for email admins

Topics in this area:

email client settings

email clients' configuration examples: Outlook - Outlook 2007 - Outlook 2013 2016 - Mac OS/X Mail - Thunderbird - Zimbra Desktop

email server settings

email servers' configuration examples: Microsoft Exchange Server - Microsoft Office 365 - Zimbra Collaboration

doublebackup app

transparently archives all the emails

spamstop app

spam filter based on email authentication and authorized senders

Subsections of for email admins

email client settings

To start using RealSender:

  1. Request a free trial account

  2. Change the settings of the outgoing mail (SMTP) within your email client:
    Outlook - Outlook 2007 - Outlook 2013 2016 - Mac OS/X Mail - Thunderbird - Zimbra Desktop

    Your’s not in the list above? Contact us!

    Visit the “Email Server” area if you use a centralized email system.
    Check our “Newsletter software” area if you plan to send mass mailings.

  3. Change your domain’s settings to authenticate the sent messages with SPF
    (this is generally done after the trial period)

  • Why? If you wish to have email from your domain sent through a third party service,
    you must configure your SPF record to permit delivery from the service provider’s IP addresses.
    If you don’t do this, then you risk having email receivers reject all email sent from your domain.

  • Setting up the RealSender SPF record is easy:
    all you have to do is add include:spf.realsender.com to your SPF record, and you’re done.

We automatically sign emails with DKIM, so you don’t need to do anything else.

Questions? Contact us!

Subsections of email client settings

Outlook

Outlook Express Outlook 2000

Tools > Options > Accounts

Outlook Express - Internet accounts - Mail

Mail > [Properties]

Outlook Express - Internet accounts - Mail - Properties

Servers

Outgoing mail (SMTP): rsxxx.realsender.com

Outgoing Mail Server

[x] My server requires authentication

[Settings…]

Outlook Express - Internet accounts - Mail - Outgoing Mail Server

Outgoing Mail Server

[x] Log on using

Account name: (the one we sent you)
Password: (the one we sent you)

[x] Remember password

[OK]

Outlook Express - Internet accounts - Mail - Properties - Advanced

Advanced

Outgoing mail (SMTP): 25
[x] This server requires a secure connection (SSL)

[OK]

Outlook 2007

Outlook 2007

Tools > Options…

Mail Setup > [E-mail Accounts…]

Outlook 2007 - Mail Setup - E-mail Accounts

[Change…]

Outlook 2007 - Mail Setup - E-mail Accounts - Change

Change E-mail Account

Outgoing mail server (SMTP): rsxxx.realsender.com

[More Settings…]

Outlook 2007 - Internet E-mail Settings - Outgoing Server

Outgoing Server

[x] My outgoing server (SMTP) requires authentication

[x] Log on using

User Name: (the one we sent you)
Password: (the one we sent you)

[x] Remember password

[OK]

Outlook 2007 - Internet E-mail Settings - Advanced

Advanced

Use the following type of encrypted connection: TLS

[OK]

Outlook 2013 2016

Outlook 2013 2016

File > [Info]

Outlook 2013 2016 - Account Information

[Account and Social Network Settings]

[Account Settings…]

Outlook 2013 2016 - Account Settings - E-mail Accounts

[Change…]

Outlook 2013 2016 - mail setup - email accounts - change

Change E-mail Account

Outgoing mail server (SMTP): rsxxx.realsender.com

[More Settings…]

Outlook 2013 2016 - internet email settings - outgoing server

Outgoing Server

[x] My outgoing server (SMTP) requires authentication

[x] Log on using

User Name: (the one we sent you)
Password: (the one we sent you)

[x] Remember password

[OK]

Outlook 2013 2016 - internet email settings - advanced

Advanced

Use the following type of encrypted connection: TLS

[OK]

Mac OS/X Mail

osx mail

Mail > Preferences… > Server Settings

osx mail - accounts - server settings - edit smtp

Outgoing Mail Server (SMTP) > Edit SMTP Server List …

osx mail - accounts - server settings - smtp server list

[+] Create an account

Description: rsxxx.realsender.com

User name: (the one we sent you)
Password: (the one we sent you)

Host Name: rsxxx.realsender.com
[  ] Automatically detect and maintain account settings

