Ruaphoc

joined 2 years ago
[email protected] 5 points 1 day ago (1 children)

@[email protected]

While you are securing your domain, 3 more good ideas:

  1. Enable DNSSEC. This will sign the DNS query responses to help ensure your DKIM and TLSA can be trusted.

  2. Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.

  3. Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@” subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and website servers).
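
An added example, not part of the comment above: it builds the CAA, TLSA and MTA-STS TXT records from items 2 and 3 and lints the MTA-STS policy file. The names `example.com`, `mail.example.com`, the issuer `ca.example`, the policy id and the sample key are constructed placeholders.

```python
import hashlib

# Constructed sample key: DER SubjectPublicKeyInfo header for Ed25519 plus
# 32 placeholder bytes. In practice this is the SPKI of the server certificate.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

def tlsa_311(spki_der):
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def tlsa_matches(rdata, spki_der):
    """True if a published 3 1 1 record pins the key the server presents."""
    parts = rdata.split()
    digest = "".join(parts[3:]).lower()  # zone files may split the hex
    return parts[:3] == ["3", "1", "1"] and digest == hashlib.sha256(spki_der).hexdigest()

def zone_records(domain, mx, issuer, spki_der, policy_id):
    """CAA, TLSA and MTA-STS TXT records (names and issuer are placeholders)."""
    return [
        f'{domain}. IN CAA 0 issue "{issuer}"',
        f"_25._tcp.{mx}. IN TLSA {tlsa_311(spki_der)}",
        f'_mta-sts.{domain}. IN TXT "v=STSv1; id={policy_id}"',
    ]

def mx_covered(host, pattern):
    """MTA-STS mx patterns match exactly or as '*.' plus one leading label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def policy_problems(text, mx_hosts):
    """Lint the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, patterns = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            patterns.append(value.strip().lower())
        elif sep:
            fields[key.strip()] = value.strip()
    problems = []
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if fields.get("mode") != "enforce":  # "testing" only reports, it does not block
        problems.append("mode is not enforce")
    if not fields.get("max_age", "").isdigit():
        problems.append("max_age missing or not a number")
    for host in mx_hosts:
        if not any(mx_covered(host.lower(), p) for p in patterns):
            problems.append(f"MX {host} not listed in policy")
    return problems
```

Run `tlsa_matches` against the published record after every key rotation; a stale TLSA record makes DANE-validating senders refuse delivery.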