
Module 5: Email and DNS — Delivery, Security, Authentication

6 lessons

email, mx, spf, dkim, dmarc, bimi, dane, mta-sts


Email is the protocol everyone uses and almost nobody understands at the infrastructure level. The basics look simple: you type an address, click send, and the message arrives. What actually happens involves at least four separate DNS record types, two cryptographic systems, a policy framework, and enough failure modes to fill a weekend of debugging.

This module covers the full stack — not just "here's what SPF does" but the exact record syntax, the failure modes you'll actually hit, and the sequence of steps to go from "emails going to spam" to "DMARC p=reject with aggregate reporting."

What This Module Covers

Lesson 01 — MX Records and Mail Routing
How email actually finds its destination. Priority, failover, the CNAME trap, and the Null MX you should set on every domain that doesn't send email.

Lesson 02 — DANE and MTA-STS
Two approaches to verifying your mail server's TLS certificate. DANE needs DNSSEC. MTA-STS doesn't. Both solve real problems. You need to know which one your infrastructure supports.

Lesson 03 — SPF: Sender Policy Framework
Which IPs are allowed to send as your domain. The +all trap that opens the door to anyone. The forwarding problem that breaks SPF even when you've done everything right. The 10-lookup limit that fails silently when you exceed it.

Lesson 04 — DKIM: DomainKeys Identified Mail
Cryptographic signatures in email headers. Key pairs, selectors, rotation strategy, and the common failure where a 4096-bit key doesn't fit in a UDP response.

Lesson 05 — DMARC: Domain-Based Message Authentication
The policy that ties SPF and DKIM together and tells receiving servers what to do with failures. The path from p=none monitoring to p=reject enforcement. How to read aggregate reports without losing your mind.

Lesson 06 — BIMI: Brand Indicators for Message Identification
Show your logo in supporting email clients. The requirements are real (DMARC p=reject, a Verified Mark Certificate from Entrust or DigiCert). Whether it's worth it depends on your budget and your current DMARC state.

Prerequisites

Module 3 (DNS Record Types) covers the foundation — you should know what a TXT record is and how to query one with dig.

If you've already spent hours debugging why your emails go to spam, this module will explain exactly what went wrong and how to fix it.