Port: 587    [x] Use TLS/SSL
Authentication: Password

[OK]

osx mail - accounts - server settings

Outgoing Mail Server (SMTP)

Account: rsxxx.realsender.com

[Save]

Thunderbird

Thunderbird

Tools > Account Settings

Thunderbird - Outgoing Server  - Add

Outgoing Server (SMTP) > [Add…]

Thunderbird - SMTP Server

Settings

Description: RealSender
Server Name: rsxxx.realsender.com
Port: 587

Security and Authentication

Connection security: STARTTLS
Authentication method: Normal password
User Name: (the one we sent you)

[OK]

Thunderbird - Outgoing Server (SMTP) Settings

RealSender > [Set Default]

Thunderbird - Outgoing Server (SMTP)

Account settings
(select you email account on the tree at the left side)

Outgoing Server (SMTP): RealSender

[OK]

Thunderbird - Outgoing Server (SMTP) Password Required

The first time you send a message

Outgoing Server (SMTP) Password Required

Enter your password for…: (the one we sent you)

[x] Use Password Manager to remember this password

[OK]

Zimbra Desktop

zimbra

Launch Desktop > Setup (top right)

zimbra - my accounts

MY ACCOUNTS > [Edit]

zimbra - edit account

EDIT ACCOUNT

Sending Mail

SMTP Server: rsxxx.realsender.com

Security: [x] Use SSL encryption when sending mail

Authentication: [x] Username and password required to send mail

User Name: (the one we sent you)

Password: (the one we sent you)

[Validate and Save]

email server settings

To start using RealSender:

  1. Request a free trial account

  2. Change the settings of the outgoing mail (SMTP) within your email server:
    Microsoft Exchange Server - Microsoft Office 365 - Zimbra Collaboration

    Your’s not in the list above? Contact us!

    Visit the “Email Client” page if you use individually configured email clients.
    Check our “Newsletter software” area if you plan to send mass mailings.

  3. Change your domain’s settings to authenticate the sent messages with SPF
    (this is generally done after the trial period)

  • Why? If you wish to have email from your domain sent through a third party service,
    you must configure your SPF record to permit delivery from the service provider’s IP addresses.
    If you don’t do this, then you risk having email receivers reject all email sent from your domain.

  • Setting up the RealSender SPF record is easy:
    all you have to do is add include:spf.realsender.com to your SPF record, and you’re done.

We automatically sign emails with DKIM, so you don’t need to do anything else.

Questions? Contact us!

Subsections of email server settings

Exchange Server

exchange server 2013 2016 2019

EAC
(Exchange Admin Center)

exchange server 2013 2016 2019 - mailflow - send connectors

Mail Flow > Send Connectors

[+] New send connector

exchange server 2013 2016 2019 - new send connector

new send connector

*Name:
Internet Mail

Type:
[x] Internet (For example, to send internet mail)

[next]

exchange server 2013 2016 2019 - edit smart host

edit smart host

Specify a fully qualified domain name (FQDN), IPv4 address, or IPv6 address:
rsxxx.realsender.com

[save]

exchange server 2013 2016 2019 - new send connector

new send connector

*Network settings:
[x] Route mail through smart hosts
(unchanged)

[next]

exchange server 2013 2016 2019 - new send connector - authentication

new send connector - authentication

Smart host authentication:
[x] Basic authentication
[x] Offer basic authentication only after starting TLS

*User name:
(the one we sent you)

*Password:
(the one we sent you)

[next]

exchange server 2013 2016 2019 - new send connector - routing

new send connector - routing

*Address space:

TYPE: SMTP
DOMAIN: *
COST: 1

[next]

exchange server 2013 2016 2019 - new send connector - which exchange server

new send connector - which exchange server

[EXCHANGE]

[add ->] EXCHANGE

[ok]

exchange server 2013 2016 2019 - new send connector - finish

[finish]

