Differences

This shows you the differences between two versions of the page.

tools:emailsec [2023/04/21 17:17]
darron [Resources]
tools:emailsec [2023/05/18 21:05] (current)
darron [DKIM]
Line 15: Line 15:
 __Zone__ __Zone__
 <code> <code>
-1H IN TXT "v=spf1 a:hostname -all"+1H IN TXT "v=spf1 a:HOSTNAME -all"
 </code> </code>
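Review bot: The SPF record line now uses the placeholder HOSTNAME in "a:HOSTNAME", but nothing in this hunk says it is a value to substitute or which name belongs there. Add a sentence under the zone block stating that HOSTNAME stands for the fully qualified name of the sending server, the same value used for helo_data in the Exim transport further down, so that nobody publishes the literal string.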
  
Line 26: Line 26:
 ===DKIM=== ===DKIM===
  
-[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.+[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.
  
 ==OPENSSL== ==OPENSSL==
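Review bot: The DKIM introduction is still missing an article: "is signing process" should read "is a signing process". The old and new text shown here are identical apart from whitespace, so the wording fix can go in with this change.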
Line 106: Line 106:
 remote_smtp_dkim_DOMAIN: remote_smtp_dkim_DOMAIN:
  driver           = smtp  driver           = smtp
 + helo_data        = HOSTNAME
 + interface        = <;IPV4;IPV6
  dkim_domain      = DOMAIN  dkim_domain      = DOMAIN
  dkim_selector    = dkim  dkim_selector    = dkim
  dkim_private_key = /etc/exim4/private.pem  dkim_private_key = /etc/exim4/private.pem
 </code> </code>
 +
 +For SPF the HOSTNAME must resolve to the specified IP address(es).
  
 The DKIM domain needn't be the same as the sender domain. The DKIM domain needn't be the same as the sender domain.
 ===DMARC=== ===DMARC===
  
-[[https://dmarc.org/|DMARC]] defines a policy used for e-mails that fail SPF and DKIM tests.+[[https://dmarc.org/|DMARC]] defines a policy and reporting facility for e-mails.
  
-Providers such as google send report of emails that arrive at their user mailboxes detailing +E-mails that fail SPF and DKIM tests may be processed according to this table. 
-those that pass and fail. In google's case, the reports originate from noreply-dmarc-support@google.com.+ 
 +^Policy^Effect^ 
 +|none|Mail delivered normally| 
 +|quarantine|Mail delivered to spam folder| 
 +|reject|Mail rejected and not delivered| 
 + 
 +For reporting, providers such as google send details of e-mails that pass and fail. For google the reports originate from noreply-dmarc-support@google.com.
  
 ==BIND== ==BIND==
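Review bot: In the new DMARC paragraph, "E-mails that fail SPF and DKIM tests may be processed according to this table" leaves out alignment: DMARC counts a message as passing only when SPF or DKIM passes for a domain aligned with the From: header domain. This matters because the context line just above says "The DKIM domain needn't be the same as the sender domain", which holds for DKIM on its own but not for a DKIM result that is meant to satisfy DMARC. Suggest wording along the lines of "E-mails that pass neither SPF nor DKIM for a domain aligned with the From: address are handled according to the published policy". Separately, the added "interface = <;IPV4;IPV6" line deserves a short explanation that the leading "<;" switches the list separator to a semicolon so the IPv6 address can contain colons.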
Line 129: Line 139:
 _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN" _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"
 </code> </code>
 +
 +Once you are confident that you are sending e-mail from the correct server(s) in with the correct signature(s) then the policy can be made more strict.
  
 __Test__ __Test__
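Review bot: The added sentence has a stray word in "in with the correct signature(s)"; drop "in". It would also help to say where that confidence comes from, namely the aggregate reports sent to the rua address in the record above, and to name the stricter values from the policy table (quarantine, then reject) instead of "more strict".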