The British Caving Association
Email reputation on BCA's servers – SPF, DKIM and DMARC
Author: David Gibson [ Wed 19 Apr 2017 12:46 ]
BCA's IT team has recently implemented several features to enhance the reputation of email passing through its servers. This was done to reduce the amount of spam which, in turn, enhances the reputation of the servers and prevents large ISPs from periodically blocking BCA email. These measures, known as SPF, DKIM and DMARC, were put in place primarily for BCA's own domain name but they also affect everyone who buys web services from BCA and uses BCA's servers to send or receive email.
This posting is not an official message from the IT team; rather, it is a list of my own observations, compiled whilst I was making the necessary changes to my own mail system in order to catch up with BCA's swiftly implemented policy. I may have got some things wrong, but this is a forum and you can correct me.
A good starting point would be to read Matt Wire's blog. You can also run a web search for spf syntax, dkim syntax and dmarc syntax.
Thanks to Matt Wire and Dave Cooke for various discussions.
SPF, DKIM and DMARC
There are three processes that BCA now applies to email: SPF, DKIM and DMARC. For each process there are three scenarios to consider: incoming mail, outgoing mail, and remote mail (i.e. what happens to your outgoing mail when it reaches a remote mail server). These notes are written from the point of view of domains hosted on the BCA server(s).
An SPF record is a public record, stored with your DNS settings, that says which mail servers are allowed to send email on your behalf. You can enable SPF in your cpanel. If your DNS is external to BCA then you will need to edit your DNS entries manually. The precise details will depend on your DNS hosting company. In my case, I would create a DNS ENTRY called @ with TYPE = "TXT/SPF" and DESTINATION/TARGET = something like
v=spf1 +a +mx +ip4:126.96.36.199 +ip4:188.8.131.52 -all
which describes britiac2 and britiac3 as designated senders for your domain. You may wish or need to add other domains.
i) Incoming mail: If you have enabled SPF and an incoming message fails your SPF test, then the mail will be rejected and bounced back to the sender.
ii) Outgoing mail: SPF is not applicable to outgoing email.
iii) Remote mail: If your DNS contains an SPF record and this is tested by a remote server then your email might be rejected, or it may be lost or it may be passed on, but perhaps with an additional header warning of the test failure.
A DKIM record is a public record, stored with your DNS settings, and is the public-key part of a cryptographic signature. Your outgoing emails are signed using the corresponding private key. If, when tested, the signature (contained in one of the email headers) does not match the email body and certain (specified) headers, then the email must have been tampered with.
You can enable DKIM in your cpanel. If your DNS is external to BCA then you will need to edit your DNS entries manually. The precise details will depend on your DNS hosting company. In my case, I would create a DNS ENTRY called default._domainkey with TYPE = "TXT" and DESTINATION/TARGET beginning something like
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8olo6P
but see below for more information on setting DKIM records.
i) Incoming mail: All incoming mail, regardless of your cpanel setting, is tested for a valid DKIM signature; but it is currently accepted anyway, regardless of the test result (but is subject to DMARC testing later). This BCA policy may change, so please check here or ask the IT team if you are in any doubt. One reason for accepting signature failures is that Mailman notoriously breaks DKIM signatures.
ii) Outgoing mail: if you have enabled DKIM then a signature is added to your outgoing mail.
iii) Remote mail: If your outgoing mail has a DKIM signature, it is likely to be tested by a mail server somewhere along the route to its destination. If your DNS contains a DKIM record, then your mail should pass the test. If your DKIM record is missing, or the mail is a forgery, then the test will fail and your email might be rejected, or it might be lost, or it might be passed on, but perhaps with an additional header warning of the test failure.
A DMARC record is a public record, stored with your DNS settings, which tells a mail server what to do if your email fails an SPF or DKIM test. DMARC is not yet supported by cpanel servers (Jan 2017, version 60). For now, you have to use the zone edit tools to create your DNS entry. If your DNS is external to BCA then you will need to edit your DNS entries manually. The precise details will depend on your DNS hosting company. In my case, I would create a DNS ENTRY called _dmarc.caves.org.uk with TYPE = "TXT". Matt Wire suggests a DESTINATION/TARGET something like
v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; fo=1; rf=afrf; pct=100; ruf=mailto:firstname.lastname@example.org; ri=86400
where the mailto: address in ruf= is your reporting address. The above setting will send a forensic report when either SPF or DKIM checks fail. Alternatively, you may wish to implement a less stringent setting to begin with. See the advice "Deploy Slowly" at https://support.google.com/a/answer/2466563?hl=en
i) Incoming mail: Your DMARC settings explain what to do if an email fails an SPF or DKIM test. This may include notifying the sender of the test failure.
ii) Outgoing mail: Your DMARC setting is not applicable to outgoing email.
iii) Remote mail: Your DMARC settings explain what to do if an email fails an SPF or DKIM test. This may include notifying the sender of the test failure.
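As an added illustration (my own example code, not anything from the post or BCA's servers), the Python below parses records in the three formats shown above, evaluates the ip4/all part of the SPF record for a connecting address, and applies the DMARC decision that a receiving server makes: relaxed alignment (adkim=r / aspf=r) between the From: domain and the SPF/DKIM domains, then the p= or sp= policy. The sample records are constructed in the post's format, the reporting address is a placeholder, and PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List.

```python
import ipaddress
# Constructed sample records in the format the post shows (not live BCA DNS data).
SPF_RECORD = "v=spf1 +a +mx +ip4:126.96.36.199 +ip4:188.8.131.52 -all"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; fo=1; "
                "rf=afrf; pct=100; ruf=mailto:dmarc@example.org; ri=86400")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PUBLIC_SUFFIXES = {"org.uk", "co.uk", "com", "org"}  # stand-in for the Public Suffix List

def parse_tags(record):  # 'tag=value; tag=value' (DKIM or DMARC) -> dict
    out = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            out[tag.strip()] = value.strip()
    return out

def spf_check_ip4(record, client_ip):
    """Evaluate ip4/all only (a and mx need DNS lookups, so they are skipped here)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"  # qualifier defaults to '+'
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all" or (name == "ip4" and ip in ipaddress.ip_network(arg, strict=False)):
            return RESULT[qual]
    return "neutral"

def org_domain(domain):  # organisational domain used by relaxed (r) alignment
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()

def aligned(from_domain, auth_domain, mode):  # 's' = strict, 'r' = relaxed
    return (from_domain.lower() == auth_domain.lower() if mode == "s"
            else org_domain(from_domain) == org_domain(auth_domain))

def dmarc_disposition(dmarc, from_domain, spf, spf_domain, dkim, dkim_domain):
    """'pass' if an aligned SPF or DKIM pass exists, else the p (or sp) policy to apply."""
    tags = parse_tags(dmarc)
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]  # subdomain policy
    return tags.get("p", "none")
```

Because a host matched only by the a or mx mechanisms is not resolved here, such a sender would wrongly reach -all in this simplified evaluator; a real receiver performs those lookups before applying the policy.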
Generating DKIM signatures
If your DNS is hosted at BCA you just need to enable DKIM in your cpanel. If your DNS is external to BCA then you will need to paste the public key, displayed to you in cpanel, into the DNS settings at your DNS hosting company. However, there are a number of things that can go wrong.