Office 365

Office 365

office 365 - sign in

Microsoft Office 365 Admin center

office 365 - admin

Left-menu > Admin

office 365 - show all

Microsoft 365 admin center > … Show all

office 365 - admin centers - exchange

Microsoft 365 admin center > Admin centers > Exchange

office 365 - mail flow > connectors

Exchange admin center > Mail flow > Connectors

office 365 - add a connector

Connectors > Add a connector


New connector

office 365 - new connector

Connection from: [x] Office 365  
Connection to:   [x] Partner organization

[Next]


Connector name

office 365 - connector name

This connector enforces routing and security restritions for email messages sent 
from Office 365 to your partner organization or service provider.
Name: RealSender
What do you want to do after connector is saved?
[x] Turn it on

[Next]


Use of connector

office 365 - use of connector

Specify when you want to use this connector.
[x] Only when I have a transport rule set up that redirects messages to this connector

[Next]


Routing

office 365 - routing

How do you want to route email messages?
Specify one or more smart hosts to which Office 365 will deliver email messages. 
A smart host is an alternative server and can be identified by using a fully qualified domain name (FQDN) or an IP address.
[x] Route email through these smart host
    rsxxx.realsender.com   [+]

[Next]


Security restrictions

office 365 - security restrictions

How should Office 365 connect to your partner organization's email server?
[x] Always use Transport Layer Security (TLS) to secure the connection (recommended)
    Connect only if the recipient's email server certificate matches this criteria
    [x] Issued by a trusted certificate authority (CA)

[Next]


Validation email

office 365 - validation email

Specify an email address for an active mailbox that's on your partner domain. 
You can add multiple addresses if your partner organization has more than one domain.
yourname@yourdomain.com [+]
[Validate]

Validation successful

office 365 - validation successful

[Validate]
	Validation in progress...
	Validation successful
	>	Task											Status
	>	Check connectivity to 'rsxxx.realsender.com'	Succeeded
	>	Send test email									Succeeded

[Next]


Review connector

office 365 - review connector

Mail flow scenario
From: Office 365
To: Partner organization

Name
RealSender
Status
Turn it on after saving

Use of connector
Use only when I have a transport rule set up that redirects messages to this connector.

Routing
Route email messages through these smart hosts: ‎rsxxx.realsender.com‎

Security restrictions
Always use Transport Layer Security ‎(TLS)‎ and connect only if the recipient’s 
email server certificate is issued by a trusted certificate authority ‎(CA)‎.

[Create connector]

Zimbra Collaboration

zimbra admin console

Zimbra Collaboration
(network edition / open source)

> Admin Console

zimbra admin - configure - global settings - mta

Zimbra Administration

> Configure

> Global Settings

> MTA

zimbra admin - mta - relay mta for externa ldelivery

Authentication

Enable authentication [  ]
TLS authenticaton only [  ]

Network

Web mail MTA Hostnames: localhost
Web mail MTA Port: 25

Relay MTA for external delivery: rsxxx.realsender.com : 25
Relay MTA for external delivery (fallback): rsxxx.realsender.com : 25


Please [inform our support team](/we-deliver-your-emails/contacts) that you're using Zimbra Collaboration, so that we configure our servers to accept the connection without any further setup on your side (no need to make any change to the Zimbra's postfix smtp settings)

doublebackup app

archive emails

Email messages are the main channel of modern business communications.
Their accidental loss would great damage the company’s knowledge base.
Furthermore, business correspondence should generally be kept for up to ten years.

 !! if your company is using personal mailboxes
 such as name.surname@companyname.com  
 you must have informed the senders before activating this function

We provide you with a dedicated inbound email domain,
so RealSender’s “doublebackup” app archives transparently
all the emails, that you can access via:

  • a special pop3 mailbox
    configured to accept large amounts of emails in a short time

  • a secure web area
    available online through a customized version of our inxbox web interface

An automatic process archives the messages divided by recipient, month and year.

When associated with RealSender Email Gateway,
all the sent emails are duplicated and archived automatically.


Request a free trial

Subsections of doublebackup app

inxbox web interface

inxbox web monitor

Web-interface features:

  • List messages in a mailbox
  • Displays content of a particular message
  • Displays source of a message (headers + body)
  • Displays HTML version of a message (in a new window)
  • List MIME attachments with buttons to display or download
  • Delete a message
  • Monitor: a real time display of all received messages

inxbox email message

A working demo is available in our (free) postmaster tools area:
» inxbox temporary email


Request a free trial

spamstop app

spam stop

Email is the main channel for cyber attacks.

