- IP -> PTR lookup -> forward lookup of that hostname, which must match the original IP again
- SPF
- DKIM - one possible implementation: OpenDKIM - opendkim is an excellent tool, which helped find the real problem with a simple "Diagnostics yes" in the config file.
- DMARC
- ARC (for mailing lists)
- SRS (when forwarding, rewrite the From and re-sign DKIM, and then ARC-sign that)
- Decent TLS
- MTA-STS
- DANE
Use a site like internet.nl for testing mail server configuration and capabilities.
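The first check in the list above (IP -> PTR -> hostname -> IP again), as an added example that is not part of the original notes. The function names, the injectable resolver parameters, and the sample records (documentation address ranges and `mail.example.org`) are assumptions made for illustration.

```python
import ipaddress
import socket

def _ptr_lookup(ip):
    """System-resolver PTR lookup; returns [] when there is no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def _forward_lookup(hostname):
    """System-resolver A/AAAA lookup; returns [] on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=_ptr_lookup, forward_lookup=_forward_lookup):
    """Return the PTR hostnames whose forward lookup contains ip again."""
    client = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(str(client)):
        host = name.rstrip(".").lower()
        for addr in forward_lookup(host):
            try:
                # Compare parsed addresses so IPv6 spellings are equivalent.
                if ipaddress.ip_address(addr.split("%")[0]) == client:
                    confirmed.append(host)
                    break
            except ValueError:
                continue
    return confirmed

# Constructed sample data (documentation address ranges), not real DNS records.
SAMPLE_PTR = {
    "192.0.2.25": ["mail.example.org."],
    "2001:db8::25": ["mail.example.org."],
    "198.51.100.7": ["mail.example.org."],  # PTR claims a name it does not own
    "203.0.113.9": [],                      # no PTR at all
}
SAMPLE_FORWARD = {"mail.example.org": ["192.0.2.25", "2001:0db8:0:0:0:0:0:25"]}

def sample_check(ip):
    """Run fcrdns() against the constructed records above (works offline)."""
    return fcrdns(ip, lambda a: SAMPLE_PTR.get(a, []),
                  lambda h: SAMPLE_FORWARD.get(h, []))
```

Calling `fcrdns("<your server IP>")` without the lookup arguments uses the system resolver, so it can be pointed at a real outbound address.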
Follow up comment: Google at least adds ARC headers in Gmail, and did the editing of RFC8617. ARC – Authenticated Received Chain
Follow up comment: Bimi Group - is snake oil, or well, a scam is more like it: if you can pay and they like you, you get a logo, anybody else is out... marketing companies of the world (and the ones earning money for bits ala domains and worse EV SSL certs... rejoice)
Follow up link: mailing lists are the ugly stepchild
Settings for mailing list:
We have SPF, DKIM signing, and a DMARC policy that sets p=none.
We're not setting p=reject, considering the number of mailing lists our users are on that are outdated or based on EOL software (including this one which depends on python 2.7, and including our own which have the same problem). It's impossible to know, from the outside, how mailing lists are configured. Mailman3 is...special. That's a rant for another time.
We get about an email a week from someone emailing security-officer@ trying to get a bug bounty telling us we should set p=reject. There's an ecosystem for this stuff.
Note: Yup. Gmail has made it quite clear that they will not accept v6 mail that isn't SPF or DKIM authenticated. DKIM is more work but works more reliably.
ARC: It's certainly not a magic ticket into an inbox but it is slowly helping undo DMARC mailing list damage. It's not important unless you forward mail like a mailing list does.
What ARC does:
ARC addresses the problem that mailing lists do a lousy job of spam filtering. A list that usually sends lovely clean mail sometimes doesn't, since a typical list forwards anything with a subscriber's address on the From line, including spam from cleverish spammers who take pairs of from/to addresses from stolen mailboxes.
ARC lets the recipient system look back and do what we might call retroactive filtering, using info about messages as they arrived at the previous forwarder. While it would be nice if lists did a better job of spam filtering, they don't, and ARC is a reasonable remedy for that.
Additional protection settings:
I run my own mail server and have no trouble at all delivering mail to Gmail over IPv6. I do have SPF, DKIM, DNSSEC and DANE on my mail servers. My DMARC policy is p=none. If it matters, the MTA is a heavily hacked version of qmail.
Someone mentioned nullmailer as a small mail program that allows you (or your system) to send mails through an existing email account (using an SMTP server).
In response to "Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery.": DKIM replay attacks preventative measures
2022/04/24 added - DMARC Domain Checker
2022/06/12 added - Email Audit - Check the DNA of your email against important best practices.