de-DEen-GB
 
rss

Granikos Technology Blog

On September 14, 2016
1167 Views
This is a translated blog post of the original post in German, which can be read here.

Different technologies are used to verify the validity of email senders. Each technolgy by itself represents only one component of an holistic solution. It is currently recommended to implemtent all three technologies.

The technologies are:

  • SPF - Sender Policy Framework
    The SPF resource record of a DNS zone defines which servers (host names or IP addresses) are allowed to send emails on behalf of the domain. Each sender domain must have it's own SPF resource record.
     
  • DKIM - Domain Keys Identified Mail
    DKIM pursues the same objective as SPF. With DKIM parts of an email message are enrypted using a provivate key. The public key is published as a DNS resource record. In the most cases the key pair ist generated by the mail servers, as these encrpyt the message anyway.
     
  • DMARC - Domain-based Message Authentication, Reporting & Conformance
    DMARC is placed on top of SPF and DKIM. DMARC executes a so called alignment for SPF and DKIM. An alignment defines a policy that describes how strict a receiving server (MTA) should validate and assess the sender address with SPF and DKIM. Stefan Cink of Net at Work has published a detailed post (DE) on this.

 

The following figure illustrates the protocol relations.

DMARC, SPC and DKIM relations

The use of SPF, DKIM and DMARC are no substitute for email message encryption itself or transport encryption. These technologies are used to identify and asses valid senders and to protect against spam messages.

Keep in mind that SPF, DKIM and DMARC are offerings for other emails servers. As a sending party you do not control if and how SPF, DKIM and DMARC are evaluated by the receiving server. But if evaluated, the configuration must be correct to avoid messages being rejected by receiving email servers.

The following sections focus on the DNS configuration for SPF, DKIM and DMARC. This post is not intended to rate the technologies, but to desribe the implementation.

 

SPF

Each domain being used for sending emails requires a SPF resource record (RR) in its DNS zone. A SPF record is always of the type TXT and does not use any host name (or resource record name, if you will). A SPF RR is always valid for the entire DNS zone.

Example

mcsmemail.de.          3600     IN      TXT     "v=spf1 mx a:mail.mcsmemail.de ?all"

The following screenshot illustrates adding a new SPF TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox remains empty.

Anlegen eines SPF TXT DNS Eintrages

Example explained:

v=spf1
SPF Version

mx
MX server records defined within the DNS zone are valid senders

a:mail.mcsmemail.de
The additional DNS host name defined as a A resource record is a valid sender as well

?all
Neutral validation of non listed servers that send emails for this domain

SPF records can be created by using one of the various online resources.

 

DKIM

DKIM resource records are configured as TXT resource records as well. In contract to a SPF record a host name is mandatory. In this case its called selector.

A DKIM TXT record is always created as a record in the sub domain _domainkey.

Example

nsp._domainkey.mcsmemail.eu. 3600 IN     TXT     "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChZM8yjegaKfd0ssKyezTW/7xbDSNc0uPd50xa5/ecerv1v3mHKM+T7mClzRmIEx+Ji6AisVeo2uvjTYPemHFMBlQpuS/4zc2QxWHqp62FSQ7lASBOzDfUrIwayPVqwSPD6NrnfVSWoUNrFGGSVeU5uLASecBzTfxPukqTHgYKhQIDAQAB"

The following screenshot illustrates adding a new DKIM TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox contains the selector nsp followed by the sub domain _domainkey.

Anlegen eines DKIM TXT DNS Eintrages

Example explained:

v=DKIM1
DKIM version

k=rsa
Public key encryption method

p=MIGfMA....
The DKIM public key

 

DMARC

DMARC is configured as a TXT resource record as well. The DMARC resource record uses the fixed host name _dmarc.

Example

_dmarc.mcsmemail.de.     3600    IN      TXT     "v=DMARC1\; p=none\; rua=mailto:DMARCRUA@mcsmemail.de\; ruf=mailto:DMARCRUF@mcsmemail.de\; fo=1\; adkim=s\; aspf=s\; rf=afrf\"

The following screenshot illustrates adding a new DMARC TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox contains always the value _dmarc.

Anlegen eines DMARC TXT DNS Eintrages

Example explained:

v=DMARC1
DMARC version

p=none
No DMARC policy defined (You should always start with None, before switching to Quarantine or Reject)

rua=mailto:DMARCRUA@mcscmemail.de
Email address for status reports

ruf=mailto:DMARCRUF@mcscmemail.de
Email address for error reports

fo=1
Error report type

adkim=s
DKIM alignment, s = strict

aspf=s
SPF alignment, s = strict

rf=afrf
Error report message format, afrf = Abuse Report Format nach RFC 5965

The DMARC policy (p) should be raised step-by-step. The results for each policy type are:

  • none - No action, affected messages are part of the daily message report
  • quarantine - Affected messages are marked as spam
  • reject - An affected message is rejected on the SMTP layer

Recommended reading on this topic: Google Support Post.

DMARC DNS zone entries can easily be checked by using the Net at Works PowerShell tool. The PowerShell script an only be used with NoSpamProxy11+. But there are some online tools available as well.

Links

 


You need assistance with your Exchange Server setup? You have questions about your Exchange Server infrastructure and going hybrid with Office 365?

Contact us at office365@granikos.eu or visit our website http://www.granikos.eu.

Weiterlesen »