Topics in this area:
email clients' configuration examples: Outlook - Outlook 2007 - Outlook 2013 2016 - Mac OS/X Mail - Thunderbird - Zimbra Desktop
email servers' configuration examples: Microsoft Exchange Server - Microsoft Office 365 - Zimbra Collaboration
transparently archives all the emails
anti-spam filter based on authorized senders
To start using RealSender:
We automatically sign emails with DKIM, so you don’t need to do anything else.
Questions? Contact us!
Tools > Options > Accounts
Mail > [Properties]
Servers
Outgoing mail (SMTP): rsxxx.realsender.com
Outgoing Mail Server
[x] My server requires authentication
[Settings…]
Outgoing Mail Server
[x] Log on using
Account name: (the one we sent you)
Password: (the one we sent you)[x] Remember password
[OK]
Advanced
Outgoing mail (SMTP): 25
[x] This server requires a secure connection (SSL)
[OK]
Tools > Options…
Mail Setup > [E-mail Accounts…]
[Change…]
Change E-mail Account
Outgoing mail server (SMTP): rsxxx.realsender.com
[More Settings…]
Outgoing Server
[x] My outgoing server (SMTP) requires authentication
[x] Log on using
User Name: (the one we sent you)
Password: (the one we sent you)[x] Remember password
[OK]
Advanced
Use the following type of encrypted connection: TLS
[OK]
File > [Info]
[Account and Social Network Settings]
[Account Settings…]
[Change…]
Change E-mail Account
Outgoing mail server (SMTP): rsxxx.realsender.com
[More Settings…]
Outgoing Server
[x] My outgoing server (SMTP) requires authentication
[x] Log on using
User Name: (the one we sent you)
Password: (the one we sent you)[x] Remember password
[OK]
Advanced
Use the following type of encrypted connection: TLS
[OK]
Mail > Preferences… > Server Settings
Outgoing Mail Server (SMTP) > Edit SMTP Server List …
[+] Create an account
Description: rsxxx.realsender.com
User name: (the one we sent you)
Password: (the one we sent you)
Host Name: rsxxx.realsender.com
[ ] Automatically detect and maintain account settings
Port: 587 [x] Use TLS/SSL
Authentication: Password
[OK]
Outgoing Mail Server (SMTP)
Account: rsxxx.realsender.com
[Save]
Tools > Account Settings
Outgoing Server (SMTP) > [Add…]
Settings
Description: RealSender
Server Name: rsxxx.realsender.com
Port: 587
Security and Authentication
Connection security: STARTTLS
Authentication method: Normal password
User Name: (the one we sent you)
[OK]
RealSender > [Set Default]
Account settings
(select you email account on the tree at the left side)
Outgoing Server (SMTP): RealSender
[OK]
The first time you send a message
Outgoing Server (SMTP) Password Required
Enter your password for…: (the one we sent you)
[x] Use Password Manager to remember this password
[OK]
Launch Desktop > Setup (top right)
MY ACCOUNTS > [Edit]
EDIT ACCOUNT
Sending Mail
SMTP Server: rsxxx.realsender.com
Security: [x] Use SSL encryption when sending mail
Authentication: [x] Username and password required to send mail
User Name: (the one we sent you)
Password: (the one we sent you)
[Validate and Save]
To start using RealSender:
We automatically sign emails with DKIM, so you don’t need to do anything else.
Questions? Contact us!
EAC
(Exchange Admin Center)
Mail Flow > Send Connectors
[+] New send connector
new send connector
*Name:
Internet Mail
Type:
[x] Internet (For example, to send internet mail)
[next]
edit smart host
Specify a fully qualified domain name (FQDN), IPv4 address, or IPv6 address:
rsxxx.realsender.com
[save]
new send connector
*Network settings:
[x] Route mail through smart hosts
(unchanged)
[next]
new send connector - authentication
Smart host authentication:
[x] Basic authentication
[x] Offer basic authentication only after starting TLS*User name:
(the one we sent you)*Password:
(the one we sent you)
[next]
new send connector - routing
*Address space:
TYPE: SMTP
DOMAIN: *
COST: 1
[next]
new send connector - which exchange server
[EXCHANGE]
[add ->] EXCHANGE
[ok]
[finish]
Microsoft Office 365 Admin center
Left-menu > Admin
Microsoft 365 admin center > … Show all
Microsoft 365 admin center > Admin centers > Exchange
Exchange admin center > Mail flow > Connectors
Connectors > Add a connector
Connection from: [x] Office 365
Connection to: [x] Partner organization[Next]
This connector enforces routing and security restritions for email messages sent
from Office 365 to your partner organization or service provider.
Name: RealSender
What do you want to do after connector is saved?
