, this began as a discussion initiated by an email administrator having trouble delivering mail to Gmail. The poster indicated that they hadn't implemented DKIM because they had not seen the point. But DKIM email authentication is very important here. For each domain allowed to send from your server, you should implement DKIM, using a 2048-bit RSA key pair, and be prepared to rotate that key periodically. And once you've implemented DKIM, the concept of "domain reputation" is in play for your email messages. Domain reputation is perhaps not always weighted as heavily as IP address-based reputation, but the ISPs, and Gmail in particular, will definitely build a reputation view based on that DKIM domain-as-identifier. That's a positive for a good sender, even one sending not-so-much mail from a small server.

Stable domain identifier + email authentication + good sending reputation = much better chance of delivering mail.

And finally, here's a side note on DKIM key length -- it's not clear today whether DKIM keys longer than 2048 bits are widely supported. Because of that, I don't think it's wise to implement a 4096-bit DKIM key in 2020. Stick to 2048 bits. Also, you may be stumped about how to fit a 2048-bit DKIM public key into a DNS TXT record, as it can be longer than 255 characters. The answer is, you split it into pieces. If that's too hard, stick to a 1024-bit key, which is probably okay from a security perspective if you rotate the key regularly enough. But at some point in the future, I do suspect that Gmail or others may consider a key size smaller than 2048 bits to be substandard. That's tomorrow's problem, though. Do what you have to do to get through today, first.
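As an added example (not from Phil's post or this article), here is a small Python script that builds the DKIM TXT record for a 2048-bit key, splits it into DNS character-strings of at most 255 characters as described above, renders a zone-file line, and then reassembles and parses the pieces the way a verifier does. The key bytes, selector and domain are constructed placeholders, not a real key or a real zone.

```python
import base64
import re

# Constructed stand-in for a 2048-bit RSA public key in SubjectPublicKeyInfo
# DER form. A real 2048-bit key (e=65537) encodes to 294 DER bytes, which is
# 392 base64 characters; this is deliberately NOT a real key.
SAMPLE_DER = bytes((i * 37) % 256 for i in range(294))


def dkim_record(pub_der: bytes) -> str:
    """Build the DKIM TXT record value as an RFC 6376 tag=value list."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(pub_der).decode("ascii")


def split_txt(record: str, max_len: int = 255) -> list:
    """Split the record into character-strings of at most max_len bytes.
    Verifiers concatenate the strings with no separator, so the cut may
    land anywhere, including in the middle of the base64 key material."""
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]


def zone_line(selector: str, domain: str, chunks: list) -> str:
    """Render a BIND-style zone line with the quoted strings in parentheses."""
    quoted = " ".join('"%s"' % c for c in chunks)
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, quoted)


def parse_dkim_txt(chunks: list) -> dict:
    """Reassemble the strings as a verifier would and parse the tag list.
    Whitespace inside values is ignored; p= is decoded back to DER bytes."""
    joined = "".join(chunks)
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    if "p" in tags:
        tags["p_der"] = base64.b64decode(tags["p"])
    return tags


if __name__ == "__main__":
    rec = dkim_record(SAMPLE_DER)
    parts = split_txt(rec)
    print("record length %d, pieces %s" % (len(rec), [len(p) for p in parts]))
    print(zone_line("sel2020", "example.com", parts))
    back = parse_dkim_txt(parts)
    print("round trip ok:", back["p_der"] == SAMPLE_DER)
```

Swap SAMPLE_DER for the DER bytes of your own public key (for example from `openssl rsa -pubout -outform DER`) to produce the real record.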
