Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
tools:emailsec [2023/04/21 11:39] – [DMARC] darrontools:emailsec [2023/05/18 21:05] (current) – [DKIM] darron
Line 15: Line 15:
 __Zone__ __Zone__
 <code> <code>
-1H IN TXT "v=spf1 a:hostname -all"+1H IN TXT "v=spf1 a:HOSTNAME -all"
 </code> </code>
  
Line 26: Line 26:
 ===DKIM=== ===DKIM===
  
-[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.+[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.
  
 ==OPENSSL== ==OPENSSL==
Line 106: Line 106:
 remote_smtp_dkim_DOMAIN: remote_smtp_dkim_DOMAIN:
  driver           = smtp  driver           = smtp
 + helo_data        = HOSTNAME
 + interface        = <;IPV4;IPV6
  dkim_domain      = DOMAIN  dkim_domain      = DOMAIN
  dkim_selector    = dkim  dkim_selector    = dkim
  dkim_private_key = /etc/exim4/private.pem  dkim_private_key = /etc/exim4/private.pem
 </code> </code>
 +
 +For SPF the HOSTNAME must resolve to the specified IP address(es).
  
 The DKIM domain needn't be the same as the sender domain. The DKIM domain needn't be the same as the sender domain.
 ===DMARC=== ===DMARC===
  
-[[https://dmarc.org/|DMARC]] defines a policy used for e-mails that fail SPF and DKIM tests.+[[https://dmarc.org/|DMARC]] defines a policy and reporting facility for e-mails.
  
-Providers such as google send report of emails that arrive at their user mailboxes detailing +E-mails that fail SPF and DKIM tests may be processed according to this table. 
-those that pass and fail. In google's case, the reports originate from noreply-dmarc-support@google.com.+ 
 +^Policy^Effect^ 
 +|none|Mail delivered normally| 
 +|quarantine|Mail delivered to spam folder| 
 +|reject|Mail rejected and not delivered| 
 + 
 +For reporting, providers such as google send details of e-mails that pass and fail. For google the reports originate from noreply-dmarc-support@google.com.
  
 ==BIND== ==BIND==
Line 129: Line 139:
 _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN" _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"
 </code> </code>
 +
 +Once you are confident that you are sending e-mail from the correct server(s) in with the correct signature(s) then the policy can be made more strict.
  
 __Test__ __Test__
Line 136: Line 148:
  
 See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information. See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information.
 +
 +
 +
 +===Resources===
 +
 +[[https://dkimvalidator.com/|DKIM validator]]
 +
 +=== Export ===
 +
 +[[:tools:emailsec?do=export_pdf|PDF]]