How to protect against changing mail server AS IS?

0

In DNS we can set up an IP for mx.example.com in an A record, and after that we can set up @ for the domain controlled by mx.example.com in an MX record.

From this moment everyone knows that when you want to send mail to admin@example.com you should connect to mx.example.com, which is at the IP address from the A record.

Next situation: someone installed a new server on the same IP (i.e. a new VPS/DS on the same IP in the datacenter) with a mail server that accepts connections on port 25.

In such a case, when someone sends mail to admin@example.com his mail server will connect to 'mx.example.com', but it is NOT the same server anymore. The message will be sent, to someone.

Is it possible to add a kind of digest in DNS records to protect against the situation when someone changed your server?

DKIM works for outgoing mail. But how can the sender (=server) check that the recipient is on the valid server?

nikitasius

Posted 2016-12-24T16:08:31.810

Reputation: 41

DNS isn't designed to address this kind of issue. Half the point of DNS is to abstract away the physical identity of a box so that it can be more dynamically mapped to names. – Frank Thomas – 2016-12-24T18:29:29.803

Finally, yes, designed. TLSA records. DNSSEC -> TLSA -> server connection, and if the fingerprint differs from the data in TLSA, the client should close the connection. – nikitasius – 2016-12-26T11:27:29.340

Answers

0

Finally:

TLSA - for certificates

SSHFP - for SSH connections

nikitasius

Posted 2016-12-24T16:08:31.810

Reputation: 41
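The TLSA answer in practice, as an added example that is not part of nikitasius's question or answer: the domain owner publishes a digest of the MX's certificate (or of its public key) under `_25._tcp.mx.example.com`, and a DANE-aware sending MTA compares that digest with what the server actually presents during STARTTLS. The record format follows RFC 6698 and the SMTP usage follows RFC 7672; the byte strings below are constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo data (real deployments extract those with an X.509 parser), and the helper names (`make_tlsa`, `sender_may_deliver`, and so on) are this example's own. DNSSEC validation of the TLSA lookup is assumed to have happened already; without it an attacker who controls DNS answers could simply publish a record for their own key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-ins for DER-encoded material. In practice these bytes are
# the certificate the MX presents during STARTTLS and its SubjectPublicKeyInfo;
# the digests below are computed exactly as they would be over real DER.
OLD_MX_CERT = b"constructed DER stand-in: certificate of the original mx.example.com"
OLD_MX_SPKI = b"constructed DER stand-in: SPKI of the original mx.example.com"
NEW_MX_CERT = b"constructed DER stand-in: certificate of the replacement box on the same IP"
NEW_MX_SPKI = b"constructed DER stand-in: SPKI of the replacement box on the same IP"

Leaf = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698 section 2.1)."""
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def _selected(selector: int, leaf: Leaf) -> bytes:
    """Pick the part of the certificate the selector refers to."""
    cert_der, spki_der = leaf
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _associated(matching: int, selected: bytes) -> bytes:
    """Turn the selected bytes into certificate association data."""
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(leaf: Leaf, usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Build the record the domain owner publishes; '3 1 1' (DANE-EE, SPKI,
    SHA-256) is the usual choice for SMTP because it survives certificate
    renewals that keep the same key pair."""
    return TLSA(usage, selector, matching, _associated(matching, _selected(selector, leaf)))


def tlsa_owner(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for an MX host, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


def tlsa_rr(owner: str, rec: TLSA) -> str:
    """Zone-file presentation of a TLSA record."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.matching} {rec.data.hex()}"


def record_matches(rec: TLSA, presented: Leaf) -> bool:
    """DANE-EE (usage 3) check: the presented end-entity certificate must match
    the record directly, with no PKIX chain validation. Usage 2 matches an
    issuer in the presented chain and usages 0/1 additionally need PKIX path
    validation; both are out of scope for this example."""
    if rec.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    expected = _associated(rec.matching, _selected(rec.selector, presented))
    return hmac.compare_digest(expected, rec.data)


def sender_may_deliver(tlsa_rrset: List[TLSA], presented: Leaf) -> bool:
    """Decision of a DANE-aware sending MTA, given a DNSSEC-validated TLSA RRset
    for the MX and the certificate the MX presented. Records this example cannot
    evaluate are skipped; if nothing usable matches, delivery is refused. This
    is stricter than RFC 7672's fallback for RRsets with no usable records."""
    usable = [r for r in tlsa_rrset if r.usage == 3 and r.selector in (0, 1)
              and r.matching in (0, 1, 2)]
    return any(record_matches(r, presented) for r in usable)


# The domain owner publishes a digest of the legitimate server's key ...
OWNER = tlsa_owner("mx.example.com")
PUBLISHED = [make_tlsa((OLD_MX_CERT, OLD_MX_SPKI))]

if __name__ == "__main__":
    print(tlsa_rr(OWNER, PUBLISHED[0]))
    # ... so a sender can tell the original box from a replacement on the same IP.
    print("original MX:", sender_may_deliver(PUBLISHED, (OLD_MX_CERT, OLD_MX_SPKI)))
    print("replacement on same IP:", sender_may_deliver(PUBLISHED, (NEW_MX_CERT, NEW_MX_SPKI)))
```

The A record still points at the same IP in both cases; what changes is the key behind the TLS handshake, and that is what the TLSA digest pins. The protection only holds for senders that perform DANE validation, so it is a reason to publish TLSA records rather than a guarantee that every sender will refuse the impostor.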