Sender address spoofing can be detected by email authentication information.

RealSender’s “spamstop” app shows the results of authenticity checks
directly in the subject of received messages.

This also allows you to continuously check
the correct email settings of your company, customers and partners.

It is an efficient anti-spam solution when combined with a filter
that splits messages according to senders that are NOT in your address book.


Topics in this area:

1 - spf check

spf-based email sender check

2 - dkim check

dkim-based sender and email seal check

3 - dmarc alignment

at least one of the domains must align with the sending From domain

4 - double spam tags

two SPAM tags added to the subject to highlight fraud

client side sender filter

to receive in your inbox only the senders you have previously authorized

server side sender filter

to receive email messages only from the senders that you have previously authorized

security settings

to protect your email boxes from unwanted senders and dangerous attachments

Subsections of spamstop app

1 - spf check

spf logo


We want to make sure that the sender address has not been forged/spoofed*.
* = make the message appear from someone other than the actual source

SPF authentication helps us identifying if the message has been sent through an authorized smtp server.
This information is stored in the domain’s dns, that is a safe place, outside the email message.

Only if the message has NOT been authenticated correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:

:: spf-none ::       the sender domain contains no information to authenticate the email  
:: spf-softfail ::   the smtp server is not listed among the authorized ones but this case should be treated as a "softfail"  
:: spf-fail ::       the smtp server is not listed among the authorized ones and the email should be rejected or discarded

Sometimes the information recorded at domain level is not correct/understandable.

:: spf-permerror ::  a permanent error has occured (eg. badly formatted SPF record)

SPF check is made against the “Mail From” email address, that is hidden in the email headers.
Only the “From” email address is visible. If their root domains are different, this warning is displayed:

:: spf-diff ::       the "Mail From" and the "From" root domains are different

Tell me more

2 - dkim check

dkim logo


DKIM (DomainKeys Identified Mail) allows senders to prove that the email was actually sent by them and has not been modified after being sent.
It achieves this by affixing a digital signature (seal), linked to a domain name, to each outgoing email message.

Only if the message has NOT been signed correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:

:: dkim-none ::      no DKIM-Signature headers (valid or invalid) were found  
:: dkim-fail ::      a valid DKIM-Signature header was found, but the signature does not contain a correct value for the message  

Sometimes it’s not possible to execute the check:

:: dkim-invalid ::   there is a problem in the signature itself or the public key record. I.e. the signature could not be processed
:: dkim-temperror :: some error was found which is likely transient in nature, such as a temporary inability to retrieve a public key

When the message has been signed using a different domain, a “diff” notice is added:
This warning will NOT appear if the sender passes the SPF check:

:: dkim-diff ::      the message has NOT been signed by the sender's domain

Tell me more

3 - dmarc alignment

dmarc logo


DMARC (Domain-based Message Authentication, Reporting and Conformance),
is an email authentication standard, developed to combat spoofed domain mail.

In the chapter “3.1. Identifier Alignment” it says:

   Email authentication technologies authenticate various (and
   disparate) aspects of an individual message.  For example, [DKIM]
   authenticates the domain that affixed a signature to the message,
   while [SPF] can authenticate either the domain that appears in the
   RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
   HELO domain, or both.  These may be different domains, and they are
   typically not visible to the end user.

   DMARC authenticates use of the RFC5322.From domain by requiring that
   it match (be aligned with) an Authenticated Identifier.
   
   -- https://tools.ietf.org/html/rfc7489#section-3.1

It simply means:

   when a sender authenticates their email using SPF and/or DKIM,  
   at least one of the domains must align with the sending From domain

This approach is widely accepted and generally considered
a good practice to identify trusted sender domains.


**RealSender MX Protect checks the dmarc-default "relaxed" alignment:**
  • For SPF authentication
    the root domain of the Mail From address must match the root domain of the From address.
    Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.

  • For DKIM authentication
    the root of the dkim signing domain must match the From domain.
    Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.


