This is an old revision of the document!
E-mail security
SPF
Sender policy framework uses a DNS text entry within a domain detailing the authorised IP addresses and hosts that can send email for that domain.
BIND
Using the “a” directive, a receiving server will look up the IP4 or IPV6 address of the hostname and match it to the origin for validation.
Zone
1H IN TXT "v=spf1 a:hostname -all"
Test
dig in txt DOMAIN
If more than one source needs to be authorised the “include” directive can be used (refer to RFC 7208).
DKIM
DomainKeys Identified Mail is a signing process used when sending email to determine authenticity and detect tampering on the receiving server.
OPENSSL
Openssl can be used to generate the private signing key and public key published in DNS.
#! /bin/bash rm -f private.pem public.pem public.der # PEM printable encoding, RFC 7468 openssl genrsa -out private.pem 2048 1>/dev/null 2>&1 openssl rsa -in private.pem -pubout -out public.pem 1>/dev/null 2>&1 # Distinguished Encoding Rules, OPENSSL-FORMAT-OPTIONS(1SSL) openssl rsa -in private.pem -pubout -outform der -out public.der 1>/dev/null 2>&1 # DKIM base64 -w 0 public.der | awk ' { print "dkim._domainkey IN TXT (\"v=DKIM1; k=rsa; p=\"" do { printf "\t\"" substr($0, 1, 64) "\"" $0 = substr($0, 65) if (length) printf "\n" else print ")" } while (length) }'
BIND
The sub-domain “_domainkey” is used to provide a “selector” to use with DKIM. In this example the selector is simply “dkim”.
Zone
dkim._domainkey IN TXT ("v=DKIM1; k=rsa; p=" "use output from above")
The “p” directive contains a base64 encoded public key which can be created by openssl in the previous section.
Test
dig in txt dkim._domainkey.DOMAIN
The text record format for BIND is explained in RFC 6376.
EXIM
Exim can provide transports which support DKIM selectively. This example will use DKIM signing for a specific domain.
routers
dnslookup_dkim_DOMAIN: driver = dnslookup domains = !+local_domains condition = ${if eq{$sender_address_domain}{DOMAIN}} transport = remote_smtp_dkim_DOMAIN ignore_target_hosts = 0.0.0.0:127.0.0.0/8 no_more
transports
This transport signs the message using the private key and indicates which selector should be examined on delivery in DNS.
remote_smtp_dkim_DOMAIN: driver = smtp dkim_domain = DOMAIN dkim_selector = dkim dkim_private_key = /etc/exim4/private.pem
The DKIM domain needn't be the same as the sender domain.
DMARC
DMARC defines a policy used for e-mails that fail SPF and DKIM tests.
Providers such as google send report of emails that arrive at their user mailboxes detailing those that pass and fail. In google's case, the reports originate from noreply-dmarc-support@google.com.
BIND
The simplest policy is to do nothing with failed e-mails, this can be used to determine if the feature is working before applying stricter rules which can tell a receiver to reject or quarantine.
Zone
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"
Test
dig in txt _dmarc.DOMAIN
See RFC 7489 for more information.