[x] Turn it on[Next]
Specify when you want to use this connector.
[x] Only when I have a transport rule set up that redirects messages to this connector[Next]
How do you want to route email messages?
Specify one or more smart hosts to which Office 365 will deliver email messages.
A smart host is an alternative server and can be identified by using a fully qualified domain name (FQDN) or an IP address.
[x] Route email through these smart host
rsxxx.realsender.com [+][Next]
How should Office 365 connect to your partner organization's email server?
[x] Always use Transport Layer Security (TLS) to secure the connection (recommended)
Connect only if the recipient's email server certificate matches this criteria
[x] Issued by a trusted certificate authority (CA)[Next]
Specify an email address for an active mailbox that's on your partner domain.
You can add multiple addresses if your partner organization has more than one domain.
yourname@yourdomain.com [+]
[Validate]
[Validate]
Validation in progress...
Validation successful
> Task Status
> Check connectivity to 'rsxxx.realsender.com' Succeeded
> Send test email Succeeded[Next]
Mail flow scenario
From: Office 365
To: Partner organization
Name
RealSender
Status
Turn it on after saving
Use of connector
Use only when I have a transport rule set up that redirects messages to this connector.
Routing
Route email messages through these smart hosts: rsxxx.realsender.com
Security restrictions
Always use Transport Layer Security (TLS) and connect only if the recipient’s
email server certificate is issued by a trusted certificate authority (CA).[Create connector]
Zimbra Collaboration
(network edition / open source)
> Admin Console
Zimbra Administration
> Configure
> Global Settings
> MTA
Authentication
Enable authentication [ ]
TLS authenticaton only [ ]
Network
Web mail MTA Hostnames: localhost
Web mail MTA Port: 25Relay MTA for external delivery: rsxxx.realsender.com : 25
Relay MTA for external delivery (fallback): rsxxx.realsender.com : 25
Email messages are the main channel of modern business communications.
Their accidental loss would great damage the company’s knowledge base.
Furthermore, business correspondence should generally be kept for up to ten years.
!! if your company is using personal mailboxes
such as name.surname@companyname.com
you must have informed the senders before activating this functionWe provide you with a dedicated inbound email domain,
so RealSender’s “doublebackup” app archives transparently
all the emails, that you can access via:
An automatic process archives the messages divided by recipient, month and year.
When associated with RealSender Email Gateway,
all the sent emails are duplicated and archived automatically.
Web-interface features:
A working demo is available in our (free) postmaster tools area:
» inxbox temporary email
85% of all email traffic is spam: reduce the noise,
Immediately stop the flood of emails !
RealSender’s “spamstop” app is an anti-spam filter that does not require any installation
because it is based on a service that makes use of the domain’s MX record.
It only accepts messages from your pre-approved contacts:
just the emails coming from the authorized senders will reach your mailbox.
Other solutions usually filter the received messages
by a score assigned on the reputation and the contents.
Only emails from senders that the recipient has authorized will reach the inbox.
This means: you will receive only messages from the known senders
avoiding system overloads, loss of time and scams. To find out more:
Email is the main channel for cyber attacks.
Sender address spoofing can be easily detected by email authentication information.
RealSender’s “spamstop” app shows it directly in the email subject of the messages you receive.
This also allows you to continuously check the correct email settings of your company, customers and partners.
It is an efficient anti-spam solution when combined with a filter
that splits messages according to senders that are NOT in your address book.
Topics in this area:
spf-based email sender check
dkim-based sender and email seal check
at least one of the domains must align with the sending From domain
two SPAM tags added to the subject to highlight fraud
an example of how to configure the spam filter on your email clients
We want to make sure that the sender address has not been forged/spoofed*.
* = make the message appear from someone other than the actual source
SPF authentication helps us identifying if the message has been sent through an authorized smtp server.
This information is stored in the domain’s dns, that is a safe place, outside the email message.
Only if the message has NOT been authenticated correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:
:: spf-none :: the sender domain contains no information to authenticate the email
:: spf-softfail :: the smtp server is not listed among the authorized ones but this case should be treated as a "softfail"
:: spf-fail :: the smtp server is not listed among the authorized ones and the email should be rejected or discardedSometimes the information recorded at domain level is not correct/understandable.
:: spf-permerror :: a permanent error has occured (eg. badly formatted SPF record)SPF check is made against the “Mail From” email address, that is hidden in the email headers.
Only the “From” email address is visible. If their root domains are different, this warning is displayed:
:: spf-diff :: the "Mail From" and the "From" root domains are differentDKIM (DomainKeys Identified Mail) allows senders to prove that the email was actually sent by them and has not been modified after being sent.
It achieves this by affixing a digital signature (seal), linked to a domain name, to each outgoing email message.