**Possible results:**
  1. both the rules are respected
    the sender domain is fully trusted,
    the message arrives unchanged

  2. only one of the two rules is met
    the ~ (tilde) symbol is added to the subject,
    one of the following explanatory notes is inserted in the message header

~ ... subject ...
X-RealSender: ~ | spf=pass (domain NOT aligned) | dkim=pass | ~
~ ... subject ...
X-RealSender: ~ | spf=pass | dkim=pass (domain NOT aligned) | ~
  1. no alignment at all
    the “:: spf-diff ::” and “:: dkim-diff ::” warnings
    are displayed in the subject

Tell me more

4 - double spam tags

spam tag

DMARC is being used by more and more companies to protect their senders from spoofing.
Its use requires proper authentication with SPF or DKIM and alignment of From / Mail-From domains.

For more information:
<dmarc> act on fraudulent email

Messages from senders with the _dmarc record,
if they are NOT authenticated, they are highlighted with two [ SPAM ] tags in the subject:

[ SPAM ] ... message subject ... [ SPAM ]

Messages without the _dmarc record, when both SPF and DKIM authentication fail,
are reported with a [suspicious] tag in the subject:

[suspicious] ... message subject ... 

Request a free trial

client side sender filter

email sender filter

RealSender’s “spamstop” app is an efficient anti-spam solution
when combined with a filter that splits messages
according to senders that are NOT in your address book.

Most modern email clients offer this feature.
Here are some configuration examples:

Microsoft 365 Outlook

in outlook settings enable: trust email from my contacts

Mozilla Thunderbird

in Thunderbird create a filter with rules 'From isn't in my address book'

Subsections of client side sender filter

Microsoft 365 Outlook

Outlook


Below is the “Settings” screen in Outlook.

In “Junk email”, check “Trust email from my contacts”.
Press [Save] to record the changes.


settings

junk email

trust email from my contacts


Request a free trial

Mozilla Thunderbird

Thunderbird


Below is a screenshot of the “Message filter” tool in Thunderbird.

Add conditions with the “Match ALL of the following” option:

  • From isn’t in my address book, Personal Address Book
  • From isn’t in my address book, Collected Addresses

Perform these actions: Move Message to: Spam.


anti-spam filter


Request a free trial

server side sender filter

email server senders filter

Not all email clients provide sophisticated ways to filter emails.
In these cases it is possible to act upstream.

The “Authorized senders” feature allows you to receive messages
only from the senders you have previously authorized:

Authorized senders

All the regular messages will arrive as usual in your inbox.
All the spam messages will go to a different mailbox.

No emails will be lost.
You may read the discarded messages mailbox once or more a day.
You will save so much precious time.


Request a free trial

security settings

protected area

They add an extra layer of security to your emails.

To protect your email inboxes
from unwanted senders and dangerous attachments.


Topics in this area:

authorized senders only

security option to accept emails from authorized and authenticated senders only

remove dangerous attachments

security option to remove all potentially harmful attachments from emails

Subsections of security settings

authorized senders only

authorized senders only

It is useful when you want to receive emails from one sender only,
and all messages that fail the checks must be discarded.

In this case you need to be sure that the sender’s email address has not been spoofed.
This control can be done putting together SPF and DKIM authentication.

SPF confirms the sender’s address and its relationship with the server that sent out the message.
DKIM guarantees that the email (including the attachments) has not been modified since the “signature” was affixed.

In theory it’s that easy, in practice both SPF and DKIM can refer to a different domain than the from address.

We check that SPF authentication and DKIM signature are related to the domain in the from address.
In this way no other than the original sender can authenticate the email. This guarantees its origin.


Request a free trial

remove dangerous attachments

remove dangerous attachments

The “remove dangerous attachments” option blocks all potentially harmful attachments
except some safe extensions as pdf, txt, gif, jpg and png.

The recipient receives the message without the attachment.
A warning is added to the beginning of the content, like this:

WARNING: This email violated Your Company's email security policy and
has been modified. For more information, contact your IT Administrator.

An attachment named "example.zip" was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.

On the internet there is an interesting case study, that ends with this sentence:
“For us, attachment filtering has been very successful”
web.mit.edu/net-security/Camp/2004/presentations/reillyb-mit2004.ppt (PowerPoint presentation)


Request a free trial