Comment on
Important reminder, if you own a domain name and don't use it for sending email.
While you are securing your domain, 3 more good ideas:
- Enable DNSSEC. This will sign the DNS query responses to help ensure your DKIM and TLSA can be trusted.
- Configure CAA records with only your TLS certificate issuer so any other certificates are not trusted.
- Configure DANE TLSA records with a hash of the public keys for your email server and websites. Also be sure to configure the “mta-sts.@” subdomain to serve the correct text file. This will provide an additional chain of trust for your email server (and website servers).
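
Added example (not part of the comment above): a Python sketch that audits the three record types the comment lists, run here on constructed data. The CA name, host names, key bytes and function names are made up for illustration, and the `3 1 1` TLSA parameters (DANE-EE, SubjectPublicKeyInfo, SHA-256) are an assumed choice, since the comment only says "a hash of the public keys".

```python
import hashlib

# Constructed sample data (not real keys, not a real domain or CA).
SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))  # Ed25519 SPKI DER layout
CAA = ['0 issue "ca.example"', '0 issuewild ";"']
STS_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"

def tlsa_311(spki_der):
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def tlsa_matches(rdata, spki_der):
    """Compare a published TLSA record with the key the server actually presents."""
    fields = rdata.split()
    if len(fields) != 4 or fields[:3] != ["3", "1", "1"]:
        return False  # other usage/selector/type combinations are out of scope here
    return fields[3].lower() == hashlib.sha256(spki_der).hexdigest()

def caa_only_allows(records, issuer):
    """True when every issue/issuewild record names `issuer` or nobody (";")."""
    allowed = []
    for record in records:
        _flags, tag, value = record.split(None, 2)
        if tag in ("issue", "issuewild"):
            # Drop quotes and any parameters after the issuer name.
            allowed.append(value.strip('"').split(";")[0].strip())
    # No CAA records at all means any CA may issue, so that case fails.
    return bool(allowed) and all(name in (issuer, "") for name in allowed)

def sts_policy_problems(text):
    """Return problems found in an MTA-STS policy file (RFC 8461 key: value lines)."""
    pairs = [line.split(":", 1) for line in text.splitlines() if ":" in line]
    fields = [(key.strip(), value.strip()) for key, value in pairs]
    policy = dict(fields)
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer")
    if policy.get("mode") != "none" and not any(key == "mx" for key, _ in fields):
        problems.append("at least one mx line is required")
    return problems

if __name__ == "__main__":
    print(tlsa_311(SPKI))
    print(caa_only_allows(CAA, "ca.example"), sts_policy_problems(STS_POLICY))
```

Re-run the TLSA comparison whenever the server key is rotated: a stale TLSA record makes DANE-validating senders refuse delivery.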