The client workstation will ask its DNS resolver for the address of the mail servers managing the “example.fr” domain. The resolver, which is set to check for DNSSEC availability, queries the DNS chain to determine the domain’s authoritative server: ns1.example.fr (DNS tree explanations and demonstrations).
The MX request is then sent to the DNS server “ns.example.fr”, which replies with:
- The MX records (as it would without DNSSEC),
- The corresponding RRSIG record, a digital signature over the MX record set,
- The DNSKEY record, whose public key is used to verify the RRSIG signature.
It also queries the DNS server of the parent zone, in this case “fr”, which responds with:
- The DS record, a digest of the child zone’s DNSKEY that lets the resolver confirm the DNSKEY has not been forged.
With this information, the resolver can now:
- Validate the DNSKEY against the DS digest published by the parent zone,
- Verify the RRSIG signature using the DNSKEY public key,
- Check that the verified signature covers exactly the MX records supplied.
If everything is valid, the response is accepted. If the response has been modified by a “man-in-the-middle” attack, the RRSIG will no longer verify under the DNSKEY. If the DNS server is compromised or hacked and serves a substitute key, the DNSKEY will not match the DS digest held by the parent zone.
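The first of those checks, validating the child zone’s DNSKEY against the parent’s DS record, can be reproduced offline with only the standard library. This is an added example written for this article, not code from Altospam or from any DNS library; the key bytes are constructed placeholders, not a real key for example.fr, and the DS record is built here to stand in for what the “fr” zone would publish.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, length-prefixed, root label last."""
    labels = [] if name in ("", ".") else name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK), 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; it lets a resolver pick the matching DS/DNSKEY pair."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256 (RFC 4509)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest()

def validate_dnskey(owner: str, rdata: bytes, ds_records: list) -> bool:
    """True if the child's DNSKEY matches a DS published by the parent zone (key tag, algorithm and digest)."""
    tag, alg = key_tag(rdata), rdata[3]
    for ds in ds_records:
        if ds["key_tag"] != tag or ds["algorithm"] != alg:
            continue
        if ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"].lower():
            return True
    return False

# Constructed sample: a fake 32-byte ECDSA P-256 (algorithm 13) KSK for example.fr.
KSK_RDATA = dnskey_rdata(257, 13, bytes(range(1, 33)))
# Stand-in for the DS record the parent "fr" zone would publish for that key.
PARENT_DS = [{"key_tag": key_tag(KSK_RDATA), "algorithm": 13, "digest_type": 2,
              "digest": ds_digest("example.fr", KSK_RDATA)}]

def demo() -> tuple:
    """Genuine key validates; a key swapped in by a compromised server does not match the parent's DS."""
    swapped = dnskey_rdata(257, 13, bytes(range(33, 65)))
    return validate_dnskey("example.fr", KSK_RDATA, PARENT_DS), validate_dnskey("example.fr", swapped, PARENT_DS)
```

A real validator goes on to verify the RRSIG signature with this DNSKEY, which needs an asymmetric-crypto library; the DS check above is the step that ties that key to the parent zone.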
Why activate DNSSEC?
Activating DNSSEC in email security is also important to guarantee the authenticity and integrity of DNS resolutions used in email communication processes. Indeed, many stages of email transmission involve the use of domain names and DNS resolutions to verify sender authenticity, avoid phishing and prevent spam.
Without DNSSEC enabled, DNS resolutions can be falsified or manipulated, enabling attackers to redirect email traffic to malicious servers, carry out phishing attacks, propagate malware, or even block email delivery.
By enabling DNSSEC, domain owners can protect email communication processes against man-in-the-middle attacks, boost recipients’ confidence in received emails, and improve quality of service by avoiding disruptions due to attacks on DNS resolutions.
The “altospam.com” domain and all its sub-domains are protected by DNSSEC. So when a message is delivered to one of our customers, the name resolution of our servers is secured against any form of modification or spoofing.