Submission and receipt of messages by e-mail (email@example.com)
In line with the NAMMDR IT&C security procedures and the European Commission’s recommendations to counter phishing attacks, message authentication, reporting and compliance will be domain-based (Domain-based Message Authentication, Reporting and Conformance – DMARC).
Security measures recommended for e-mail delivery to the anm.ro domain:
✓ DMARC (Domain-based Message Authentication, Reporting and Conformance)
✓ SPF (Sender Policy Framework)
✓ Reverse DNS
✓ No Open Relay
Recommendations for network administrators according to the National Cyber Security Directorate – https://dnsc.ro/
• Configuration of the server you manage (DNS, SPF – Sender Policy Framework and DKIM – DomainKeys Identified Mail records), depending on your company’s/institution’s security policy
SPF controls which IP addresses are allowed to send e-mails on behalf of the domain. All e-mails are usually sent from the IP address assigned to the server. If the domain has a dedicated IP address, it must be authorised to send e-mails.
To generate the DKIM key, go to opendkim.org
It is vital to make sure that everything is fine in terms of SPF and DKIM settings! Otherwise, you may end up with legitimate e-mails being rejected by the destination server.
• We recommend using the ‘QUARANTINE’ policy for DMARC
DMARC is the e-mail protocol for authentication and reporting which protects your online digital identity from being used in illegal activities (e.g. unauthorised financial transactions).
DMARC – acronym for Domain-based Message Authentication, Reporting and Conformance.
Authentication – based on two authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)
Reporting – ensures visibility of rejected e-mails
Conformance – standardizes the manner in which rejected e-mails are handled, by applying flexible policies, namely none, quarantine or reject.
There are three types of DMARC policies:
– NONE: All e-mails shall be delivered. DMARC reports can be analysed to detect who is sending e-mails on your behalf. Afterwards, you can move on to the next policy, Quarantine;
– QUARANTINE: All e-mails which do not comply with DMARC validation will be marked as spam and automatically filtered by the destination server (they will enter the SPAM / JUNK directory);
– REJECT: Under this restrictive policy, if DMARC validation fails, the destination server is instructed to reject the e-mail outright instead of filtering it. If this method is employed, no one will be able to send e-mails on your behalf.