Anti-Spam DNS Configuration for a Mail Server

SuKai July 12, 2022

At work we need to provide VPS services to users. VPS customers want to manage and configure services simply, as close to out of the box as possible, so we give them the cPanel management tool, which manages Apache, Let's Encrypt, PowerDNS, Exim and other services. Today we look at the DNS configuration a mail server needs to keep its mail from being treated as spam.

Basic concepts

FQDN

Fully Qualified Domain Name. A mail server's hostname must be an FQDN, for example srv.primebooksnepal.com.

PTR record

A PTR (pointer) record provides reverse resolution in DNS: it maps an IP address back to a domain name, the exact opposite of an A record, which resolves a domain name to an IP address.

MX record

MX is a DNS record type that carries e-mail routing information. When a mail server sends mail over SMTP, it opens the SMTP connection to the server named in the recipient domain's MX record. The MX value is normally the mail server's hostname.

TXT record

TXT is a DNS record type whose value is free-form text; it is commonly used to store domain-ownership verification data.

SPF

Sender Policy Framework, a sender policy mechanism for e-mail intended to prevent forged mail. A TXT record whose value is the SPF record is added to the domain in DNS; it lists the IP addresses of the servers that send mail for the domain. The receiving mail server checks the SPF record to verify that the connecting IP is one of them, and rejects mail with a forged sender domain.

DKIM

DomainKeys Identified Mail (DKIM) is a cryptographic mail authentication system that protects a message's headers and body against tampering. A DKIM key pair consists of a private key and a public key: the message is signed with the private key before it is sent, and when it reaches the receiving server that server fetches the public key from DNS and verifies the signature.

DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an extensible e-mail authentication protocol built on SPF and DKIM. Mail that fails SPF and DKIM verification is handled according to the policy specified in the DMARC record: none (take no action), reject (reject the message) or quarantine (mark it as spam), and a report is sent to the mailbox named in the DMARC record.

HELO

HELO is an SMTP (Simple Mail Transfer Protocol) command sent by the mail server, followed by the mail server's domain name; it is how the sending server identifies itself when delivering mail.

Mail checking tools

Mxtoolbox

Mxtoolbox provides mail server checking services. https://mxtoolbox.com/

Postmaster tools

Google's tools for mail administrators; they analyse statistics on the mail your server sends to Gmail mailboxes. https://postmaster.google.com/

Spamhaus blocklist

Spamhaus is an international non-profit organisation that runs an anti-spam system and offers real-time spam blocklist lookups; the major mail providers use these lists to block delivery from listed senders. https://check.spamhaus.org/

Configuration example

My domain is primebooksnepal.com and the mail server hostname is srv.primebooksnepal.com.

Configuring the MX record

ningsuan@ubuntuserver:~/yaml/vpc$ dig MX primebooksnepal.com

; <<>> DiG 9.16.1-Ubuntu <<>> MX primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48404
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;primebooksnepal.com.           IN      MX

;; ANSWER SECTION:
primebooksnepal.com.    5504    IN      MX      0 srv.primebooksnepal.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:51:14 UTC 2022
;; MSG SIZE  rcvd: 68

ningsuan@ubuntuserver:~/yaml/vpc$ dig srv.primebooksnepal.com

; <<>> DiG 9.16.1-Ubuntu <<>> srv.primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26575
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;srv.primebooksnepal.com.       IN      A

;; ANSWER SECTION:
srv.primebooksnepal.com. 7131   IN      A       103.98.131.78

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:51:23 UTC 2022
;; MSG SIZE  rcvd: 68

Configuring the SPF record and Google Postmaster Tools verification

Generate the SPF record with the website https://www.spf-record.com/generator . An SPF record works like a set of firewall rules: each field is one matching rule. "+" means pass (accept the message), "-" means fail (reject and bounce it), and "~" means soft fail (accept the message but mark it).

v=spf1 a mx ip4:103.98.131.78 -all

v=spf1: protocol version.

a: mail may be sent from the IP address in the domain's own A record.

mx: mail may be sent from the servers listed in the domain's MX records.

ip4: an IP address authorised to send mail.

-all: reject everything else. If one of the preceding rules matches, the message is accepted; if none matches, it is rejected and bounced.
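To make the "firewall rule" reading of an SPF record concrete, here is an added evaluator (example code written for this article, not part of cPanel, Exim or any SPF library). It walks the mechanisms left to right and returns the result of the first match according to its qualifier, covering the mechanisms used on this page (a, mx, ip4/ip6, include, all). DNS is replaced by a constructed lookup table mirroring the dig output shown earlier, so it runs offline; the resolver name `lookup` and the table `FAKE_DNS` are assumptions of this example.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The entries mirror the
# dig output shown earlier on this page (A and MX for primebooksnepal.com).
FAKE_DNS = {
    ("primebooksnepal.com", "A"): ["103.98.131.78"],
    ("primebooksnepal.com", "MX"): ["srv.primebooksnepal.com"],
    ("srv.primebooksnepal.com", "A"): ["103.98.131.78"],
}

# Qualifier prefix -> SPF result, as described in the text: + pass, - fail, ~ softfail.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Hypothetical resolver: returns the constructed records, or [] when unknown."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def _ip_in_any(ip, networks):
    """True if ip falls inside any of the given addresses/CIDR ranges (version mismatch is False)."""
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def check_spf(record, client_ip, domain, resolver=lookup):
    """Evaluate an SPF record for a connecting IP the way a receiving MTA does.

    Mechanisms are tried left to right; the first match decides, using its qualifier.
    Handles a, mx, ip4, ip6, include and all (the mechanisms used on this page).
    Returns pass / fail / softfail / neutral / none / permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                   # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in_any(ip, [arg])
        elif mech == "a":
            matched = _ip_in_any(ip, resolver(arg or domain, "A"))
        elif mech == "mx":
            hosts = resolver(arg or domain, "MX")
            matched = any(_ip_in_any(ip, resolver(h, "A")) for h in hosts)
        elif mech == "include":
            # include matches only if the other domain's own record yields "pass"
            matched = any(check_spf(r, client_ip, arg, resolver) == "pass"
                          for r in resolver(arg, "TXT"))
        else:
            return "permerror"            # unknown mechanism (modifiers such as redirect= not handled)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no term matched and there was no "all"


if __name__ == "__main__":
    rec = "v=spf1 a mx ip4:103.98.131.78 -all"
    for ip in ("103.98.131.78", "198.51.100.7"):   # 198.51.100.0/24 is documentation address space
        print(ip, check_spf(rec, ip, "primebooksnepal.com"))
```

Run with the generated record and an unrelated IP, the result is "fail"; with the "+a +mx +ip4 ~all" record that was actually published for this domain, the same IP only gets "softfail", which is the difference between bouncing a forged message and merely marking it.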

ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT primebooksnepal.com

; <<>> DiG 9.16.1-Ubuntu <<>> TXT primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17528
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;primebooksnepal.com.           IN      TXT

;; ANSWER SECTION:
primebooksnepal.com.    2680    IN      TXT     "google-site-verification=z0qEJnwgxS04QWO_g_jlKLQCDKeqskPgMddZ39HI8-c"
primebooksnepal.com.    2680    IN      TXT     "v=spf1 +a +mx +ip4:103.98.131.78 ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:52:01 UTC 2022
;; MSG SIZE  rcvd: 179

ningsuan@ubuntuserver:~/yaml/vpc$

SPF check: https://mxtoolbox.com/SuperTool.aspx?action=spf%3aprimebooksnepal.com&run=toolpage

| Prefix | Type | Value | PrefixDesc | Description |
|---|---|---|---|---|
|  | v | spf1 |  | The SPF record version |
| + | a |  | Pass | Match if IP has a DNS 'A' record in given domain. |
| + | mx |  | Pass | Match if IP is one of the MX hosts for given domain name. |
| + | ip4 | 103.98.131.78 | Pass | Match if IP is in the given range. |
| + | include | _spf.google.com | Pass | The specified domain is searched for an 'allow'. |
| ~ | all |  | SoftFail | Always matches. It goes at the end of your record. |

Configuring the DKIM record

ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT default._domainkey.primebooksnepal.com

; <<>> DiG 9.16.1-Ubuntu <<>> TXT default._domainkey.primebooksnepal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;default._domainkey.primebooksnepal.com.        IN TXT

;; ANSWER SECTION:
default._domainkey.primebooksnepal.com. 7193 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPore+vjp8upt8RVFImHoGKRYz2DguZMYBX9gI3fOoJ0wJRZ4YcYpQBu/7HQrno0zjSKi8mM7bQ0F/zWU0qoaeX1MVPT+TXIuDAHt82f4E92IB/m9eH2f0pTcQ6eFPb++I4zL/AcUxMfuxSdpAKHINVYm5AEFe146+mC4+eNYG3YmJUnyRHs81DQqcmvrXI2k" "Yo0v3X4pXhBXXuSTUNpyVhwQJw0/wa1HbtsxLOAoirF4IFNlrEL8Jw036d1TO7MY/fGybqqNOBNG72nJubw+/Zpl/LiMDxnAiGkZ+6Qhj8hYeBkOC5R3Q/vOrMlDwlmnM8BqrHms0Bp4aStxMACWQIDAQAB;"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:53:30 UTC 2022
;; MSG SIZE  rcvd: 492
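Note that dig prints the DKIM key as two quoted strings: a single TXT string is limited to 255 bytes, so the server splits the record and the consumer must concatenate the pieces before parsing. The added example below (written for this article, not cPanel's or Exim's code) does that join, parses the tags, checks the record is a usable rsa key and reads the modulus size from the DER-encoded public key with a minimal hand-written DER walker (handles only the RSA SubjectPublicKeyInfo layout). The sample input is the record shown in the dig output above; everything else in the block is an assumption of this example.

```python
import base64

# The DKIM TXT record exactly as dig printed it above: two quoted strings, because the
# value exceeds the 255-byte limit of one TXT <character-string>.
DIG_TXT_RDATA = (
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPore+vjp8upt8RVFImHoGKRYz2DguZMYBX9gI3fOoJ0wJRZ4YcYpQBu/7HQrno0zjSKi8mM7bQ0F/zWU0qoaeX1MVPT+TXIuDAHt82f4E92IB/m9eH2f0pTcQ6eFPb++I4zL/AcUxMfuxSdpAKHINVYm5AEFe146+mC4+eNYG3YmJUnyRHs81DQqcmvrXI2k" '
    '"Yo0v3X4pXhBXXuSTUNpyVhwQJw0/wa1HbtsxLOAoirF4IFNlrEL8Jw036d1TO7MY/fGybqqNOBNG72nJubw+/Zpl/LiMDxnAiGkZ+6Qhj8hYeBkOC5R3Q/vOrMlDwlmnM8BqrHms0Bp4aStxMACWQIDAQAB;"'
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def join_txt_strings(rdata):
    """Concatenate the quoted strings of a TXT RDATA in order (backslash escapes not handled)."""
    parts, i = [], 0
    while i < len(rdata):
        if rdata[i] == '"':
            j = rdata.index('"', i + 1)
            parts.append(rdata[i + 1:j])
            i = j + 1
        else:
            i += 1
    return "".join(parts)


def parse_dkim_tags(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values (folded p=) is dropped."""
    tags = {}
    for field in txt.split(";"):
        name, _, value = field.strip().partition("=")
        if name:
            tags[name.strip()] = "".join(value.split())
    return tags


def _der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, body, _ = _der_read(spki)                  # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, after_alg = _der_read(body)             # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    oid_tag, oid, _ = _der_read(alg)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = _der_read(body, after_alg)  # subjectPublicKey BIT STRING
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsapub, _ = _der_read(bitstr, 1)             # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    n_tag, n, _ = _der_read(rsapub)
    if n_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n, "big").bit_length()


def check_dkim_record(rdata):
    """Validate a DKIM key record and report its version, key type and RSA key size."""
    tags = parse_dkim_tags(join_txt_strings(rdata))
    if tags.get("v", "DKIM1") != "DKIM1":           # v= is optional but must be DKIM1 when present
        raise ValueError("unsupported DKIM record version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa keys are handled here")
    if not tags.get("p"):
        raise ValueError("p= missing or empty: the key is revoked")
    spki = base64.b64decode(tags["p"], validate=True)
    return {"version": "DKIM1", "key_type": "rsa", "modulus_bits": rsa_modulus_bits(spki)}


if __name__ == "__main__":
    print(check_dkim_record(DIG_TXT_RDATA))
```

The key size is worth checking because verifiers commonly refuse RSA keys shorter than 1024 bits, and a selector whose p= is empty means the key has been revoked rather than that the record is broken.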

Configuring the DMARC record

The DMARC record can be generated with the website https://dmarcly.com/tools/dmarc-generator .

p: the policy; quarantine means mail that fails SPF and DKIM verification is treated as spam.

rua: the address that receives aggregate reports; here they go to info@primebooksnepal.com.

ruf: the address that receives failure reports.

sp: the DMARC policy applied to subdomains.

adkim: alignment policy for DKIM; s means strict alignment, r means relaxed alignment.

The domain in the message's From: header is compared with the d= field of the DKIM signature.

| From: header | DKIM d=domain | Strict alignment | Relaxed alignment |
|---|---|---|---|
| jon@solarmora.com | solarmora.com | Pass | Pass |
| jon@mail.solarmora.com | solarmora.com | Fail | Pass |
| jon@solarmora.org | solarmora.com | Fail | Fail |

aspf: alignment policy for SPF; the levels work the same way as for DKIM.

The envelope-from address is compared with the From: header.

| Envelope sender address | Header From: address | Strict alignment | Relaxed alignment |
|---|---|---|---|
| jon@solarmora.com | jon@solarmora.com | Pass | Pass |
| jon@mail.solarmora.com | jon@solarmora.com | Fail | Pass |
| jon@solarmora.org | jon@solarmora.com | Fail | Fail |

pct: the percentage of mail the policy is applied to; 100 means every message.

rf: the format of failure reports; afrf is the Authentication Failure Reporting Format.

ri: the interval between aggregate reports; 86400 means one aggregate report per day.
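The two alignment tables and the tag descriptions above can be turned into a small checker. The following is an added example for this article (not code from cPanel, Exim or a DMARC library): it parses a DMARC record with the protocol defaults, implements strict and relaxed identifier alignment, and combines SPF/DKIM outcomes into a DMARC verdict plus the action the record requests. The organisational domain is approximated as the last two labels, which is an assumption of this example; a real implementation consults the Public Suffix List. The sample record is the one published for this domain in the dig output that follows.

```python
# The record published for this domain (copied from the dig output on this page).
PAGE_DMARC = ("v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=s;pct=100;fo=0;rf=afrf;ri=86400;"
              "rua=mailto:info@primebooksnepal.com;ruf=mailto:info@primebooksnepal.com")


def parse_dmarc(record):
    """Parse 'tag=value;...' into a dict and fill in the protocol defaults for absent tags."""
    tags = {}
    for field in record.split(";"):
        name, _, value = field.strip().partition("=")
        if name:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")       # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])    # subdomains inherit p when sp is absent
    return tags


def org_domain(domain):
    """Organisational domain approximated as the last two labels (assumption of this example;
    a real implementation uses the Public Suffix List so that names under co.uk etc. work)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' only the same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def address_domain(addr):
    """Domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(record, header_from, dkim_d=None, dkim_pass=False,
                   envelope_from=None, spf_pass=False):
    """Return (dmarc_result, action): pass if an aligned DKIM signature verified or aligned
    SPF passed; otherwise fail, and the record's p= policy is the action to apply."""
    tags = parse_dmarc(record)
    from_dom = address_domain(header_from)
    dkim_ok = dkim_pass and dkim_d is not None and aligned(dkim_d, from_dom, tags["adkim"])
    spf_ok = (spf_pass and envelope_from is not None
              and aligned(address_domain(envelope_from), from_dom, tags["aspf"]))
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Recompute the DKIM alignment table from the text.
    for frm in ("jon@solarmora.com", "jon@mail.solarmora.com", "jon@solarmora.org"):
        d = address_domain(frm)
        print(frm, "strict:", aligned("solarmora.com", d, "s"),
              "relaxed:", aligned("solarmora.com", d, "r"))
    print(dmarc_evaluate(PAGE_DMARC, "info@primebooksnepal.com",
                         dkim_d="primebooksnepal.com", dkim_pass=True))
```

Because the published record sets aspf=s, a message whose envelope sender is bounce@mail.primebooksnepal.com with a From: of info@primebooksnepal.com passes SPF but fails DMARC alignment unless it also carries an aligned DKIM signature; with adkim=r a d=mail.primebooksnepal.com signature would still align.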

ningsuan@ubuntuserver:~/yaml/vpc$ dig TXT _dmarc.primebooksnepal.com.

; <<>> DiG 9.16.1-Ubuntu <<>> TXT _dmarc.primebooksnepal.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_dmarc.primebooksnepal.com.    IN      TXT

;; ANSWER SECTION:
_dmarc.primebooksnepal.com. 3600 IN     TXT     "v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=s;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:info@primebooksnepal.com;ruf=mailto:info@primebooksnepal.com"

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 11 09:54:03 UTC 2022
;; MSG SIZE  rcvd: 214

ningsuan@ubuntuserver:~/yaml/vpc$

Requesting reverse DNS delegation from APNIC


Requesting removal from the Spamhaus blocklist

Spamhaus sends a removal confirmation link; click it and, once the check passes, the IP is removed.

----------------------------------------------------------------------
The Spamhaus Project - Policy Block List (PBL) - Email Policy System
----------------------------------------------------------------------
Verification/Confirmation Code: 17203
----------------------------------------------------------------------

Someone claiming to be info@primebooksnepal.com has submitted a request to
remove the IP Address 103.98.131.78 from the Spamhaus PBL database. This
request was received from [180.111.26.126] at 2022-07-09 12:59:26 UTC.

If this was you, you can now activate your request by entering the
code '17203' at the Spamhaus PBL Removals page or by clicking
on the following link:

https://www.spamhaus.org/pbl/removal/verify/7386767_17203

  Spamhaus PBL Robot
  The Spamhaus Project
https://www.spamhaus.org/pbl/

----------------------------------------------------------------------
NOT YOU? If you did not make this request, simply do nothing. You do
not need to respond. The request will auto-expire unless activated.
This message is sent by a robot, please do not reply to this email.
----------------------------------------------------------------------


Viewing the headers of a sent message

Authentication-Results shows the authentication outcome: spf=pass, dkim=pass, dmarc=pass.

The Received headers record the path the message took.


Authentication-Results: spf=pass (sender IP is 103.98.131.78)
 smtp.mailfrom=primebooksnepal.com; dkim=pass (signature was verified)
 header.d=primebooksnepal.com;dmarc=pass action=none
 header.from=primebooksnepal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of primebooksnepal.com
 designates 103.98.131.78 as permitted sender)
 receiver=protection.outlook.com; client-ip=103.98.131.78;
 helo=mail.primebooksnepal.com; pr=C
Received: from mail.primebooksnepal.com (103.98.131.78) by
 CO1NAM11FT006.mail.protection.outlook.com (10.13.174.246) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5417.15 via Frontend Transport; Mon, 11 Jul 2022 04:15:33 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:C416B2F70907B1E66922F445426DB588209DB72329C7A33E02EB0C73398D180C;UpperCasedChecksum:900347A96EE6ECCD4D74C791D8F4F303B277F774E9704C56CD2486C4054ACBE9;SizeAsReceived:2048;Count:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=primebooksnepal.com; s=default; h=Content-Type:Message-ID:Mime-Version:
	Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=0p+q1pSwnzwSm6INLK/1nMvjJQj21EcC8yyW4OHB55U=; b=Yw+UmGonPw/cC34P9Z0zqazUke
	ZD5vb6VDxFvjt+kJjvGjuU57MUq/5Gl+wUyX2nbZW8viL+Jl4aLU9mdHJ+by+lJ68qaa7qv/uRPvy
	dsmo+kdvK4NUo2c+izWKOh1wiLRKtDME2qma7aG+/JhxdTYbnXkEYIzr6awet/Lvfy3e38R4QM7mK
	ty/JeXjVEV2OXA1SX8znyf106GTn1onm0Ye52GP4WAN/OmkoaDDsMZQt3BSuZ+dXg1TcTo0bFRPEh
	xsE49oUxZlvcjyxKIgm3d2ZQ703Miz5te/dSH1rMazG4H3lgQl30hpiV44ZrBRG5v4rNFzW10Ug3Z
	ae2GbiRA==;
Received: from [172.16.3.2] (port=37178 helo=sukai)
	by srv.primebooksnepal.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <info@primebooksnepal.com>)
	id 1oAkpX-0005Am-5t
	for ycsk02@hotmail.com;
	Mon, 11 Jul 2022 04:15:31 +0000
Date: Mon, 11 Jul 2022 12:15:30 +0800
From: "info@primebooksnepal.com" <info@primebooksnepal.com>
To: ycsk02 <ycsk02@hotmail.com>
Subject: add dmarc
X-Has-Attach: no
X-Mailer: Foxmail 7.2.20.273[cn]
Message-ID: <202207111215285084213@primebooksnepal.com>
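Reading the Authentication-Results header by eye works for one message; for checking many, a parser helps. The added example below (written for this article, not code from Exim, Outlook or cPanel) unfolds the header, strips the comments, and returns each method's result with its properties (smtp.mailfrom, header.d, header.from, action), then checks that SPF, DKIM and DMARC all passed. The input is constructed from the Authentication-Results header shown above with its folded lines preserved; the function names are this example's own.

```python
import re

# Constructed from the Authentication-Results header shown above, with its folded
# continuation lines (leading whitespace) kept exactly as they appear in the message.
RAW_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 103.98.131.78)\n"
    " smtp.mailfrom=primebooksnepal.com; dkim=pass (signature was verified)\n"
    " header.d=primebooksnepal.com;dmarc=pass action=none\n"
    " header.from=primebooksnepal.com;compauth=pass reason=100"
)


def unfold(raw_header):
    """Split 'Name: value' and join RFC 5322 folded lines into a single value string."""
    name, _, value = raw_header.partition(":")
    return name.strip(), " ".join(line.strip() for line in value.splitlines())


def parse_authentication_results(raw_header):
    """Parse an Authentication-Results header (RFC 8601 shape) into
    {method: {"result": ..., "<ptype.property>": value, ...}}, plus "authserv-id" if present."""
    _, value = unfold(raw_header)
    value = re.sub(r"\([^)]*\)", " ", value)     # drop comments such as "(signature was verified)"
    parsed = {}
    for stanza in value.split(";"):
        tokens = stanza.split()
        if not tokens:
            continue
        if "=" not in tokens[0]:                  # leading authserv-id (absent in the header above)
            parsed["authserv-id"] = tokens[0]
            tokens = tokens[1:]
            if not tokens:
                continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            entry[key] = val
        parsed[method.lower()] = entry
    return parsed


def fully_authenticated(parsed):
    """True when SPF, DKIM and DMARC all report pass, as in the header above.
    Trust this header only when your own receiving MTA added it: RFC 8601 tells a
    receiver to remove copies that arrive from outside its trust boundary."""
    return all(parsed.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    results = parse_authentication_results(RAW_HEADER)
    for method, entry in results.items():
        print(method, entry)
    print("fully authenticated:", fully_authenticated(results))
```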