UNX.SE

Outbound mail

Did you receive mail from @unx.se or any subdomain of unx.se? Well, most likely you did not.

Faking the from-address in unsolicited email messages is the common rule of all spammers and botnets.

DKIM

All outbound mail that truly originates from @unx.se or any subdomain of unx.se are DKIM signed.

SPF

These domains are set up with a strict SPF policies indicating that only a very limited set of hosts may send mail on behalf of these domains.

SPF record of @unx.se:

v=spf1 a:mars.unx.se a:deimos.unx.se a:phobos.unx.se include:_spf.google.com -all

SPF record of @mars.unx.se:

v=spf1 a:mars.unx.se a:deimos.unx.se a:phobos.unx.se -all

Allowed MX IPs:

94.254.0.247
2001:9b0:10:2104:216:3eff:fe79:b884
172.105.87.94
2a01:7e01::f03c:91ff:feea:d4
172.105.18.78
2600:3c04::f03c:91ff:feea:d4d

The domain @unx.se is also set up to permit Google's MX servers.

Note the -all part at the end indicating that no other mailhosts are allowed to send mail for these domains. The receiving mail server should discard or mark such messages as spam.

DMARC

Besides the protection of DKIM and SPF, these domains utilize the DMARC authentication protocol. Basically, the DMARC records of @mars.unx.se and @unx.se tells any receiving mail server to reject messages not passing DKIM and SPF checks.

DMARC record:

v=DMARC1; p=reject; rua=mailto:[hidden]; ruf=mailto:[hidden]; fo=1;

The important part is p=reject indicating that only fully aligned messages should be accepted for this domain.

Inbound mail

This server enforces a strict inbound mail policy.

Connecting hosts with broken, forged or missing reverse DNS are rejected immediately. Any host found in DNS blacklists are rejected. Host sending invalid HELO/EHLO commands or start talking before the 200 SMTP greeting are rejected. Additionally, domain names with a bad reputation are rejected immediately. These rules alone cuts off the vast majority of spam before the content even reaches the mail server.

The surviving messages are later checked against RBL, SPF records and DKIM signatures and filtered accordingly.