Applying DNS best security and configurations.

DNSSEC

A technology that can be added to the Domain Name System to verify the authenticity of its data. The works by adding verifiable chains of trust that can be validated to the domain name system. Link

First enable it from DNS provider (Google Cloud DNS) and then check DS records, from setup tab, than insert them in your original DNS provider (nic). Make sure first your original DNS provider supports it.

CAA

A Certification Authority Authorization (CAA) record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain. Link

CAA 0 issue "letsencrypt.org"

SPF

A Sender Policy Framework (SPF) record is a type of Domain Name Service (DNS) TXT record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to detect and prevent spammers from sending messages with forged From addresses on your domain. Link

TXT "v=spf1 include:_spf.google.com -all"

DKIM

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. Link

Create it from G Suite. choose 1024 key bit because some dns provider does not supports more than 255 charactors and seperating them some of them putting new space when joining.

DMARC

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. Link

TXT "v=DMARC1\;" "p=reject\;" "rua=mailto:yaser@yr.sa\;" "ruf=mailto:yaser@yr.sa\;" "sp=reject\;" "ri=86400"

Links