Phase 4: DNS Records
Objective
Create MX, SPF, DKIM, and DMARC DNS records in BIND (10.50.1.90). These are the authentication foundation that Abnormal Security ingests as trust signals.
Why This Matters for Abnormal
Abnormal reads Authentication-Results headers from M365. Those headers contain SPF, DKIM, and DMARC verdicts. Understanding how these records are created and what they enforce gives you the vocabulary to evaluate Abnormal’s detection claims and diagnose false positives during the CHLA migration.
MX Record
# Before
dig @10.50.1.90 MX inside.domusdigitalis.dev +short
# Create
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone inside.domusdigitalis.dev
update add inside.domusdigitalis.dev. 3600 MX 10 mail-01.inside.domusdigitalis.dev.
send
EOF
# After
dig @10.50.1.90 MX inside.domusdigitalis.dev +short
SPF Record
SPF tells receiving servers which IPs are authorized to send mail for your domain.
# Before
dig @10.50.1.90 TXT inside.domusdigitalis.dev +short
# Create
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone inside.domusdigitalis.dev
update add inside.domusdigitalis.dev. 3600 TXT "v=spf1 ip4:10.50.1.91 ~all"
send
EOF
# After — verify SPF record exists
dig @10.50.1.90 TXT inside.domusdigitalis.dev +short | grep spf
DKIM Record
DKIM adds a cryptographic signature to outbound mail. The public key is published in DNS so receivers can verify.
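Note: The DKIM public key is generated in Phase 5 (OpenDKIM installation). This section creates the record after that key exists.
# After generating key in Phase 5:
# Extract public key from /etc/opendkim/keys/default.txt
# A single TXT string holds at most 255 bytes; if the p= value is longer,
# split it into several quoted strings ("part1" "part2") on the update line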
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone inside.domusdigitalis.dev
update add default._domainkey.inside.domusdigitalis.dev. 3600 TXT "v=DKIM1; k=rsa; p=<PUBLIC_KEY_HERE>"
send
EOF
# Verify
dig @10.50.1.90 TXT default._domainkey.inside.domusdigitalis.dev +short
DMARC Record
DMARC tells receivers what to do with mail that passes neither SPF nor DKIM in alignment with the From: domain, and where to send aggregate reports.
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone inside.domusdigitalis.dev
update add _dmarc.inside.domusdigitalis.dev. 3600 TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@inside.domusdigitalis.dev; pct=100"
send
EOF
# Verify
dig @10.50.1.90 TXT _dmarc.inside.domusdigitalis.dev +short
Complete DNS Verification
# All records at once
echo "=== MX ===" && dig @10.50.1.90 MX inside.domusdigitalis.dev +short
echo "=== A ===" && dig @10.50.1.90 mail-01.inside.domusdigitalis.dev A +short
echo "=== PTR ===" && dig @10.50.1.90 -x 10.50.1.91 +short
echo "=== SPF ===" && dig @10.50.1.90 TXT inside.domusdigitalis.dev +short | grep spf
echo "=== DMARC ===" && dig @10.50.1.90 TXT _dmarc.inside.domusdigitalis.dev +short
# DKIM verified after Phase 5
Verification Checklist
- MX record resolves to mail-01.inside.domusdigitalis.dev
- A record resolves to 10.50.1.91
- PTR record resolves to mail-01.inside.domusdigitalis.dev
- SPF TXT record present with v=spf1
- DMARC TXT record present with v=DMARC1
- DKIM TXT record present (after Phase 5)
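
The `grep spf` check in the verification commands only confirms that some SPF string exists; because `update add` in `nsupdate` appends to the existing TXT set instead of replacing it, re-running the SPF step with a changed value leaves two SPF records, which receivers treat as a permanent error. The script below is an added example, not part of the original runbook, that lints `dig +short` output for that case and for the DMARC policy tag; the function names and the sample answers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint `dig +short TXT` answers for the SPF and DMARC records.
# Live use: lint_mail_txt "$(dig @10.50.1.90 TXT inside.domusdigitalis.dev +short)" \
#             "$(dig @10.50.1.90 TXT _dmarc.inside.domusdigitalis.dev +short)"

# Drop the quotes dig prints, join split strings, and undo a '\;' escape if present.
unquote() { sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' -e 's/\\;/;/g'; }

# Count SPF records in the answer on stdin. RFC 7208 allows exactly one;
# more than one makes receivers return permerror.
spf_count() { unquote | grep -ciE '^v=spf1( |$)' || true; }

# Qualifier of the "all" mechanism in the first SPF record: - ~ ? or + (the default).
spf_all_qualifier() {
  unquote | grep -iE '^v=spf1( |$)' | head -n1 | tr ' ' '\n' |
    sed -n -E 's/^([-~?+]?)all$/\1/p' | sed 's/^$/+/' | head -n1
}

# Value of one tag (p, rua, pct, ...) from the DMARC record on stdin.
dmarc_tag() {
  unquote | grep -iE '^v=DMARC1 *(;|$)' | head -n1 | tr ';' '\n' |
    sed -n -E "s/^ *$1 *= *(.*[^ ]) *\$/\1/p" | head -n1
}

# Print one line per problem; return 0 when clean, 1 otherwise.
lint_mail_txt() {  # $1 = apex TXT answer, $2 = _dmarc TXT answer
  local bad=0 n q p
  n=$(printf '%s\n' "$1" | spf_count)
  [ "$n" -eq 1 ] || { echo "SPF: expected 1 record, found $n"; bad=1; }
  q=$(printf '%s\n' "$1" | spf_all_qualifier)
  case "$q" in -|'~') ;; *) echo "SPF: all qualifier is '${q:-missing}'"; bad=1 ;; esac
  p=$(printf '%s\n' "$2" | dmarc_tag p)
  case "$p" in none|quarantine|reject) ;; *) echo "DMARC: bad p= '$p'"; bad=1 ;; esac
  return "$bad"
}

# Constructed sample answers in `dig +short` format (10.50.1.92 is made up).
SAMPLE_APEX='"v=spf1 ip4:10.50.1.91 ~all"'
SAMPLE_DUP='"v=spf1 ip4:10.50.1.91 ~all"
"v=spf1 ip4:10.50.1.92 -all"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; rua=mailto:postmaster@inside.domusdigitalis.dev; pct=100"'

lint_mail_txt "$SAMPLE_APEX" "$SAMPLE_DMARC" && echo "clean"
lint_mail_txt "$SAMPLE_DUP" "$SAMPLE_DMARC" || echo "duplicate SPF caught"
```

If the lint reports a duplicate, remove the stale string with an `update delete` for that exact TXT value before re-adding the intended one.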