Rules for mass mailing, or how not to end up in spam: PHP + OpenDKIM + Postfix setup


Requirements for mail sent to Gmail: https://support.google.com/mail/answer/81126?hl=en

Yandex requirements: http://help.yandex.ru/mail/honest-mailers.xml

Mail.ru requirements: https://help.mail.ru/mail-help/rules/technical

Recommendations for everyone: http://www.uceprotect.net/downloads/asta.pdf

Also from Google: https://support.google.com/mail/answer/1366858?hl=en&expand=5

In addition to meeting the requirements and recommendations, it is advisable to register with the statistics (postmaster) services of the corresponding mail providers, so you can see how your letters are received by their servers.

1. Always check the service logs on the server that sends the mail;

you most likely have one of sendmail, postfix or qmail installed.

2. Configure DKIM and check it every way you can (via Gmail, Yandex, third-party services).

Send letters to Gmail / Yandex / Mail.ru, open the original message and look at the authentication marks (there will be "dkim=pass" entries). There are special services for checking that the settings are correct; check there too.

https://help.ubuntu.com/community/Postfix/DKIM

In short, you should have an additional TXT record in DNS:

  selector._domainkey.yourdomain.com.
  v=DKIM1; g=*; k=rsa; p=PpYHdE2t4c3v4db6g,ij/k0.o,mytbv5cxs4fghjPaz1IbOGs/6bm5QIDAQAB

  You can choose any selector; then you generate a public and private key for it with opendkim.
  _domainkey is just a standard keyword; it is the same for everyone.
  Then you configure opendkim: which keys (public and private) it uses and where they are stored,
  which messages it should sign,
  and from which domains and IP addresses mail may be sent. If this is wrong, you either land in spam or a third-party service does not receive your mail at all.

  Configure the mail agent so that it adds the special headers generated by opendkim before sending letters to the Internet;
  this can be done through a unix socket file or a TCP port.

3. Configure SPF. Check it the same way as DKIM.

DNS records can be checked here, for example:

http://dkimcore.org/tools/dkimrecordcheck.html
http://dkimcore.org/tools/keycheck.html
http://www.protodave.com/tools/dkim-key-checker/


4. Set up Yandex statistics and the feedback loop (FBL)
5. Configure the same on Mail.ru
6. Monitor the statistics

https://postmaster.mail.ru/
https://postoffice.yandex.ru/
https://gmail.com/postmaster/


7. Letters must have an "unsubscribe" link that leads to the site and turns off the mailing,

and a List-Unsubscribe header in the letter: thanks to it, users get an unsubscribe button in their mail client.

8. You must have a permanent (static) IP and correctly configured DNS records for the domain,

and the PTR record for the IP must be configured correctly (most likely only the owner of the IP address, i.e. the provider, can change it).

HELO must match the SPF record, the A record in DNS and the PTR record:

ptr = your domain

9. The body of the letter should contain nothing extraneous and no scripts.

10. The letter must be sent with all the correct headers,

in the correct order and with the correct encoding,

and it must have a Return-Path.

It can be set in the PHP settings, by correct Postfix settings, or with the fifth parameter of the mail() function:

"-femail@mysite.com"

11. Regularly check that the server's IP is not in the anti-spam blacklists:

BACKSCATTERER http://www.backscatterer.org
BARRACUDA http://barracudacentral.org
CASA-CBLPLUS http://www.anti-spam.org.cn
IMP-SPAM http://antispam.imp.ch
INPS_DE http://dnsbl.inps.de
LASHBACK http://blacklist.lashback.com/
MAILSPIKE-BL http://mailspike.net/
NIXSPAM http://www.heise.de/ix/nixspam/dnsbl_en/
PSBL http://psbl.surriel.com/
RATS-ALL http://www.spamrats.com/
REDHAWK http://spameatingmonkey.com
SEM-BACKSCATTER http://spameatingmonkey.com
SEM-BLACK http://spameatingmonkey.com
SORBS-DUHL http://www.sorbs.net
SORBS-SPAM http://www.sorbs.net
SPAMCANNIBAL http://www.spamcannibal.org/
SPAMCOP http://spamcop.net
SPAMHAUS-ZEN http://www.spamhaus.org/
SWINOG http://antispam.imp.ch/
TRUNCATE http://www.gbudb.com
UCEPROTECT http://www.uceprotect.net/
WPBL http://wpbl.pc9.org/

Checking SPF and PTR records

The SPF TXT record for the domain: v=spf1 a mx ip4:123.123.321.321 ~all

or v=spf1 +mx +a ~all

The PTR record should look like this (under in-addr.arpa the octets of the address are written in reverse order):

123.123.321.321.in-addr.arpa IN PTR mysite.com

The subject must be encoded (RFC 2047 encoded word):

$newsubject = '=?UTF-8?B?' . base64_encode($subject) . '?=';

There should be headers:

$headers = 'From: no-reply@mysite.com' . "\r\n" .
    'Reply-To: no-reply@site.com' . "\r\n" .
    // the page's own List-Unsubscribe values were lost; <...> below are placeholders
    'List-Unsubscribe: <mailto:UNSUBSCRIBE-ADDRESS>, <UNSUBSCRIBE-URL>' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

Long lines should be broken:

$message = wordwrap($message, 70);
$t = mail($to, $newsubject, $message, $headers, "-fno-reply@mysite.com");

A minimal call with an explicit charset and the envelope sender in the fifth parameter:

mail("email@mysite.com", "subj", "message text",
     "From: email@mysite.com\nContent-Type: text/plain; charset=windows-1251\nContent-Transfer-Encoding: 8bit",
     "-femail@mysite.com");
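The same set of headers built with Python's standard email library, as an added example (not the page's PHP code): an RFC 2047-encoded Subject, List-Unsubscribe with both mailto: and https forms, Message-ID and Date, a body wrapped to 70 columns, and the envelope sender passed separately to sendmail with -f so that it becomes Return-Path. All addresses and URLs are constructed placeholders.

```python
"""Build a bulk message with the headers the page calls for (added example,
not the page's PHP code).  Addresses and URLs are constructed placeholders."""
import email.utils
import textwrap
from email.message import EmailMessage
from email.policy import SMTP


def build_bulk_message(to_addr, subject, body, *, from_addr,
                       unsubscribe_url, unsubscribe_mailto):
    """Return an EmailMessage with the headers a bulk sender should set."""
    domain = from_addr.rsplit("@", 1)[1]
    msg = EmailMessage(policy=SMTP)  # CRLF line endings, 78-column folding
    msg["From"] = from_addr
    msg["To"] = to_addr
    # A non-ASCII subject is turned into =?utf-8?...?= encoded words when the
    # message is serialized; this is what the manual base64 in the PHP code does.
    msg["Subject"] = subject
    msg["Date"] = email.utils.formatdate(localtime=True)
    msg["Message-ID"] = email.utils.make_msgid(domain=domain)
    # Both forms are allowed in List-Unsubscribe; the mailto: one is what most
    # mail clients use for their "unsubscribe" button.
    msg["List-Unsubscribe"] = f"<mailto:{unsubscribe_mailto}>, <{unsubscribe_url}>"
    # RFC 8058 one-click unsubscribe: the client POSTs to the https URL above.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # Wrap each paragraph to 70 columns, like wordwrap($message, 70) in PHP.
    wrapped = "\n".join(textwrap.fill(p, 70) for p in body.split("\n"))
    msg.set_content(wrapped)  # text/plain; charset and CTE chosen from the content
    return msg


def sendmail_argv(envelope_sender, recipients):
    """Arguments for piping the message into sendmail.  '-f' sets the envelope
    sender, which the MTA writes into Return-Path; PHP's mail() passes the same
    flag through its fifth parameter ("-fno-reply@mysite.com")."""
    return ["sendmail", "-i", "-f", envelope_sender] + list(recipients)


if __name__ == "__main__":
    m = build_bulk_message(
        "user@example.net", "Новости сайта за неделю",
        "Здравствуйте!\n\n" + "Длинная строка текста, которую нужно перенести. " * 4,
        from_addr="no-reply@mysite.example",
        unsubscribe_url="https://mysite.example/unsubscribe?u=TOKEN",
        unsubscribe_mailto="unsubscribe@mysite.example")
    print(" ".join(sendmail_argv("bounces@mysite.example", ["user@example.net"])))
    print(m.as_string())
```

To actually send, pipe `m.as_bytes()` into `subprocess.run(sendmail_argv(...), input=...)`; the MTA (Postfix here) then passes the message through the opendkim milter configured later on this page, so the DKIM-Signature header is added after these headers are in place.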

The whole setup can be tested, for example, here: http://www.mail-tester.com/

The test results should look something like this:

SpamAssassin believes the rating of your letters can be improved.

The well-known spam filter SpamAssassin. Score: -1.9. A score below -5 is considered spam.

-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
  This negative score becomes positive once the signature is verified. How to do this, see below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
  Fine! Your signature is valid.
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
  Fine! Your signature is valid and it belongs to your domain name.
-0.243 PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
-0.972 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
  The SPF record is not correct; you need to fix this (see the server authentication section below).
0.01 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-0.791 UPPERCASE_50_75 message body is 50-75% uppercase

You are not fully authenticated

We verify the authenticity of the server from which the letter was sent.

[SPF] Your server 12.345.678.109 has the right to use noreply@site.com
[Sender ID] Your server 12.345.678.109 has the right to use noreply@site.com
Your DKIM signature is valid.
You do not have a DMARC record.
The domain from the reverse DNS zone does not match the sender's domain.
Your domain name website.com is assigned to a mail server.
Your host.com site has a mail server.

Your message may be improved.

It is checked whether your letter is well formatted or not.

There is no HTML version of the message in your email.
You have no images in your letter. Alt attributes provide a text alternative to your images; this is a useful workaround for people with vision problems and for cases when your image cannot be displayed.

Your content is safe.

Checks for the presence of dangerous HTML elements in your letter, such as JavaScript, frames, embedded content and applets.
Checks whether your letter uses a link-shortening service.

Your message does not contain a List-Unsubscribe header.

The List-Unsubscribe header is required if you send bulk mailings; it allows the user to easily unsubscribe.

You are not blacklisted

DKIM Setup

This article discusses setting up a digital signature for your domain.

DomainKeys Identified Mail (DKIM) is an e-mail authentication method: a DKIM-Signature header is added to the sent letter, containing a cryptographic signature made with a key published under the sender's domain. The contents of the DKIM-Signature header thus confirm the sender of the letter. On the recipient's side the signature is verified automatically, after which whitelists and blacklists are consulted to determine the sender's reputation. Depending on that reputation, the letter is accepted, placed in the Spam folder, or sent for additional verification.

DKIM signing is configured for the following ways of sending letters:

  • via an SMTP server;
  • via the PHP mail() function, i.e. via sendmail.

Now, in more detail, how to configure DKIM on Ubuntu 16.

1. Install

apt install opendkim
apt install opendkim-tools

2. Generate the key and copy it to the settings folder

opendkim-genkey -t -s mail -d mysite.com

Two files will appear in the current directory: /home/user/mail.txt (the DNS record with the public key)

and /home/user/mail.private (the private key).

Create the folders /var/log/dkim-filter and /etc/mail/ if they do not exist.

cp mail.private /etc/mail/dkim.key

The key file must have permissions 600 and be owned by the opendkim user.

The public key must be inserted into a DNS TXT record; /home/user/mail.txt already contains it in the right format:

  sdkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; p=MIGfMA0GC...nlkgKWqM8E+kHwIDAQAB" )

----- DKIM key mail for mysite.com

To do this, create a DNS TXT record named

  selector._domainkey.yourdomain.com.

Check the added record on Linux via dig, for example:

  dig google._domainkey.protodave.com TXT

3. Configure the two opendkim config files

  /etc/opendkim.conf
  /etc/default/opendkim

You can choose any selector, but it must be the same as in the TXT record, for example sdkim.

  3.1 /etc/opendkim.conf

  Syslog yes
  #UserID 105 # 'id postfix' in your shell
  Domain mysite.com
  Selector sdkim
  #Domain * - all domains
  KeyFile /etc/mail/dkim.key # the private key for the Selector above
  AutoRestart yes
  Background yes
  Canonicalization relaxed/relaxed
  DNSTimeout 5
  Mode sv
  SignatureAlgorithm rsa-sha256
  Subdomains no
  X-Header no
  Statistics /var/log/dkim-filter/dkim-stats
  #RequiredHeaders yes

  3.2 /etc/default/opendkim

  SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891

The rest should be commented out.

4. Configure the Postfix configuration file

/etc/postfix/main.cf

  # DKIM
  milter_default_action = accept
  milter_protocol = 2
  smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891

If you also run Postfix with DomainKeys (a second milter on port 8892):

  milter_default_action = accept
  milter_protocol = 2
  smtpd_milters = inet:localhost:8891, inet:localhost:8892
  non_smtpd_milters = inet:localhost:8891, inet:localhost:8892

5. Add the DNS TXT record taken from the file generated by opendkim-genkey.

6. Restart, watch the logs and check that opendkim is listening on the port

sudo service opendkim start

sudo service opendkim restart

sudo /etc/init.d/postfix restart

netstat -ntap | grep opendkim

grep -i dkim /var/log/mail.log

7. Possible problems with permissions

The key file (/etc/mail/dkim.key) must have mode exactly 600 and be owned by the opendkim user.

Other problems are mainly due to incorrect settings.

If you generated the key with the -t parameter, the DNS record contains t=y and Gmail treats DKIM as being in test mode; remove it from the DNS record.

Check that you generated a key of at least 1024 bits.
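Most of the problems in steps 3, 4 and 7 are mismatches between the three files being edited: the socket opendkim listens on versus the milter address Postfix connects to, a missing Domain/Selector/KeyFile line, and the key file's mode and owner. The checker below is an added example (not part of opendkim or Postfix) that parses constructed copies of /etc/opendkim.conf, /etc/default/opendkim and /etc/postfix/main.cf and reports disagreements; the file contents and the 'opendkim' owner name are the page's own values, the parsing rules are the standard 'Key value' and 'name = value' syntaxes of those files.

```python
"""Consistency check across /etc/opendkim.conf, /etc/default/opendkim and
/etc/postfix/main.cf (added example; not part of opendkim or Postfix).
The file contents below are constructed samples matching the page."""
import os
import pwd
import re
import stat

OPENDKIM_CONF = """\
Syslog yes
Domain mysite.com
Selector sdkim
KeyFile /etc/mail/dkim.key # the private key for the Selector above
Canonicalization relaxed/relaxed
Mode sv
"""
OPENDKIM_DEFAULT = 'SOCKET="inet:8891@localhost" # Ubuntu default\n'
MAIN_CF = """\
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""


def parse_opendkim_conf(text):
    """'Key value' lines; '#' starts a comment; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_postfix_main_cf(text):
    """'name = value' lines (comments and continuation lines are ignored here)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def opendkim_socket(default_text, conf):
    """On Ubuntu SOCKET= in /etc/default/opendkim overrides the Socket directive."""
    m = re.search(r'^\s*SOCKET\s*=\s*"?([^"\n]+)"?', default_text, re.M)
    return m.group(1).split("#")[0].strip() if m else conf.get("socket", "")


def normalize_socket(spec):
    """Map both spellings to (kind, host, port-or-path):
    opendkim writes 'inet:8891@localhost', Postfix writes 'inet:localhost:8891'."""
    kind, _, rest = spec.partition(":")
    if kind == "inet":
        if "@" in rest:
            port, host = rest.split("@", 1)    # opendkim form
        else:
            host, port = rest.rsplit(":", 1)   # Postfix form
        return ("inet", host or "localhost", port)
    return (kind, "", rest)                    # local:/unix: socket path


def check_milter_consistency(opendkim_text, default_text, main_cf_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    conf = parse_opendkim_conf(opendkim_text)
    for required in ("domain", "selector", "keyfile"):
        if required not in conf:
            problems.append(f"opendkim.conf: missing {required}")
    listen = normalize_socket(opendkim_socket(default_text, conf))
    pf = parse_postfix_main_cf(main_cf_text)
    for name in ("smtpd_milters", "non_smtpd_milters"):
        milters = [normalize_socket(s.strip()) for s in pf.get(name, "").split(",") if s.strip()]
        if listen not in milters:
            problems.append(f"main.cf: {name} does not include opendkim socket {listen}")
    if pf.get("milter_default_action", "") != "accept":
        problems.append("main.cf: milter_default_action should be 'accept' so mail is not "
                        "rejected when opendkim is down")
    return problems


def key_file_findings(mode, owner, expected_owner="opendkim"):
    """Findings for the private key's permission bits and owner (step 7)."""
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append(f"key is mode {stat.S_IMODE(mode):04o}, should be 0600")
    if owner != expected_owner:
        findings.append(f"key owned by {owner}, should be {expected_owner}")
    return findings


def check_key_file(path, expected_owner="opendkim"):
    """Run key_file_findings against a real file on disk."""
    st = os.stat(path)
    return key_file_findings(st.st_mode, pwd.getpwuid(st.st_uid).pw_name, expected_owner)


if __name__ == "__main__":
    print(check_milter_consistency(OPENDKIM_CONF, OPENDKIM_DEFAULT, MAIN_CF) or "milter config consistent")
    print(key_file_findings(0o100644, "root"))  # what a freshly copied key often looks like
```

On a live server replace the three constants with the real file contents (`open(...).read()`) and call `check_key_file("/etc/mail/dkim.key")`; a non-empty result explains the usual "opendkim is running but nothing gets signed" symptom before you start reading mail.log.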

8. Check the headers in the mail services

8. reason=pubkey_syntax: error on the recipient's side, seen in the headers of the received letter

  X-DKIM-FAIL: DKIM test failed: invalid (address=info@site.com domain=site.com reason=pubkey_syntax).
  X-DMARC-Policy: no
  X-Magic: A2BBA6E1549E1F578244526....918F9CA260D04BD65B
  X-Mras: PROBABLE_SPAM
  X-Mru-Authenticated-Sender: uid:33@site.com
  X-Spam: undefined
  X-UBL: White

  Check the DNS TXT record: there is probably a space or a line break inside the public key.

  9. reason=pubkey_unavailable: error on the recipient's side, seen in the headers of the received letter

  X-DKIM-FAIL: DKIM test failed: invalid (address=info@site.com domain=site.com reason=pubkey_unavailable).
  X-DMARC-Policy: no
  X-Magic: B35BD59DA489B18B...EE438187B06E8F9CA260D04BD65B
  X-Mras: PROBABLE_SPAM
  X-Mru-Authenticated-Sender: uid:33@site.com
  X-Spam: undefined
  X-UBL: White

  Check the DNS TXT record (there may be a space or a line break inside the public key) and check that the selector name is the same in the DKIM settings, in the letter's DKIM-Signature header (s=) and in the DNS record:

  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=site.com;
	s=SELECTOR; t=1473841660;
	bh=tynu3gy6dVp9yA.....oDMk6pM=;
	h=To:Subject:Message-ID:Date:From:From:Sender:To:CC:Subject:
	 Message-ID:Date;
	b=TqVp3+wapQuy......nrPUcNr4MI=

 

dig SELECTOR._domainkey.site.com TXT

; <<>> DiG 9.10.3-P4-Ubuntu <<>> SELECTOR._domainkey.site.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;SELECTOR._domainkey.site.com. IN TXT

;; ANSWER SECTION:
SELECTOR._domainkey.siter.com. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfM...B"

;; Query time: 47 msec
;; SERVER: 11/11/11#53(1.1.1.10)
;; WHEN: Wed Sep 14 10:41:32 CEST 2016
;; MSG SIZE  rcvd: 307
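The three failure modes described in items 7 to 9 (a t=y test flag left in the record, whitespace or a line break inside p=, a selector in the DKIM-Signature header that does not match the DNS record name, and a key shorter than 1024 bits) can all be caught by linting the TXT record before a recipient does. The script below is an added example, not part of opendkim: it parses a DKIM-Signature header to derive the name a verifier queries (s._domainkey.d), joins the split quoted strings dig prints for long TXT records, and checks the p= value down to the RSA modulus size with a minimal DER reader. The key in the test is constructed from a made-up modulus so the example runs offline; it is not a real key, and the tag names (v, k, p, t, s, d) are the standard DKIM ones.

```python
"""Lint a DKIM DNS record against its DKIM-Signature header (added example,
not part of opendkim).  The RSA key used for testing is constructed from a
made-up modulus; it is only there to exercise the size check offline."""
import base64
import binascii
import re


def parse_tags(text):
    """tag=value list ('v=DKIM1; k=rsa; p=...'); only surrounding whitespace is dropped."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def join_txt_strings(dig_line):
    """dig prints long TXT records as several quoted strings; concatenate them."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    return "".join(parts) if parts else dig_line.strip()


def dkim_query_name(signature_header):
    """The TXT name a verifier queries for this DKIM-Signature: s._domainkey.d"""
    value = re.sub(r"^\s*DKIM-Signature\s*:", "", signature_header, flags=re.I)
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}"


# --- minimal DER handling, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def constructed_rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for modulus n (constructed test data, not a real key)."""
    rsa_encryption = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # OID + NULL
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, rsa_encryption) + _der(0x03, b"\x00" + rsa_key))

def _der_read(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):
    """Bit length of the modulus inside a DER SubjectPublicKeyInfo (the p= payload)."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _, after_alg = _der_read(body, 0)        # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_read(body, after_alg)
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_key, _ = _der_read(bitstr, 1)        # skip the unused-bits byte
    _, modulus, _ = _der_read(rsa_key, 0)       # RSAPublicKey: first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def lint_dkim_record(record_text, expected_name=None, record_name=None):
    """Findings for a DKIM TXT record; an empty list means it looks fine."""
    findings = []
    if expected_name and record_name and \
            record_name.rstrip(".").lower() != expected_name.rstrip(".").lower():
        findings.append(f"record name {record_name} != {expected_name} from the "
                        "signature (pubkey_unavailable)")
    tags = parse_tags(join_txt_strings(record_text))
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 if present")
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"k={tags['k']} is not rsa")
    p = tags.get("p")
    if p is None:
        return findings + ["no p= tag: record is malformed or the key was revoked"]
    if re.search(r"\s", p):
        findings.append("whitespace or line break inside p= (pubkey_syntax)")
        p = re.sub(r"\s+", "", p)
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError):
        return findings + ["p= is not valid base64 DER (pubkey_syntax)"]
    if bits < 1024:
        findings.append(f"RSA modulus is only {bits} bits; use at least 1024")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y test flag set: receivers treat the signature as testing only")
    return findings


if __name__ == "__main__":
    key = base64.b64encode(constructed_rsa_spki((1 << 1023) | 0x1234567)).decode()
    sig = "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=site.com; s=SELECTOR;"
    print(dkim_query_name(sig))
    print(lint_dkim_record(f'"v=DKIM1; k=rsa; t=y; " "p={key}"',
                           dkim_query_name(sig), "mail._domainkey.site.com."))
```

Feed it the ANSWER SECTION line from dig (`record_text`) and the DKIM-Signature header from a received letter (`dkim_query_name`); each finding maps onto one of the reason= values above, so you know whether to fix the DNS record, the selector, or regenerate the key.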

  10. "Sender:" and "Message-Id" fields not included in signature
  Add to the opendkim.conf config file:
  ...

SignHeaders From,Sender,To,CC,Subject,Message-ID,Date,Content-Type,MIME-Version
OversignHeaders From,Sender,To,CC,Subject,Message-ID,Date,Content-Type,MIME-Version

  ...


 

There are also ready-made services for checking whether your IP is in the blacklists, for example:

http://xseo.in/dnsbl

The result will look something like this:

DNSBL server | Listed in DNSBL | Server response code(s)* | Add. information**
all.s5h.net No
b.barracudacentral.org No
bl.emailbasura.org No
bl.spamcannibal.org No
bl.spamcop.net No
blackholes.five-ten-sg.com No
blacklist.woody.ch No
bogons.cymru.com No
cbl.abuseat.org No
cdl.anti-spam.org.cn No
combined.abuse.ch No
db.wpbl.info No
dnsbl-1.uceprotect.net No
dnsbl-2.uceprotect.net No
dnsbl-3.uceprotect.net No
dnsbl.anticaptcha.net No
dnsbl.cyberlogic.net No
dnsbl.dronebl.org No
dnsbl.inps.de No
dnsbl.sorbs.net No
drone.abuse.ch No
duinv.aupads.org No
dul.dnsbl.sorbs.net No
dyna.spamrats.com Yes
dynip.rothen.com No
exitnodes.tor.dnsbl.sectoor.de No
http.dnsbl.sorbs.net No
ips.backscatterer.org No
ix.dnsbl.manitu.net No
korea.services.net No
misc.dnsbl.sorbs.net No
noptr.spamrats.com No
orvedb.aupads.org No
pbl.spamhaus.org Yes
proxy.bl.gweep.ca No
psbl.surriel.com No
rbl.interserver.net No
rbl.megarbl.net No
relays.bl.gweep.ca No
relays.bl.kundenserver.de No
relays.nether.net No
sbl.spamhaus.org No
service.mailblacklist.com No
short.rbl.jp No
singular.ttk.pte.hu No
smtp.dnsbl.sorbs.net No
socks.dnsbl.sorbs.net No
spam.abuse.ch No
spam.dnsbl.sorbs.net No
spam.spamrats.com No
spambot.bls.digibase.ca No
spamrbl.imp.ch No
spamsources.fabel.dk No
ubl.lashback.com No
ubl.unsubscore.com No
virbl.bit.nl No
virus.rbl.jp No
web.dnsbl.sorbs.net No
wormrbl.imp.ch No
xbl.spamhaus.org No
zen.spamhaus.org Yes
zombie.dnsbl.sorbs.net No
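Such a service does nothing more than reverse the octets of your IP and look the result up under each DNSBL zone, which is the same reversal the in-addr.arpa PTR name from item 8 uses. The script below is an added example (not the xseo.in service and not part of the page): it builds the PTR and DNSBL query names, checks forward-confirmed reverse DNS (PTR of the IP names the HELO host, and that host resolves back to the IP) and asks a handful of the zones from the table above. The resolver is injected so the example runs offline against constructed answers; 192.0.2.0/24 is the documentation range and the hostnames and listing answers are made up. Swap in a real resolver to check a live server.

```python
"""Reverse-DNS and DNSBL query names with a pluggable resolver (added example,
not the xseo.in service).  IPs, hostnames and answers are constructed test data."""
import ipaddress

# A few of the zones from the table above; a real check walks the whole list.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org",
               "dnsbl.sorbs.net", "psbl.surriel.com"]


def reversed_octets(ip):
    """'192.0.2.10' -> '10.2.0.192', the order used by in-addr.arpa and DNSBLs."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def ptr_name(ip):
    """The PTR record name the IP's owner (usually the provider) has to create."""
    return f"{reversed_octets(ip)}.in-addr.arpa."


def dnsbl_name(ip, zone):
    return f"{reversed_octets(ip)}.{zone.rstrip('.')}."


def check_dnsbls(ip, resolve_a, zones=DNSBL_ZONES):
    """Return {zone: answers} for zones that list ip.  A DNSBL answers an A query
    with 127.0.0.x when the IP is listed and NXDOMAIN (here: []) otherwise; what
    x means is documented by each zone."""
    listed = {}
    for zone in zones:
        answers = resolve_a(dnsbl_name(ip, zone))
        if answers:
            listed[zone] = answers
    return listed


def check_forward_confirmed_rdns(ip, helo_host, resolve_ptr, resolve_a):
    """Item 8 on the page: the PTR of the IP must be the HELO host, and that host
    must resolve back to the IP (forward-confirmed reverse DNS)."""
    problems = []
    host = helo_host.rstrip(".").lower()
    ptrs = [h.rstrip(".").lower() for h in resolve_ptr(ptr_name(ip))]
    if not ptrs:
        problems.append(f"no PTR record for {ip} ({ptr_name(ip)})")
    elif host not in ptrs:
        problems.append(f"PTR for {ip} is {ptrs}, HELO host is {host}")
    if ip not in resolve_a(host + "."):
        problems.append(f"{host} does not resolve to {ip}")
    return problems


# Constructed answers standing in for real DNS.  Replace fake_resolve with a
# real lookup (e.g. dnspython) to check a live server.
_FAKE_DNS = {
    "10.2.0.192.in-addr.arpa.": ["mail.mysite.example."],
    "mail.mysite.example.": ["192.0.2.10"],
    "10.2.0.192.zen.spamhaus.org.": ["127.0.0.11"],      # listed (constructed)
    "20.2.0.192.in-addr.arpa.": ["static-20.isp.example."],  # provider's generic PTR
    "static-20.isp.example.": ["192.0.2.20"],
}


def fake_resolve(name):
    return _FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, ptr_name(ip),
              check_forward_confirmed_rdns(ip, "mail.mysite.example", fake_resolve, fake_resolve),
              check_dnsbls(ip, fake_resolve))
```

The second constructed address shows the common case from item 8: the provider left a generic PTR, so HELO, PTR and the A record disagree even though the IP is not on any list.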
created: 2014-11-23
updated: 2021-07-14


