
Online tooling to check mail config [internet.nl etc.]

K.4.201 | Day 1 | 17:50 - 18:10 | Speakers: Benjamin W. Broersma



Abstract

In this talk I will go over some FOS (online) tooling to check your mail config and some common misconfigurations in DNS: why you probably want to avoid www CNAME @ and how to configure it, plus other observations from the biannual measurements that scan more than 10,000 governmental host names in The Netherlands. After this talk you'll know at least one DNS or security improvement for your own or your organization's domain, or something to monitor for your email.

Online tools:

  • the free open source Internet.nl (in the project team) [IPv6, DNSSEC, SPF, DMARC, DKIM, STARTTLS, DANE inbound]
  • the free open source haveDANE.net (adopted/hosted by platform behind internet.nl) [interactive DANE outbound]
  • the free open source zonemaster.net [DNS]
  • the free open source DNSViz.net [DNS]

Run yourself:

  • the free open source spftrace [SPF]
  • the free open source testssl.sh [STARTTLS]

And a split second for some links to non-FOS tooling that is useful and could maybe be made open source (no product is being sold and there are no ads), or should be re-created:

  • https://www.email-security-scans.org
  • https://www.huque.com/bin/danecheck-smtp
  • https://dane.sys4.de

(Free but commercial that needs a FOS alternative: https://www.mail-tester.com & https://emailspooftest.com)


In 2025 I gave a 45-minute talk at WHY2025, "How (not) to configure your domainname [internet.nl]" (recording), about internet standards and misconfigurations in both the website and email space. In this talk I want to focus on the mail part and on (online) free open source tooling to check your mail config.

This presentation will touch on:

  • DNSSEC (RFC 4033 and many more), some common failures (e.g. CNAMEs)
  • why not to CNAME to your apex domain (if you have an MX record)
  • use Null MX (RFC 7505) (if you don't use mail on a hostname)
  • why to configure SPF (RFC 7208) on all hostnames
  • why there are more reasons to avoid CNAMEs
  • why to enable DANE (RFC 6698) and TLSRPT (RFC 8460), why it's superior to MTA-STS (RFC 8461), and how to rotate DANE
  • why monitoring matters (IPv6, DANE, SPF, etc.)

Speakers

Benjamin W. Broersma

Hi there 👋

I'm a hacker, full stack developer, and advisor about internet standards. I like code golf.

  • 🔭 I’m currently working for the Netherlands Standardisation Forum, which facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens
  • 🌱 I’m currently learning ZIP, ZLIB (RFC 1950, RFC 1951), ASN.1, ODF and OPC file formats
  • 💬 Ask me anything about EML_NL¹, JQ, bash, xmlstarlet and PL/pgSQL
  • 📫 How to reach me, see my email or 🐦 (@bwbroersma)
  • ⚡ Fun fact: I mail and tweet too many oneliners to colleagues

¹ I used to work for the Electoral Council of the Netherlands (@kiesraad), an electoral management body

