Secure email

A well-run website sends its e-mail over a secure connection and protects that e-mail with anti-spam measures. Does your server send secure e-mail?

Sending secure e-mail

Do you collect data from visitors via forms on your website? Do they visit your website via a secure https connection? How does your website send notifications to your e-mail address? Are they also sent via a secure e-mail connection?

And how do you ensure that you authenticate yourself as the sender of your e-mail? And that e-mail notifications from your website are not marked as spam by the recipient's server? 

Secure e-mail via secure connection

You read and write e-mail in an e-mail client (Outlook, Mail, Thunderbird, the Gmail website, etc.). When you send an e-mail, your e-mail client contacts a Mail Transfer Agent (MTA). This is a mail server that processes the e-mail and makes sure it reaches the addressed recipient.

The communication between your e-mail client and the mail server (MTA) goes through the SMTP protocol. This is an agreement on how the e-mail client and MTA communicate in order to transfer the mail.

A server can offer SMTP on several ports, each with a different level of security: 

  • Port 25 (SMTP) - unencrypted plain text
  • Port 587 (STARTTLS) - the connection starts in plain text and is upgraded to TLS if the server supports it (also called "opportunistic TLS"); if the upgrade fails, the mail may still go out unencrypted unless the client insists on TLS
  • Port 465 (SSL/TLS) - the connection to the MTA is encrypted from the start ("SMTPS", SMTP secure)

You can only secure the first hop of the e-mail path: from your e-mail client, or from the website that sends a notification, to the MTA. From the MTA onward to the recipient's mail server you have no control over whether the connection is encrypted.

Secure E-mail through anti-spam measures

More than half of all e-mail sent worldwide is spam. More and more e-mail providers use anti-spam software to curb this flood. The side effect is that your legitimate e-mail may be marked as spam and no longer reach its recipients.

E-mail providers have good reasons to curb this flow of spam. First of all, spam costs resources. And if their customers send spam, the IP address of the provider's mail server may end up on a blacklist. Receiving mail servers that use such a blacklist block e-mail from that server, so every customer of the provider, not only the spammer, can no longer reach those recipients.

The measures taken by e-mail providers:

  • You can only send mail after you have authenticated to the SMTP server with your login name and password (set in your e-mail client by default).
  • Rate limit - the number of e-mail messages you can send is limited, for example to 250 per hour.
  • Outgoing e-mail is scanned for spam.
  • Your IP address is added to the message in an "X-Originating-IP" header.

With e-mail it is easy to forge the sender. Compare it to an envelope: you can write any return address on the back, and only the postmark reveals the approximate origin of the letter. A spammer can use your e-mail address as the sender of their spam messages; only the IP address of the MTA they use differs from that of your own e-mail.

There are several anti-spam measures with which you can authenticate your own e-mail. Some receiving mail servers still let unauthenticated e-mail through, but subject it to extra spam checks.

Sender Policy Framework (SPF)

With SPF, the DNS of the domain name specifies which servers are allowed to send e-mail for it. The Domain Name System links domain names to services and IP addresses.

If you want to use SPF, you add a "TXT record" to the DNS in which you define which servers are allowed to send your e-mail. Suppose you have the domain name example.com and send e-mail both from an e-mail client and from your website. You then enter a record like this in the DNS: v=spf1 a mx ip4:1.2.3.4 a:example.com -all

A receiving mail server looks up in your DNS who is allowed to send mail for you and compares that with the IP address of the server that delivers the message (the address also recorded in the e-mail's Received headers). If they do not match, the receiving mail server can stop the mail or insert a spam warning.
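As an added illustration (not code from the original page), the following Python evaluator performs the receiver-side check described above against the example record, with constructed DNS data standing in for the real A and MX lookups. It goes slightly beyond the record on the page by also handling ip6: and the four qualifiers (+, -, ~, ?).

```python
import ipaddress

# Constructed DNS data standing in for real A/MX lookups (example values only).
DNS = {
    "A": {"example.com": ["1.2.3.4", "5.6.7.8"], "mail.example.com": ["9.9.9.9"]},
    "MX": {"example.com": ["mail.example.com"]},
}
SPF_RECORD = "v=spf1 a mx ip4:1.2.3.4 a:example.com -all"

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, domain, ip):
    """Return True if the sending IP matches one SPF mechanism."""
    name, _, arg = mech.lower().partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":  # A records of the named host (or of the domain itself)
        return str(ip) in DNS["A"].get(arg or domain, [])
    if name == "mx":  # A records of the domain's mail exchangers
        hosts = DNS["MX"].get(arg or domain, [])
        return any(str(ip) in DNS["A"].get(h, []) for h in hosts)
    raise ValueError(f"unsupported mechanism: {name}")  # include, redirect, ...


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF record for the connecting IP: left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    try:
        for term in terms[1:]:
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            if mechanism_matches(term, domain, ip):
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"  # a receiver cannot evaluate a record it does not understand
    return "neutral"  # nothing matched and the record has no "all" at the end
```

With the record above, 1.2.3.4 (listed as ip4 and as an A record) and 9.9.9.9 (the MX host) pass, while any other address hits "-all" and fails.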

DomainKeys Identified Mail (DKIM)

DKIM works with a digital signature. If you want to use DKIM, you add a "TXT record" to the DNS containing the public half of your signing key. Your mail server uses the private half to place a digital signature in the header of every e-mail you send. 

A receiving mail server verifies the digital signature in the header of your e-mail with the public key published in the DNS of your domain name. If the signature does not verify, the receiving mail server can stop the e-mail or insert a spam warning.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

With DMARC you publish your anti-spam policy via the DNS of your domain name.

A receiving mail server checks the SPF record and the DKIM signature, then retrieves your DMARC record to see what to do with mail that fails those checks. Depending on your policy it can mark the mail with a spam warning, quarantine it (deliver it to the spam folder) or reject it altogether. If you ask for it, the receiving mail server also sends reports to the address you specify, so that you, as the domain owner, can take action.
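As an added example (not from the original page), this Python function makes the DMARC decision described above for a constructed example.com record: it requires SPF or DKIM to pass with an "aligned" domain, applies the p= policy (or sp= for subdomains), and the rua= tag names the address that receives the reports the text mentions. The organizational-domain helper is simplified to the last two labels; real receivers use the Public Suffix List.

```python
# Constructed DMARC record for the example domain (not real DNS data).
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; aspf=r; adkim=r; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=quarantine; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide what to do with a message whose From: header names from_domain.
    spf_domain is the envelope sender domain SPF was checked against;
    dkim_domain is the d= domain of a DKIM signature that verified."""
    record = DMARC_RECORDS.get(f"_dmarc.{from_domain}")
    from_org = org_domain(from_domain)
    is_subdomain = record is None and from_domain != from_org
    if record is None:  # fall back to the organizational domain's record
        record = DMARC_RECORDS.get(f"_dmarc.{from_org}")
    if record is None:
        return "none"  # no policy published: receiver applies its own rules
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # at least one aligned authentication succeeded
    if is_subdomain and "sp" in tags:
        return tags["sp"]  # subdomain policy applies to mail from subdomains
    return tags.get("p", "none")  # none / quarantine / reject
```

Note that an SPF pass for a different domain (a forwarder's bounce address, for instance) does not count: only an aligned pass protects the visible From: domain.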


* according to Peter Martin

© 2023 by db8.nl. All rights reserved.