AGIX Discussion All HowTo's Cyber-Security

Inbound and Outbound SMTP Design for No Spam

Spam starts and ends with us technicians. It’s our servers that get compromised and it’s our servers that receive it at the other end. With this in mind, we need to ensure only “good” email is going out to the Internet and only “good” email coming in from the Internet.

Let’s deal with the outbound email solution first. Then we’ll look at inbound email. Outbound email has this configuration: a) Email leaving the business must originate from ‘only’ the internal email server and this should be enforced in the network firewall’s ACL configuration. b) Subscribe to an SMTP relay such as Amazon’s SES service and configure your internal email server to that service as the relay (smart host). These SaaS’s don’t get labeled as spammers and they’ll let you know pretty quickly if you have spam originating from your network. Again, use your firewall’s ACL configuration to enforce this policy. c) Check your internal email server’s logs and ensure that everything is working as you’d expect. A final note on this is to test this configuration before moving into production.

The second part to this is the inbound configuration. Again we can use an SMTP hosted solution where the anti-spam and anti-virus will happen. We can do it also at the internal email server for good measure. This configuration looks like this: a) Configure the email server to only accept email from the inbound relay and/or do this in the network firewall ACLs. You will likely need to get a list of IP addresses from the service provider to ensure you permit all legitimate servers to forward you email. b) Make sure the inbound service provider does anti-virus, anti-spam and offers multiple MX records which you’ll need when making changes to your DNS zone. Also make sure that, if necessary, the service provider will hold and retry mail that cannot get through to your internal email server the first time. You’ll also want see reports about the effectiveness of the service periodically – perhaps monthly. c) As mentioned in point ‘b’, make sure you update your DNS zone’s MX records to forward to the service provider. Once done, all new email bound for your internal email server will go to the service provider and then to your internal email server.


  • Investigate both inbound and outbound SMTP relay service providers. There are plenty to choose from. Compare them.
  • Configure your network firewall and internal email server’s settings to only allow sending and receiving email to and from the SMTP relay service providers.
  • Make sure you have a back-out plan. If something goes wrong and you stop sending email or stop receiving email, you’ll need another way to allow the business to continue functioning in this regard.

Leave a Reply

Your email address will not be published. Required fields are marked *