Your email infrastructure is hardened against the same standards used to protect government and defense systems. Not as a marketing claim — as an engineering practice.
Public key + TOTP multi-factor authentication. Strict cipher suites, disabled root login, verbose logging, and idle timeouts. Every session is audited.
ASLR, restricted ptrace, disabled core dumps, SYN cookies, martian logging, and source route rejection. The kernel itself is your first line of defense.
Auditd with immutable rules, AIDE filesystem integrity monitoring with daily email alerts, and centralized sudo logging. Every change is tracked.
UFW with default-deny policy, SSH rate limiting, and Fail2ban with active jails across SSH, Postfix, Dovecot, and Apache. Brute force doesn't get far.
AppArmor enforcing, restrictive umask, disabled USB storage, password quality enforcement, and automatic security updates. The attack surface is minimal.
Every service — web, mail, IMAP — enforces TLS 1.2+ with modern cipher suites. OCSP stapling and HSTS preload ensure connections are never downgraded.
Our TLS certificates are pinned directly to DNS via DANE/TLSA records, secured by DNSSEC. Even if a Certificate Authority is compromised, attackers cannot impersonate our mail servers. Fewer than 0.1% of domains deploy this.
Every outbound email is signed with Edwards-curve cryptography (Ed25519): faster, smaller, and mathematically stronger than RSA. We maintain RSA fallback for compatibility with older servers.
Mail Transfer Agent Strict Transport Security prevents TLS downgrade attacks on inbound mail. Our policy is set to enforce mode — not testing, not optional. Encrypted or rejected.
Strict SPF with hard fail (-all) and DMARC with strict alignment on both SPF and DKIM. Spoofed emails are rejected, not just flagged. Zero ambiguity about who sent it.
Every DNS response is cryptographically signed. Cache poisoning and man-in-the-middle attacks against our DNS records are not possible.
Certificate Authority Authorization records restrict which CAs can issue certificates for our domains. Unauthorized certificate issuance is blocked at the DNS level.
Properly configured reverse DNS ensures our mail server identity is verifiable in both directions. Forward and reverse lookups match — a requirement for trusted mail delivery.
Ingest and analyze DMARC aggregate reports per RFC 7489. See which IPs are sending as your domain, whether they pass SPF/DKIM, and where unauthorized usage originates.
Track your authentication pass rates over time. Spot regressions in SPF alignment, DKIM signing, or DMARC compliance before they impact deliverability.
A single A-F grade combining bounce rate, spam complaints, rejection rate, and blacklist status. Know your sender reputation at a glance.
Continuous checks against major DNS blacklists. Get alerted when your IPs are listed and track delisting progress automatically.
Guided DMARC policy upgrades from none to quarantine to reject. The advisor analyzes your report data and recommends when it is safe to tighten enforcement.
Track your security posture score, authentication rates, and deliverability grade over a rolling 90-day window. See the trajectory, not just the snapshot.
These aren't badges we bought. They're frameworks we measure ourselves against — continuously. Our server hardening follows DISA STIG and CIS Level 2 profiles. Our controls map to NIST 800-53, ISO 27001 Annex A, PCI DSS v4, and the Australian Essential Eight maturity model.
Join the users who trust RacterMX to keep their email private, authenticated, and secure.