Differences

This shows you the differences between two versions of the page.

tools:emailsec [2023/04/21 10:27] – [DKIM] darron
tools:emailsec [2023/05/18 21:05] (current) – [DKIM] darron
Line 1: Line 1:
 ==== E-mail security==== ==== E-mail security====
 +<wrap right> 
 +{{tools:emailsec.jpg?200}} 
 +</wrap>
 How to use e-mail security features in EXIM SMTP with BIND DNS. How to use e-mail security features in EXIM SMTP with BIND DNS.
  
Line 13: Line 15:
 __Zone__ __Zone__
 <code> <code>
-1H IN TXT "v=spf1 a:hostname -all"+1H IN TXT "v=spf1 a:HOSTNAME -all"
 </code> </code>
  
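Review bot: the placeholder is now `HOSTNAME`, consistent with `DOMAIN` used elsewhere, but the zone example still gives no hint that this host needs A/AAAA records for the sending address(es); with `-all`, mail from any IP that `a:HOSTNAME` does not cover gets a hard fail. Suggest a one-line remark after the `</code>` block here, since the only explanation on the page currently sits under the Exim DKIM transport: `HOSTNAME must resolve to the IP address(es) Exim sends from.`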
Line 24: Line 26:
 ===DKIM=== ===DKIM===
  
-[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.+[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.
  
 ==OPENSSL== ==OPENSSL==
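Review bot: the DKIM description is missing an article on both sides of the diff ("is signing process"); since the line was touched anyway, make it `is a signing process used when sending email to determine authenticity and detect tampering on the receiving server.`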
Line 104: Line 106:
 remote_smtp_dkim_DOMAIN: remote_smtp_dkim_DOMAIN:
  driver           = smtp  driver           = smtp
 + helo_data        = HOSTNAME
 + interface        = <;IPV4;IPV6
  dkim_domain      = DOMAIN  dkim_domain      = DOMAIN
  dkim_selector    = dkim  dkim_selector    = dkim
  dkim_private_key = /etc/exim4/private.pem  dkim_private_key = /etc/exim4/private.pem
 </code> </code>
 +
 +For SPF the HOSTNAME must resolve to the specified IP address(es).
  
 The DKIM domain needn't be the same as the sender domain. The DKIM domain needn't be the same as the sender domain.
 ===DMARC=== ===DMARC===
  
-[[https://dmarc.org/|DMARC]] defines a policy used for e-mails that fail SPF and DKIM tests.+[[https://dmarc.org/|DMARC]] defines a policy and reporting facility for e-mails. 
 + 
 +E-mails that fail SPF and DKIM tests may be processed according to this table. 
 + 
 +^Policy^Effect^ 
 +|none|Mail delivered normally| 
 +|quarantine|Mail delivered to spam folder| 
 +|reject|Mail rejected and not delivered| 
 + 
 +For reporting, providers such as google send details of e-mails that pass and fail. For google the reports originate from noreply-dmarc-support@google.com.
  
 ==BIND== ==BIND==
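Review bot: the new sentence `For SPF the HOSTNAME must resolve to the specified IP address(es).` is placed under the Exim DKIM transport, where a reader checking the SPF zone record will not find it; move it (or a copy) next to the `a:HOSTNAME` record in the SPF section. It does also belong here in a narrower form, because the added `helo_data = HOSTNAME` and `interface = <;IPV4;IPV6` pair only works as intended when HOSTNAME's forward DNS matches IPV4 and IPV6, so state that explicitly. In the DMARC paragraph, capitalise `google` as Google, and say that the reports go to the address given in `rua=` so the table connects to the `_dmarc` record shown in the BIND section.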
Line 120: Line 135:
 to reject or quarantine. to reject or quarantine.
  
 +__Zone__
 <code> <code>
 _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN" _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"
 +</code>
 +
 +Once you are confident that you are sending e-mail from the correct server(s) in with the correct signature(s) then the policy can be made more strict.
 +
 +__Test__
 +<code>
 +dig in txt _dmarc.DOMAIN
 </code> </code>
  
 See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information. See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information.
 +
 +
 +
 +===Resources===
 +
 +[[https://dkimvalidator.com/|DKIM validator]]
 +
 +=== Export ===
 +
 +[[:tools:emailsec?do=export_pdf|PDF]]
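Review bot: typo in the new sentence: `in with the correct signature(s)` should read `with the correct signature(s)`. Since the zone example keeps `p=none`, it would also help to say what "more strict" means by pointing at the `quarantine` and `reject` values from the policy table, e.g. `p=quarantine` then `p=reject`. Note that the `__Test__` command `dig in txt _dmarc.DOMAIN` only confirms the record is published; the DKIM validator linked under Resources is the check for the signing side.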