e-securemail Deployment Procedure

    1. Define the Destination Mail Server :

    To deliver the filtered (valid) messages to the mailbox of the concerned domain, enter the destination hostname or IP address.

    For example: votredomaine.fr, 11.111.111.11, or -mail.protection.outlook.com.

    1. Log in to the domain management interface at https://www.security-mail.net/.

    2. Enter your username and password.

    3. Navigate to Configuration => Domain Settings => Delivery/SMTP and update the destination mail server of your domain.

    This screenshot illustrates a destination mail server hosted on Microsoft 365.


     ⚠️ To ensure proper configuration and avoid any loss of emails, it is essential to follow the procedure in the specified order. Please note that the configuration of MX records must be done last.  

    2. Modifying DNS Records (SPF, DKIM and DMARC) :

    To legitimize sending emails via e-securemail servers, nous need to add :


    Adding the SPF Record

    The SPF record is a line you must add to your DNS server to prevent email spoofing on your domain. This helps reduce the risk of your domain being used for SPAM.

    Here is the information you need to add via your registrar (e.g., Gandi, 1&1, OVH…) to create the TXT record for the domain "your-domain-name.com".

    (Note: "your-domain-name.com" is used as an example.)

    your-domain-name.com 10800 IN TXT "v=spf1 include:includespf.security-mail.net -all"

     

    Adding the DKIM Record

    The DKIM record ensures that your domain has not been spoofed and that the message has not been altered during transmission.

    1. Generate your DKIM key:

      • Log in to the e-securemail interface.
      • Navigate to Configuration > Domain Settings > DKIM.

    2. Add the DKIM key to your domain’s DNS records:

      • Name: sec-sig-email._domainkey
      • TTL: 3600
      • Format: TXT


    Adding the DMARC Record

    The DMARC record specifies how a domain should handle emails failing SPF and DKIM checks, providing protection against spoofing and phishing by indicating whether messages should be accepted, quarantined, or rejected.

    1. Generate a DMARC record:

    2. Example DMARC Record:
      Below is an example of a DMARC record for the domain example.com that uses the policy "none" and sends reports to the email address dmarc@secuserve.com:

    _dmarc.example.com 10800 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com"

    This ensures proper email authentication and reporting while protecting your domain from abuse.


     

    Adding a DMARC Record to Your DNS Zone

    Once you have generated your DMARC record, you need to add it to your DNS zone.

    You can do this by logging into your hosting provider's control panel and accessing the DNS settings for your domain.

    These records can be configured after deployment, even if you do not yet have a DKIM entry.


    Video demonstration



    3. Modifying DNS Records (MX) :

    Once the destination mail server is updated, configure the MX records to redirect traffic to our gateways.

    This helps reduce the attack surface for your email service (e.g., Google, Microsoft 365, Exchange, etc.).


    Update the MX Records with the Following Information:

    Priority Mail Server
    10 france.security-mail.net.
    20 europe.security-mail.net.
    Note: For some registrars, it is necessary to add a period (.) at the end of .net to properly close the record.  


    For Google Workspace and Microsoft 365 mailboxes :

    Google :

    For Google Workspace mailboxes, it is necessary to verify that the MX update has been correctly replicated in your Google Admin Portal.

    Microsoft 365 :

    For Microsoft 365 mailboxes, you can follow either the manuel or automated deployment process.


    4. Limiting Connections to your mail Server :

    To ensure that only secure messages are received, it is recommended to restrict incoming emails to those originating exclusively from the Email Filtering Service servers. This operation further enhances the security of your mail server by making it invisible to the outside world.

    You can implement this restriction at the level of your corporate firewall by establishing security rules that allow only the Email Filtering Service servers to communicate with your server using the SMTP protocol.


    Mail Server Configuration:

    Configure your mail server to route outgoing traffic through the filtering/relay gateway.

    This may involve modifying routing rules or setting up a specific connector for outbound filtering.


    See the IP range to authorize


    To identify the host you need to connect to, please refer to the provisioning documentation provided to you upon registration.

    If not, you can also contact the support team at support@secuserve.com.


    ESM for Microsoft 365 MX version with outbound message filtering

    Tags
    ESM PRO changement MX Information MX MX SPF DKIM Configuration DNS
    Published