Differences

This shows you the differences between two versions of the page.

email_protection_resources [2018/01/14 03:05]
Stephane de Labrusse [Email Methods: Helo, DNS, Domain reputation, Blacklist SPF, DKIM, DMARC and ARC]
email_protection_resources [2018/05/26 15:24] (current)
Dan Brown [How to configure it?] remove errant italics
Line 1: Line 1:
-====== Email Methods: Helo, DNS, Domain reputation, Blacklist SPF, DKIM, DMARC and ARC ======+====== Email Methods: Helo, DNS, Domain/IP reputation, Blacklist SPF, DKIM, DMARC and ARC ======
  
 The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc. The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc.
  
-Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused.+Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused. For the impatient, they can check now and see what they have to configure: go to https://​www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured.
  
-For the impatientthey can check now and see what they have to configure: go to https://www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured.+It is easy to install and create a mail server with nethserver, but you must configure ​the DNS zone of your domain name in the settings of your public DNS providerwe want to detail all the mandatory DNS recordsThis settings are really important it is likely the phone number of your serverAs a side note, the DNS is not relevant of the email server, it is used by all services which need to be reachable on internet.
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-If you plan to use a smarthost to send your email, the '​[[email_protection_resources#​i_am_not_a_spammer|I am not a spammer]]'​ chapter is not necessary because ​these security ​methods are handle by your smarthost sender. But some of smarthost are tagged as spam senders, and your email won't be delivered. It is the IP reputation of your smathost ​sender, bad or good you can do nothing hence the interest to send yourself your email.+If you plan to use a smarthost to send your email, the '​[[email_protection_resources#​i_am_not_a_spammer|I am not a spammer]]'​ chapter is not necessary because ​the authentication and reputation ​methods are handle by your smarthost sender. But some of smarthost are tagged as spam senders, and your email won't be delivered. It is the IP reputation of your smtp smarthost ​sender, bad or good you can do nothinghence the interest to send yourself your email.
 </​WRAP>​ </​WRAP>​
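Review bot: the smarthost caveat in the WRAP box overstates what a smarthost takes off your hands. Relaying through a smarthost outsources the sending IP's reputation and reverse DNS, but SPF and DKIM are still evaluated against your own domain: your SPF record must authorise the smarthost (typically an include: of the provider's SPF), and DKIM only helps if either you or the smarthost signs with a selector published under your domain. So "the authentication and reputation methods are handle by your smarthost sender" should become something like "the IP reputation and reverse DNS are those of the smarthost; SPF and DKIM still have to be published for your domain and must cover the smarthost". Smaller points in the merged paragraph: "In all probability ... your email will be refused" is too strong, since most receivers spam-folder or downgrade unauthenticated mail rather than reject it outright; "the DNS is not relevant of the email server" should read "DNS is not specific to the email server"; "Think to remove" should be "Remember to remove".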
  
Line 15: Line 15:
  
 <WRAP center round tip 60%> <WRAP center round tip 60%>
-If your domain is registered to a public ​dns provider, you can skip this section+If the domain ​you use to send email with your nethserver ​is registered to a public ​DNS provider, you can skip this section
 </​WRAP>​ </​WRAP>​
  
Line 38: Line 38:
 The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers. The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers.
  
-<WRAP center round todo 60%> +
-It is easy to install and create a mail server with nethserver, but you need to configure the dns zone of your domain in the settings of your public dns provider, we want to explain all the mandatory dns records. ​  +
-</​WRAP>​ +
- +
 ===== DNS ===== ===== DNS =====
  
-All settings must propagated to all DNS server of the world, it needs time to be known by all. So be patient and wait 24 hours after each change. By experience we know that the google ​dns are really quick to be updated, then you can check after them what are the saved records (wait some minutes)+All settings must propagated to all DNS server of the world, it needs time to be known by all. So be patient and wait 24 hours after you have changed your records. By experience we know that the google ​DNS are really quick to be updated, then you can check after them what are the saved records (wait some minutes)
 ==== A record ==== ==== A record ====
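Review bot: the propagation paragraph should say why the wait exists and how to avoid it. Resolvers cache each record for its TTL, so "wait 24 hours" only matters if the old record had a TTL that long and the resolver you ask had it cached; querying the authoritative name server listed in your domain's NS record directly (dig @<that name server> domain.com A) shows the new value immediately and is the reliable check, and lowering the TTL a day before a planned change shortens the cache window. Google's resolver looks "quick" because it honours short TTLs, not because it is special. Grammar: "All settings must propagated" should be "All settings must propagate".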
  
Line 58: Line 55:
 This is an example at 1&1 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines.png?​400|}} This is an example at 1&1 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines.png?​400|}}
  
-===How to check it===+===How to configure it ?=== 
 +ask to google 
 +<​file>​ 
 +set A record YourDnsProvider 
 +</​file>​ 
 + 
 +===How to check it ?===
  
 The domain must be tested The domain must be tested
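Review bot: the new "How to configure it ?" block renders a web search query as if it were a command. "ask to google" followed by a <file> containing "set A record YourDnsProvider" reads like something to type on the server; say "Search the web for:" and keep the query in plain text, or drop the block since the 1&1 screenshot above already shows where the record is set. The same block is repeated under sub.domain.com and MX with only the record type changed; one sentence pointing at the provider's zone editor would cover all three.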
Line 74: Line 77:
 164.132.xxx.xxx 164.132.xxx.xxx
 </​file>​ </​file>​
 +
 === sub.domain.com === === sub.domain.com ===
  
-Nethserver creates several sub domain by default to be reached from outside or internally (check /​etc/​hosts),​ you have to declare them to your (external) public ​dns provider and creates for each one a '​A'​ record with the internet IP of your server+Nethserver creates several sub domain by default to be reached from outside or internally (check /​etc/​hosts),​ you have to declare them to your (external) public ​DNS provider and creates for each one a '​A'​ record with the internet IP of your server. This is not relevant to your email server, but generally for all services running on your server and needing to be reachable on the internet.
  
 **At minimal you must create these sub.domains and set the '​A'​ records to the internet IP of your server** **At minimal you must create these sub.domains and set the '​A'​ records to the internet IP of your server**
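Review bot: the added sentence invites publishing every hostname from /etc/hosts in public DNS, which leaks internal naming. Only names that must be reachable from the internet need public A records; for mail that is the MX target and the server's own FQDN (the name it uses in HELO/EHLO and the one the PTR record should point back to). Internal-only aliases in /etc/hosts should stay internal. Wording: "creates for each one a 'A' record" should read "create an 'A' record for each one".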
Line 99: Line 103:
  
 <​file>​ <​file>​
-mail.domain.com ​      ​A ​      ​12.34.56.78+prometheus.domain.com ​      A       ​12.34.56.78 
 +smtp.domain.com ​            ​A ​      ​12.34.56.78 
 +mail.domain.com ​            A       ​12.34.56.78
 </​file>​ </​file>​
  
-===How to check it===+===How to configure it ?=== 
 +ask to google 
 +<​file>​ 
 +set A record YourDnsProvider 
 +</​file>​ 
 + 
 +===How to check it ?===
  
 Each subdomain must be tested Each subdomain must be tested
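Review bot: the example now lists prometheus.domain.com without saying what it is. If it stands for the server's own FQDN (the hostname NethServer uses in HELO/EHLO), say so, because that is the one name whose A record must match the PTR record discussed later; smtp and mail are the aliases an MX or a client would use. The "ask to google" <file> block repeats the one in the A record section and has the same problem of presenting a search query as a command.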
Line 122: Line 134:
 MX record is abbreviation for Mail Exchanger record. It is a type of DNS resource record that defines a mail server to handle email for a particular domain name. For example, by adding an MX recorded to mail.domain.com for your domain.com, any email received by your domain.com will be handled through your mail servers. MX record is abbreviation for Mail Exchanger record. It is a type of DNS resource record that defines a mail server to handle email for a particular domain name. For example, by adding an MX recorded to mail.domain.com for your domain.com, any email received by your domain.com will be handled through your mail servers.
  
-The MX record is checked if there is a mail server (MX Record) behind your domain name, often spam sender do not have it properly configured. The MX record(s) must be added to your public ​dns provider.+The MX record is checked if there is a mail server (MX Record) behind your domain name, often spam sender do not have it properly configured. The MX record(s) must be added to your public ​DNS provider.
  
 <WRAP center round tip 60%> <WRAP center round tip 60%>
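Review bot: the MX paragraph should state the one constraint that bites in practice: an MX must point to a hostname that has an A (or AAAA) record, never directly to an IP address and not to a CNAME, so "adding an MX recorded to mail.domain.com" presupposes the mail.domain.com A record from the previous section. Typos: "MX recorded" should be "MX record", "spam sender do not" should be "spam senders do not", and "is checked if there is" should read "is checked to see whether there is".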
Line 140: Line 152:
 This is an example at 1&1 This is an example at 1&1
 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines_1_.png?​400|}} {{::​screenshot-2018-1-13_1_1_gestion_des_domaines_1_.png?​400|}}
-===How to check it===+===How to configure it ?=== 
 +ask to google 
 +<​file>​ 
 +set MX record YourDnsProvider 
 +</​file>​ 
 + 
 +===How to check it ?===
  
   * Web tools   * Web tools
Line 165: Line 183:
 For instance, it’s important how old is the domain. In fact, for the first 5 days after a new domain was registered, it is by default considered as suspicious. After all, reputation is something you can only earn over time. So it’s good to warm up all the emails on such a fresh domain by sending just a few emails per day during the first 2-3 weeks after the registration. For instance, it’s important how old is the domain. In fact, for the first 5 days after a new domain was registered, it is by default considered as suspicious. After all, reputation is something you can only earn over time. So it’s good to warm up all the emails on such a fresh domain by sending just a few emails per day during the first 2-3 weeks after the registration.
  
-Good reputation of your domain increases the deliverability of your emails. That’s why it’s important to have it checked through blacklists and fix all the dns records you will read below, then test your domain score by http://​mail-tester.com/​ (3 free tests per day)+Good reputation of your domain increases the deliverability of your emails. That’s why it’s important to have it checked through blacklists and fix all the DNS records you will read below, then test your domain score by http://​mail-tester.com/​ (3 free tests per day)
  
 {{::​mailtester.png?​400|}} ​ {{::​mailtester.png?​400|}} ​
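Review bot: the "first 5 days" figure is presented as a general rule without a source; filters differ, so soften it to "very new domains are commonly treated as suspicious" unless a reference can be cited. The mail-tester link in this hunk is http:// while the introduction uses https://www.mail-tester.com; use the same https URL in both places.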
Line 186: Line 204:
  
  
-====How to check it====+====How to check it ?====
  
   * Web tools   * Web tools
Line 206: Line 224:
 ==== How to configure it ?==== ==== How to configure it ?====
  
-In the Public ​dns of the ISP provider or in the setting of your server hosting provider. It is different for each case. A tip, it is close where you bought the IP. You need to create a PTR record and to assign the valid FQDN of your server+In the Public ​DNS of the ISP provider or in the setting of your server hosting provider. It is different for each case. A tip, it is close where you bought the IP. You need to create a PTR record and to assign the valid FQDN of your server
  
 This is what it looks at soyoustart This is what it looks at soyoustart
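Review bot: "it is close where you bought the IP" should be stated plainly: the PTR record lives in the reverse zone of whoever allocated the IP address (your hosting provider or ISP), not in your domain's DNS zone, which is why it is set in the hosting panel rather than at the DNS provider. Add that the FQDN you assign must itself resolve back to the same IP (forward-confirmed reverse DNS) and should be the name the server uses in HELO/EHLO; a PTR that does not round-trip is still penalised by receivers.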
Line 216: Line 234:
  
  
-====Examples of configuration====+====How to configure it ?====
 Ask to google Ask to google
  
 <​file>​ <​file>​
-PTR record YourIpProvider+set PTR record YourIpProvider
 </​file>​ </​file>​
  
-====How to check it====+====How to check it ?====
  
   * Web tools   * Web tools
  
  
-You can check if your reverse ​dns is well configured with the https://​mxtoolbox.com/​ReverseLookup.aspx by filling the IP of your server.+You can check if your reverse ​DNS is well configured with the https://​mxtoolbox.com/​ReverseLookup.aspx by filling the IP of your server.
  
   * In the terminal   * In the terminal
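Review bot: renaming "Examples of configuration" to "How to configure it ?" gives the reverse DNS section two identical "How to configure it ?" headings, the first introducing the hosting-panel explanation and this one only the "Ask to google" hint. Keep one, or fold the hint into the first. For the terminal check, the useful pair is dig -x <IP> +short followed by dig <returned name> +short, which confirms the PTR and the matching A record in both directions rather than the reverse lookup alone.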
Line 249: Line 267:
 ====How to configure it?==== ====How to configure it?====
  
-All you have to do is in the dns zone of your domain name. This is a list of [[https://​www.mail-tester.com/​spf/​|examples]] following your dns provider.+All you have to do is in the DNS zone of your domain name. This is a list of [[https://​www.mail-tester.com/​spf/​|examples]] following your DNS provider.
  
-add a record '​TXT'​ to the dns zone of your domain name with +add a record '​TXT'​ to the DNS zone of your domain name with 
  
 <​file>​ <​file>​
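Review bot: before the record example, say where the SPF TXT record goes and how many there may be: it must be published at the zone apex (the bare domain.com, often shown as "@" in a zone editor), and there must be exactly one record starting with v=spf1 per domain. A second v=spf1 TXT record makes receivers return permerror, which is treated as a failure; this is the most common mistake when a hosting provider has already pre-filled an SPF record.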
Line 280: Line 298:
 If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends. Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct. ​ If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends. Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct. ​
  
-====Examples of configuration====+====How to configure it ?====
   * [[https://​www.mail-tester.com/​spf/​|mail-tester.com]]   * [[https://​www.mail-tester.com/​spf/​|mail-tester.com]]
   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]
  
-====How to check it====+====How to check it ?====
   * Web tools   * Web tools
 https://​mxtoolbox.com/​spf.aspx https://​mxtoolbox.com/​spf.aspx
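Review bot: the advice to "change the SPF to -all for a while" during a spoofing attack does not do what the paragraph implies. SPF is evaluated by the receiver against the envelope sender, so your record only tells receivers how to treat mail from unauthorised IPs: ~all asks them to softfail it, -all to reject it, and neither stops a forger from sending. If the record is correct it should be -all permanently, and protection of the visible From: header (which spoofers actually forge) comes from DMARC, covered further down, not from toggling the SPF qualifier. The heading rename also leaves two "How to configure it" headings in the SPF section.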
Line 308: Line 326:
 In technical terms, DKIM lets a domain associate its name with an email message by affixing a digital signature to it. Verification is carried out using the signer'​s public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than message'​s authors and recipients. In that respect, DKIM differs from end-to-end digital signatures. In technical terms, DKIM lets a domain associate its name with an email message by affixing a digital signature to it. Verification is carried out using the signer'​s public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than message'​s authors and recipients. In that respect, DKIM differs from end-to-end digital signatures.
 ====How to configure it?==== ====How to configure it?====
-Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public ​dns provider.+Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public ​DNS provider.
  
-DKIM needs to be configured in the public DNS. You must create a **TXT** record '​default._domainkey'​ or '​default._domainkey.domain.com'​ in the DNS zone of your provider. **Your DKIM selector is default**+DKIM needs to be configured in the public DNS. You must create a **TXT** record '%%default._domainkey%%' or '%%default._domainkey.domain.com%%' in the DNS zone of your provider. **Your DKIM selector is default**
  
 <​file>​ <​file>​
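Review bot: say explicitly that the selector in the record name is the value NethServer puts in the s= tag of the DKIM-Signature header, so the TXT name and the selector must match exactly, and that most zone editors take the name relative to the zone as default._domainkey while the fully qualified default._domainkey.domain.com is what a verifier queries. Also worth a sentence: the public key must be copied as one TXT string with no line breaks inside the base64, and the key should be at least 1024 bits (2048 recommended), since verifiers are required to ignore shorter keys. Typo: "Dkim" should be "DKIM".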
Line 319: Line 337:
 {{::​screenshot-2017-12-30_1_1_gestion_des_domaines_1_.png?​900|}} {{::​screenshot-2017-12-30_1_1_gestion_des_domaines_1_.png?​900|}}
  
-====Examples of configuration====+====How to configure it ?====
   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]
-====How to check it====+====How to check it ?====
   * Web tools   * Web tools
 https://​mxtoolbox.com/​dkim.aspx https://​mxtoolbox.com/​dkim.aspx
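Review bot: with this rename the DKIM section has "How to configure it?" at the top and a second "How to configure it ?" introducing only the smtp2go link, which makes the link look like a separate procedure. Either keep "Examples of configuration" for this subsection or merge the link into the first heading.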
Line 359: Line 377:
 </​file>​ </​file>​
  
-==== How to check it ====+Here's a more complex DMARC entry for the test domain DMARC site: 
 + 
 +<​file>​ 
 +v=DMARC1; p=quarantine;​ rua=mailto:​reports@dmarc.site;​ ruf=mailto:​reports@dmarc.site;​ adkim=r; aspf=r; rf=afrf 
 +</​file>​ 
 + 
 +  * The "​p"​ option has three options: none, quarantine, or reject, for how email that violates policies should be handled 
 +  * The adkim and aspf options define how strictly DKIM and SPF policy should be applied, with '​s'​ indicating strict and '​r'​ indicating relaxed 
 +  * The RUA provides an address for aggregate data reports, while the RUF provides an address for forensic reports 
 +==== How to check it ?====
   * Web tools   * Web tools
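Review bot: the bullet explaining adkim and aspf is inaccurate: they set the alignment mode, not how strictly the DKIM or SPF check is applied. 's' requires the DKIM d= domain or the SPF envelope domain to equal the From: header domain exactly, 'r' also accepts subdomains; both default to r, and rf=afrf is also the default, so the "more complex" entry differs from the simple one only by p=quarantine and the rua/ruf addresses. Two practitioner caveats belong here: start with p=none and read the aggregate (rua) reports until every legitimate source aligns, then move to quarantine and reject; and ruf forensic reports are sent by few receivers and contain message content, so point them at a mailbox you are prepared to handle, and if a rua/ruf address is on a different domain from the policy domain the receiving domain must publish an authorisation record or reports will be dropped.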