Only if the message has NOT been signed correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:
:: dkim-none :: no DKIM-Signature headers (valid or invalid) were found
:: dkim-fail :: a valid DKIM-Signature header was found, but the signature does not contain a correct value for the message Sometimes it’s not possible to execute the check:
:: dkim-invalid :: there is a problem in the signature itself or the public key record. I.e. the signature could not be processed
:: dkim-temperror :: some error was found which is likely transient in nature, such as a temporary inability to retrieve a public keyWhen the message has been signed using a different domain, a “diff” notice is added:
This warning will NOT appear if the sender passes the SPF check:
:: dkim-diff :: the message has NOT been signed by the sender's domainDMARC (Domain-based Message Authentication, Reporting and Conformance),
is an email authentication standard, developed to combat spoofed domain mail.
In the chapter “3.1. Identifier Alignment” it says:
Email authentication technologies authenticate various (and
disparate) aspects of an individual message. For example, [DKIM]
authenticates the domain that affixed a signature to the message,
while [SPF] can authenticate either the domain that appears in the
RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
HELO domain, or both. These may be different domains, and they are
typically not visible to the end user.
DMARC authenticates use of the RFC5322.From domain by requiring that
it match (be aligned with) an Authenticated Identifier.
-- https://tools.ietf.org/html/rfc7489#section-3.1It simply means:
when a sender authenticates their email using SPF and/or DKIM,
at least one of the domains must align with the sending From domainThis approach is widely accepted and generally considered
a good practice to identify trusted sender domains.
For SPF authentication
the root domain of the Mail From address must match the root domain of the From address.
Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.
For DKIM authentication
the root of the dkim signing domain must match the From domain.
Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.
both the rules are respected
the sender domain is fully trusted,
the message arrives unchanged
only one of the two rules is met
the ~ (tilde) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header
~ ... subject ...
X-RealSender: ~ | spf=pass (domain NOT aligned) | dkim=pass | ~~ ... subject ...
X-RealSender: ~ | spf=pass | dkim=pass (domain NOT aligned) | ~DMARC is being used by more and more companies to protect their senders from spoofing.
Its use requires proper authentication with SPF or DKIM and alignment of From / Mail-From domains.
For more information:
<dmarc> act on fraudulent email
Messages from senders with the _dmarc record,
if they are NOT authenticated, they are highlighted with two [ SPAM ] tags in the subject:
[ SPAM ] ... message subject ... [ SPAM ]Messages without the _dmarc record, when both SPF and DKIM authentication fail,
are reported with a [suspicious] tag in the subject:
[suspicious] ... message subject ... RealSender’s “spamstop” app is an efficient anti-spam solution when combined with a filter
that splits messages according to senders that are NOT in your address book.
Most email clients offer this feature.
Below is a screenshot of the “Message filter” tool in Thunderbird.
Add an extra security layer to your inboxes.
RealSender’s “spamstop” app protects your inboxes
from unwanted senders and dangerous attachments.
Topics in this area:
security option to accept emails from authorized and authenticated senders only
security option to remove all potentially harmful attachments from emails
receive email messages only from the senders that you have previously authorized
It is useful when you want to receive emails from one sender only,
and all messages that fail the checks must be discarded.
In this case you need to be sure that the sender’s email address has not been spoofed.
This control can be done putting together SPF and DKIM authentication.
SPF confirms the sender’s address and its relationship with the server that sent out the message.
DKIM guarantees that the email (including the attachments) has not been modified since the “signature” was affixed.
In theory it’s that easy, in practice both SPF and DKIM can refer to a different domain than the from address.
We check that SPF authentication and DKIM signature are related to the domain in the from address.
In this way no other than the original sender can authenticate the email. This guarantees its origin.
The “remove dangerous attachments” option blocks all potentially harmful attachments
except some safe extensions as pdf, txt, gif, jpg and png.
The recipient receives the message without the attachment.
A warning is added to the beginning of the content, like this:
WARNING: This email violated Your Company's email security policy and
has been modified. For more information, contact your IT Administrator.
An attachment named "example.zip" was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.On the internet there is an interesting case study, that ends with this sentence:
“For us, attachment filtering has been very successful”
– web.mit.edu/net-security/Camp/2004/presentations/reillyb-mit2004.ppt (PowerPoint presentation)
Not all email clients provide sophisticated ways to filter emails.
In these cases it is possible to act upstream.
The “Authorized senders” feature allows you to receive messages
only from the senders you have previously authorized:
All the regular messages will arrive as usual in your inbox.
All the spam messages will go to a different mailbox.
No emails will be lost.
You may read the discarded messages mailbox once a day.
You will save so much precious time.