By SuKai, July 12, 2022
At work we need to provide VPS services to customers. VPS users want to manage and configure their services simply, ideally out of the box, so we give customers the cPanel management tool, which manages Apache, Let's Encrypt, PowerDNS, Exim and other services. Today we look at the DNS configuration a mail server needs for anti-spam.
Basic concepts
FQDN
Fully Qualified Domain Name. A mail server's hostname must be an FQDN, for example srv.primebooksnepal.com.
PTR record
A PTR (pointer) record provides reverse resolution in DNS, mapping an IP address to a domain name; it is the exact opposite of an A record, which resolves a domain name to an IP address.
MX record
MX is a DNS record type that carries email routing information. When a mail server sends mail over SMTP, it opens an SMTP connection to the mail server named in the MX record. The MX value is normally the hostname of the mail server.
TXT record
TXT is a DNS record type whose value is free text; it is commonly used to hold domain-ownership verification data.
SPF
Sender Policy Framework, the sender policy framework of the email system, intended to prevent forged mail. A TXT record is added to the domain in DNS whose value is the SPF record; the SPF record lists the IP addresses of the servers allowed to send mail for the domain, so the receiving mail server can check whether the sending server's IP matches the SPF record and reject mail with a forged sender domain.
DKIM
DomainKeys Identified Mail (DKIM) is a cryptographic email authentication system that protects mail headers and body against tampering. A DKIM key has a private and a public half: the message is signed with the private key before it is sent, and when it reaches the receiving server the public key is looked up in DNS to verify the signature.
DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an extensible email authentication protocol built on SPF and DKIM. Mail that fails SPF and DKIM validation is handled according to the policy given in the DMARC record, for example none (take no action), reject (refuse the mail) or quarantine (mark it as spam), and a report is sent to the mailbox address named in the DMARC record.
HELO
HELO is an SMTP (Simple Mail Transfer Protocol) command sent by a mail server, followed by the server's domain name; it identifies the sending server when mail is being sent.
Mail checking tools
Mxtoolbox
Mxtoolbox provides mail server checking services. https://mxtoolbox.com/
Postmaster tools
Google's mail administrator tool; it analyses statistics about the mail your server sends to Gmail mailboxes. https://postmaster.google.com/
Spamhaus blocklist
Spamhaus is an international non-profit organisation that runs anti-spam systems and provides real-time spam blocklist lookups; the major mail providers use these lists to block delivery from listed senders. https://check.spamhaus.org/
Configuration example
My domain is primebooksnepal.com and the mail server hostname is srv.primebooksnepal.com.
Configuring the MX record
ningsuan@ubuntuserver:~/yaml/vpc$ dig MX primebooksnepal.com
; <<>> DiG 9.16.1-Ubuntu <<>> MX primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48404
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;primebooksnepal.com. IN MX
;; ANSWER SECTION:
primebooksnepal.com. 5504 IN MX 0 srv.primebooksnepal.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:51:14 UTC 2022
;; MSG SIZE rcvd: 68
ningsuan@ubuntuserver:~/yaml/vpc$ dig srv.primebooksnepal.com
; <<>> DiG 9.16.1-Ubuntu <<>> srv.primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26575
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;srv.primebooksnepal.com. IN A
;; ANSWER SECTION:
srv.primebooksnepal.com. 7131 IN A 103.98.131.78
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:51:23 UTC 2022
;; MSG SIZE rcvd: 68
Configuring the SPF record and Google Postmaster Tools verification
Generate the SPF record with a website, https://www.spf-record.com/generator . An SPF record resembles a firewall rule set: each field is one matching rule. "+" means pass (accept the mail), "-" means fail (reject and bounce the mail), and "~" means soft fail (accept the mail but mark it).
v=spf1 a mx ip4:103.98.131.78 -all
v=spf1: the protocol version.
a: mail may be sent from the IP address in the domain's A record.
mx: mail may be sent from the servers named in the MX records.
ip4: an IP address authorised to send mail.
-all: reject everything else. If one of the preceding rules matches, the mail is accepted; if none matches, it is rejected and bounced.
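To make the first-match evaluation concrete, here is an added SPF checker (example code written for this article, not part of cPanel, Exim or any SPF library). It resolves names against a small constructed DNS table instead of a live resolver and covers the a, mx, ip4, include and all mechanisms seen on this page; ip6, exists and redirect are left out.

```python
import ipaddress

# Constructed stand-in for DNS lookups (not a live resolver): {(name, rrtype): [values]}; the TXT value is the record dig returned above.
FAKE_DNS = {
    ("primebooksnepal.com", "TXT"): ["v=spf1 +a +mx +ip4:103.98.131.78 ~all"],
    ("primebooksnepal.com", "A"): ["103.98.131.78"],
    ("primebooksnepal.com", "MX"): ["srv.primebooksnepal.com"],
    ("srv.primebooksnepal.com", "A"): ["103.98.131.78"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms; "+" is the default qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed

def spf_check(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender ip against domain's SPF record; the first matching term decides the result."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; this also stops include loops
        return "permerror"
    records = [r for r in dns.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # no SPF record -> none; more than one -> permerror
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(records[0]):
        if mech == "all":
            matched = True
        elif mech == "ip4":  # a bare address is treated as a /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns.get((arg or domain, "A"), [])
        elif mech == "mx":
            matched = any(ip in dns.get((h, "A"), []) for h in dns.get((arg or domain, "MX"), []))
        elif mech == "include":  # include only contributes a match when the other record passes
            matched = spf_check(ip, arg, dns, depth + 1) == "pass"
        else:
            raise ValueError(f"unsupported mechanism: {mech}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no "all" term
```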
ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT primebooksnepal.com
; <<>> DiG 9.16.1-Ubuntu <<>> TXT primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17528
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;primebooksnepal.com. IN TXT
;; ANSWER SECTION:
primebooksnepal.com. 2680 IN TXT "google-site-verification=z0qEJnwgxS04QWO_g_jlKLQCDKeqskPgMddZ39HI8-c"
primebooksnepal.com. 2680 IN TXT "v=spf1 +a +mx +ip4:103.98.131.78 ~all"
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:52:01 UTC 2022
;; MSG SIZE rcvd: 179
ningsuan@ubuntuserver:~/yaml/vpc$
SPF https://mxtoolbox.com/SuperTool.aspx?action=spf%3aprimebooksnepal.com&run=toolpage
| Prefix | Type | Value | PrefixDesc | Description |
|---|---|---|---|---|
| v | spf1 | | | The SPF record version |
| + | a | | Pass | Match if IP has a DNS 'A' record in given domain. |
| + | mx | | Pass | Match if IP is one of the MX hosts for given domain name. |
| + | ip4 | 103.98.131.78 | Pass | Match if IP is in the given range. |
| + | include | _spf.google.com | Pass | The specified domain is searched for an 'allow'. |
| ~ | all | | SoftFail | Always matches. It goes at the end of your record. |
Configuring the DKIM record
ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT default._domainkey.primebooksnepal.com
; <<>> DiG 9.16.1-Ubuntu <<>> TXT default._domainkey.primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;default._domainkey.primebooksnepal.com. IN TXT
;; ANSWER SECTION:
default._domainkey.primebooksnepal.com. 7193 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPore+vjp8upt8RVFImHoGKRYz2DguZMYBX9gI3fOoJ0wJRZ4YcYpQBu/7HQrno0zjSKi8mM7bQ0F/zWU0qoaeX1MVPT+TXIuDAHt82f4E92IB/m9eH2f0pTcQ6eFPb++I4zL/AcUxMfuxSdpAKHINVYm5AEFe146+mC4+eNYG3YmJUnyRHs81DQqcmvrXI2k" "Yo0v3X4pXhBXXuSTUNpyVhwQJw0/wa1HbtsxLOAoirF4IFNlrEL8Jw036d1TO7MY/fGybqqNOBNG72nJubw+/Zpl/LiMDxnAiGkZ+6Qhj8hYeBkOC5R3Q/vOrMlDwlmnM8BqrHms0Bp4aStxMACWQIDAQAB;"
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:53:30 UTC 2022
;; MSG SIZE rcvd: 492
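A check worth running on the record above, as an added example (not cPanel's own code): dig prints the key as two quoted strings because DNS splits TXT data into 255-byte pieces, and the pieces must be concatenated before the p= value is base64-decoded. A minimal DER walk then reports the RSA modulus size (RFC 8301 requires at least 1024 bits and recommends 2048).

```python
import base64
import re

# The DKIM record exactly as dig printed it above, as two DNS character-strings.
DIG_TXT_LINE = (
    'default._domainkey.primebooksnepal.com. 7193 IN TXT '
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPore+vjp8upt8RVFImHoGKRYz2DguZMYBX9gI3fOoJ0wJRZ4YcYpQBu/7HQrno0zjSKi8mM7bQ0F/zWU0qoaeX1MVPT+TXIuDAHt82f4E92IB/m9eH2f0pTcQ6eFPb++I4zL/AcUxMfuxSdpAKHINVYm5AEFe146+mC4+eNYG3YmJUnyRHs81DQqcmvrXI2k" '
    '"Yo0v3X4pXhBXXuSTUNpyVhwQJw0/wa1HbtsxLOAoirF4IFNlrEL8Jw036d1TO7MY/fGybqqNOBNG72nJubw+/Zpl/LiMDxnAiGkZ+6Qhj8hYeBkOC5R3Q/vOrMlDwlmnM8BqrHms0Bp4aStxMACWQIDAQAB;"'
)

def join_txt_strings(rdata):
    """Concatenate the quoted character-strings of a TXT answer (owner/TTL prefix ignored)."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_dkim_tags(txt):
    """Parse 'tag=value; ...'; whitespace inside a base64 value is insignificant."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    return tags

def _der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus n."""
    _, pos, _ = _der_tlv(spki_der, 0)            # outer SEQUENCE
    _, _, pos = _der_tlv(spki_der, pos)          # skip AlgorithmIdentifier (rsaEncryption)
    tag, pos, _ = _der_tlv(spki_der, pos)        # BIT STRING, first content byte = unused bits
    if tag != 0x03 or spki_der[pos] != 0:
        raise ValueError("malformed SubjectPublicKeyInfo")
    _, pos, _ = _der_tlv(spki_der, pos + 1)      # RSAPublicKey SEQUENCE
    _, start, end = _der_tlv(spki_der, pos)      # INTEGER modulus (leading 0x00 pad is harmless)
    return int.from_bytes(spki_der[start:end], "big").bit_length()

def dkim_key_bits(dig_line):
    tags = parse_dkim_tags(join_txt_strings(dig_line))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    return rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
```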
Configuring the DMARC record
The DMARC record can be generated with a website, https://dmarcly.com/tools/dmarc-generator .
p: the policy; quarantine means mail that fails SPF and DKIM validation is treated as spam.
rua: address that receives aggregate reports, here info@primebooksnepal.com.
ruf: address that receives failure reports.
sp: the DMARC policy applied to subdomains.
adkim: alignment policy for DKIM; s means strict alignment, r means relaxed alignment.
The domain in the email's From header is compared with the d= field of the DKIM signature.
| From: header | DKIM d=domain | Strict alignment | Relaxed alignment |
|---|---|---|---|
| jon@solarmora.com | solarmora.com | Pass | Pass |
| jon@mail.solarmora.com | solarmora.com | Fail | Pass |
| jon@solarmora.org | solarmora.com | Fail | Fail |
aspf: alignment policy for SPF; the levels are the same as for DKIM.
The envelope-from address is compared with the From header.
| Envelope sender address | Header From: address | Strict alignment | Relaxed alignment |
|---|---|---|---|
| jon@solarmora.com | jon@solarmora.com | Pass | Pass |
| jon@mail.solarmora.com | jon@solarmora.com | Fail | Pass |
| jon@solarmora.org | jon@solarmora.com | Fail | Fail |
pct: the percentage of mail the policy is applied to; 100 means all mail is filtered.
rf: the format of failure reports; afrf is the Authentication Failure Reporting Format.
ri: the interval between aggregate reports; 86400 means one aggregate report per day.
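The alignment tables and the p/sp tags above, as an added worked example (written for this article, not the code of any DMARC tool): alignment is checked in strict and relaxed mode, and the disposition is derived from the record published for primebooksnepal.com. The org_domain helper approximates the Public Suffix List with the last two labels, an assumption that breaks for suffixes such as co.uk; pct sampling is ignored, which is exact for the pct=100 record used here.

```python
# The record dig returned for _dmarc.primebooksnepal.com, embedded here as test input.
PAGE_DMARC = ("v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=s;pct=100;fo=0;rf=afrf;"
              "ri=86400;rua=mailto:info@primebooksnepal.com;ruf=mailto:info@primebooksnepal.com")

def org_domain(name):
    """Organizational domain as the last two labels. Assumption: stands in for the
    Public Suffix List lookup a real evaluator must perform."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc(record):
    """Turn 'tag=value;...' into a dict; v=DMARC1 and p are mandatory."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def dmarc_evaluate(record, header_from, spf_result, envelope_from, dkim_result, dkim_d):
    """Return (dmarc_result, disposition) for one message: DMARC passes when SPF or DKIM
    both passed and is aligned with the From header domain; otherwise p (or sp) applies."""
    tags = parse_dmarc(record)
    from_domain = header_from.rpartition("@")[2]
    env_domain = envelope_from.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(from_domain, env_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail from a subdomain falls under sp= when present, otherwise under p=.
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy
```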
ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT _dmarc.primebooksnepal.com.
; <<>> DiG 9.16.1-Ubuntu <<>> TXT _dmarc.primebooksnepal.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_dmarc.primebooksnepal.com. IN TXT
;; ANSWER SECTION:
_dmarc.primebooksnepal.com. 3600 IN TXT "v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=s;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:info@primebooksnepal.com;ruf=mailto:info@primebooksnepal.com"
;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:54:03 UTC 2022
;; MSG SIZE rcvd: 214
ningsuan@ubuntuserver:~/yaml/vpc$
Requesting reverse DNS delegation from APNIC
Requesting removal from the Spamhaus blocklist
Spamhaus sends a removal confirmation link; click it, and once the check passes the address is removed.
----------------------------------------------------------------------
The Spamhaus Project - Policy Block List (PBL) - Email Policy System
----------------------------------------------------------------------
Verification/Confirmation Code: 17203
----------------------------------------------------------------------
Someone claiming to be info@primebooksnepal.com has submitted a request to
remove the IP Address 103.98.131.78 from the Spamhaus PBL database. This
request was received from [180.111.26.126] at 2022-07-09 12:59:26 UTC.
If this was you, you can now activate your request by entering the
code '17203' at the Spamhaus PBL Removals page or by clicking
on the following link:
https://www.spamhaus.org/pbl/removal/verify/7386767_17203
Spamhaus PBL Robot
The Spamhaus Project
https://www.spamhaus.org/pbl/
----------------------------------------------------------------------
NOT YOU? If you did not make this request, simply do nothing. You do
not need to respond. The request will auto-expire unless activated.
This message is sent by a robot, please do not reply to this email.
----------------------------------------------------------------------
Inspecting the headers of a sent message
The Authentication-Results header shows the authentication outcome: spf=pass, dkim=pass, dmarc=pass.
The Received headers record the path the message took.
Authentication-Results: spf=pass (sender IP is 103.98.131.78)
smtp.mailfrom=primebooksnepal.com; dkim=pass (signature was verified)
header.d=primebooksnepal.com;dmarc=pass action=none
header.from=primebooksnepal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of primebooksnepal.com
designates 103.98.131.78 as permitted sender)
receiver=protection.outlook.com; client-ip=103.98.131.78;
helo=mail.primebooksnepal.com; pr=C
Received: from mail.primebooksnepal.com (103.98.131.78) by
CO1NAM11FT006.mail.protection.outlook.com (10.13.174.246) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5417.15 via Frontend Transport; Mon, 11 Jul 2022 04:15:33 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:C416B2F70907B1E66922F445426DB588209DB72329C7A33E02EB0C73398D180C;UpperCasedChecksum:900347A96EE6ECCD4D74C791D8F4F303B277F774E9704C56CD2486C4054ACBE9;SizeAsReceived:2048;Count:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=primebooksnepal.com; s=default; h=Content-Type:Message-ID:Mime-Version:
Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=0p+q1pSwnzwSm6INLK/1nMvjJQj21EcC8yyW4OHB55U=; b=Yw+UmGonPw/cC34P9Z0zqazUke
ZD5vb6VDxFvjt+kJjvGjuU57MUq/5Gl+wUyX2nbZW8viL+Jl4aLU9mdHJ+by+lJ68qaa7qv/uRPvy
dsmo+kdvK4NUo2c+izWKOh1wiLRKtDME2qma7aG+/JhxdTYbnXkEYIzr6awet/Lvfy3e38R4QM7mK
ty/JeXjVEV2OXA1SX8znyf106GTn1onm0Ye52GP4WAN/OmkoaDDsMZQt3BSuZ+dXg1TcTo0bFRPEh
xsE49oUxZlvcjyxKIgm3d2ZQ703Miz5te/dSH1rMazG4H3lgQl30hpiV44ZrBRG5v4rNFzW10Ug3Z
ae2GbiRA==;
Received: from [172.16.3.2] (port=37178 helo=sukai)
by srv.primebooksnepal.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <info@primebooksnepal.com>)
id 1oAkpX-0005Am-5t
for ycsk02@hotmail.com;
Mon, 11 Jul 2022 04:15:31 +0000
Date: Mon, 11 Jul 2022 12:15:30 +0800
From: "info@primebooksnepal.com" <info@primebooksnepal.com>
To: ycsk02 <ycsk02@hotmail.com>
Subject: add dmarc
X-Has-Attach: no
X-Mailer: Foxmail 7.2.20.273[cn]
Message-ID: <202207111215285084213@primebooksnepal.com>