Recommendations

1. 1Add a DMARC record: _dmarc.yourdomain TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@yourdomain"▾

   Without DMARC, receiving mail servers have no way to know what to do when SPF or DKIM checks fail. Anyone can send emails pretending to be from your domain, and most servers will deliver them. DMARC with p=reject tells receivers to block unauthorized emails entirely.

2. 2Enable DKIM in your email provider and add the public key to your DNS zone▾

   DKIM adds a cryptographic signature to your emails, proving they haven't been tampered with in transit and genuinely originated from your domain. Without it, attackers can forge emails that pass basic checks, and your legitimate emails are more likely to land in spam.

3. 3Add MTA-STS to enforce TLS encryption for incoming emails▾

   Without MTA-STS, an attacker performing a man-in-the-middle attack can downgrade the connection between mail servers to plaintext, intercepting emails in transit. MTA-STS tells sending servers to only deliver via TLS with a valid certificate, preventing downgrade attacks.