Lecture
Requirements for messages sent to Gmail https://support.google.com/mail/answer/81126?hl=en
Yandex requirements http://help.yandex.ru/mail/honest-mailers.xml
Mail.ru requirements https://help.mail.ru/mail-help/rules/technical
Recommendations for everyone http://www.uceprotect.net/downloads/asta.pdf
https://support.google.com/mail/answer/1366858?hl=en&expand=5
In addition to meeting the requirements and recommendations, it is advisable to register with the statistics each provider keeps on mail received from your servers.
1. Always check the logs of the mail service on the sending server; you most likely have one of sendmail, postfix or qmail installed.
2. Configure DKIM and check it in every way available (via Gmail, Yandex, third-party services).
Send letters to Gmail / Yandex / Mail.ru and look at the check results in the original (raw) message: there will be dkim=pass entries. There are special services for checking that the settings are correct; check there as well.
https://help.ubuntu.com/community/Postfix/DKIM
In short, you need an additional TXT record in DNS:
selector._domainkey.yourdomain.com. v=DKIM1; g=*; k=rsa; p=PpYHdE2t4c3v4db6g,ij/k0.o,mytbv5cxs4fghjPaz1IbOGs/6bm5QIDAQAB
You choose any selector name; then generate the public and private key for it with opendkim.
_domainkey is just a standard keyword and is the same for everyone.
Then you configure dkim: which keys to use and where they are (public and private), which domains and IP addresses mail may be signed for, and, if you still end up in spam or a third-party service does not accept your mail, configure the mail agent so that it adds the special headers generated by dkim before sending messages to the Internet; this is done through a file or a port / unix socket.
3. Configure SPF and check it the same way as DKIM.
DNS records can be checked here, for example:
http://dkimcore.org/tools/dkimrecordcheck.html
http://dkimcore.org/tools/keycheck.html
http://www.protodave.com/tools/dkim-key-checker/
4. Set up Yandex statistics and the feedback loop (FBL).
5. Configure the same on Mail.ru.
6. Monitor the statistics:
https://postmaster.mail.ru/
https://postoffice.yandex.ru/
https://gmail.com/postmaster/
7. Letters must have an "unsubscribe" link that leads to the site and turns off the mailing,
and the corresponding header (List-Unsubscribe) in the message; thanks to it, users get an unsubscribe button in their mail client.
8. You must have a permanent IP address and correctly configured DNS records for the domain,
and for the IP the PTR record must be set correctly (most likely only the owner of the IP address, i.e. the provider, can change it).
HELO must match what is in DNS: the SPF record and the PTR record
ptr = your domain
9. The body of the letter should contain nothing extraneous and no scripts.
10. The letter must be sent with all the correct headers,
in the correct order and with the correct encoding,
and must have a Return-Path.
It can be added either in the PHP settings (it will then go through the correct postfix settings) or with the fifth parameter of the mail() function
("-femail@mysite.com")
11. Regularly check that the server's IP is not in the anti-spam blacklists:
BACKSCATTERER http://www.backscatterer.org
BARRACUDA http://barracudacentral.org
CASA-CBLPLUS http://www.anti-spam.org.cn
IMP-SPAM http://antispam.imp.ch
INPS_DE http://dnsbl.inps.de
LASHBACK http://blacklist.lashback.com/
MAILSPIKE-BL http://mailspike.net/
NIXSPAM http://www.heise.de/ix/nixspam/dnsbl_en/
PSBL http://psbl.surriel.com/
RATS-ALL http://www.spamrats.com/
REDHAWK http://spameatingmonkey.com
SEM-BACKSCATTER http://spameatingmonkey.com
SEM-BLACK http://spameatingmonkey.com
SORBS-DUHL http://www.sorbs.net
SORBS-SPAM http://www.sorbs.net
SPAMCANNIBAL http://www.spamcannibal.org/
SPAMCOP http://spamcop.net
SPAMHAUS-ZEN http://www.spamhaus.org/
SWINOG http://antispam.imp.ch/
TRUNCATE http://www.gbudb.com
UCEPROTECTL http://www.uceprotect.net/
WPBL http://wpbl.pc9.org/
Checking SPF and PTR records
SPF record for the domain: v=spf1 a mx ip4:123.123.321.321 ~all
or v=spf1 +mx +a ~all
The PTR record should look like this (in in-addr.arpa the octets of the IP are written in reverse order):
321.321.123.123.in-addr.arpa. IN PTR mysite.com.
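An added example (not code from the lecture) that evaluates the two SPF record shapes above against a sending IP and builds the reversed names used for the PTR record and for the blacklist checks of item 11. DNS answers are a constructed dict passed in by hand, so it runs offline; the addresses used are documentation ranges chosen for the example.

```python
import ipaddress

# Added example, not code from the lecture: an offline evaluator for the SPF
# record shapes shown above, plus the reversed names used for the PTR record
# and for the DNSBL checks of item 11. DNS answers come from a constructed
# dict standing in for the resolver, so nothing here touches the network.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip, dns):
    """SPF result for client_ip under record.

    dns["a"]  = A records of the domain itself (for the "a" mechanism)
    dns["mx"] = A records of the domain's MX hosts (for the "mx" mechanism)
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                     # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                        # no prefix means "+": pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = any(ip == ipaddress.ip_address(x) for x in dns.get(mech, []))
        else:
            return "permerror"                 # include:/exists: etc. are not handled here
        if matched:
            return QUALIFIERS[qualifier]       # the first matching mechanism decides
    return "neutral"                           # nothing matched and no "all" term

def ptr_owner_name(ip):
    """Owner name of the PTR record: the octets reversed under in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def dnsbl_query_name(ip, zone):
    """Name to query in a blacklist zone such as zen.spamhaus.org (same reversal)."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

With the first record, a sender that is neither the domain's A/MX host nor inside the ip4: range gets softfail, which is exactly the SPF_SOFTFAIL line mail-tester reports further down.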
The subject must carry its own encoding:
$newsubject = '=?UTF-8?B?' . base64_encode($subject) . '?=';
There should be headers:
// the List-Unsubscribe values below are placeholders; the original page's values were lost
$headers = 'From: no-reply@mysite.com' . "\r\n" .
    'Reply-To: no-reply@site.com' . "\r\n" .
    'List-Unsubscribe: <mailto:unsubscribe@mysite.com>, <https://mysite.com/unsubscribe>' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
Long lines should be wrapped:
$message = wordwrap($message, 70);
$t = mail($to, $newsubject, $message, $headers, "-fno-reply@mysite.com");
mail("email@mysite.com", "subj", "message text", "From: email@mysite.com\nContent-Type: text/plain; charset=windows-1251\nContent-Transfer-Encoding: 8bit", "-femail@mysite.com");
The whole setup can be tested, for example, here: http://www.mail-tester.com/
The test results should look something like this:
The famous spam filter SpamAssassin. Rating: -1.9.
A score below -5 is considered spam.
-0.1 | DKIM_SIGNED | Message has a DKIM or DK signature, not necessarily valid. This negative rating will become positive once you confirm the signature; how to do this is described below.
0.1 | DKIM_VALID | Message has at least one valid DKIM or DK signature. Fine! Your signature is valid.
0.1 | DKIM_VALID_AU | Message has a valid DKIM or DK signature from author's domain. Fine! Your signature is valid and it belongs to your domain name.
-0.243 | PP_MIME_FAKE_ASCII_TEXT | MIME text/plain claims to be ASCII but isn't
-0.972 | SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail). The SPF record is not correct; you need to fix this (see the server authentication section below).
0.01 | T_RP_MATCHES_RCVD | Envelope sender domain matches handover relay domain
-0.791 | UPPERCASE_50_75 | message body is 50-75% uppercase
Server authentication: the server from which the letter was sent is verified.
Formatting: it is checked whether your letter is well formed.
There is no HTML version of the message in your email.
Alt attributes provide a text alternative to your images.
This is useful for people with vision problems and for cases when your image cannot be displayed.
It checks for dangerous HTML elements in your letter, such as JavaScript, frames, embedded content and applets.
It checks whether your letter uses a link-shortening service.
The List-Unsubscribe header is required if you are sending bulk mailings; it allows the user to easily unsubscribe.
Your message does not contain a List-Unsubscribe header.
This article discusses setting up a digital signature for your domain.
DomainKeys Identified Mail (DKIM) is an e-mail authentication method: a DKIM-Signature header is added to the outgoing letter, containing a signature bound to the sender's domain, so the contents of the DKIM-Signature header confirm who sent the letter. On the recipient's side the signature is verified automatically, after which whitelists and blacklists are consulted to determine the sender's reputation. Depending on that reputation the letter is accepted, placed in the Spam folder, or sent for additional verification.
Configure the DKIM signature for the following ways of sending letters:
And now in more detail on how to configure DKIM on Ubuntu 16.
1. Install
apt install opendkim
apt install opendkim-tools
2. Generate the key and copy it to the settings folder
opendkim-genkey -t -s mail -d mysite.com
Two files will appear (/home/user/mail.txt with the public-key TXT record,
and /home/user/mail.private with the private key).
You need to create the folders /var/log/dkim-filter and /etc/mail/ if they are not there.
cp mail.private /etc/mail/dkim.key
The key file must have permissions 600 and be owned by the opendkim user.
The public-key record needs to be inserted into DNS as a TXT record.
/home/user/mail.txt
sdkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; p=MIGfMA0GC...nlkgKWqM8E+kHwIDAQAB" )
----- DKIM key mail for mysite.com
To do this, we create a DNS TXT record
selector._domainkey.yourdomain.com. Check the added record in Linux via dig, for example: dig google._domainkey.protodave.com TXT
3. Configure the two opendkim config files:
/etc/opendkim.conf and /etc/default/opendkim
You choose any selector name, but it must be the same as in the DNS TXT record, for example sdkim.
3.1 /etc/opendkim.conf
Syslog yes
#UserID 105 # 'id postfix' in your shell
Domain mysite.com
#Domain * - all domains
Selector sdkim # must match the selector in the DNS TXT record
KeyFile /etc/mail/dkim.key # the private key copied above
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
Subdomains no
X-Header no
Statistics /var/log/dkim-filter/dkim-stats
#RequiredHeaders yes
3.2 /etc/default/opendkim
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891; the other SOCKET lines should be commented out
4. Configure the postfix configuration file
/etc/postfix/main.cf
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
If you have Postfix with DomainKeys as well:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891, inet:localhost:8892
non_smtpd_milters = inet:localhost:8891, inet:localhost:8892
5. Add the TXT record taken from the file generated by opendkim to DNS.
6. Restart, then watch the logs and check that opendkim is listening on the port:
sudo service opendkim start
sudo service opendkim restart
sudo /etc/init.d/postfix restart
netstat -ntap | grep opendkim
grep -i dkim /var/log/mail.log
7. Possible problems with permissions
The key file must have mode exactly 600 and be owned by the opendkim user.
Other problems are mainly due to incorrect settings.
If you generated the key with the -t parameter, Gmail will treat DKIM as being in test mode; remove t=y from the DNS record.
Check that you generated a key of at least 1024 bits.
8. Check the headers in the mail services.
8. reason=pubkey_syntax: error on the recipient's side, shown in the headers of the received letter
X-DKIM-FAIL: DKIM test failed: invalid (address=info@site.com domain=site.com reason=pubkey_syntax).
X-DMARC-Policy: no
X-Magic: A2BBA6E1549E1F578244526....918F9CA260D04BD65B
X-Mras: PROBABLE_SPAM
X-Mru-Authenticated-Sender: uid:33@site.com
X-Spam: undefined
X-UBL: White
Check the DNS TXT record. Perhaps there is a space or line break in the public key.
9. reason=pubkey_unavailable: error on the recipient's side, shown in the headers of the received letter
X-DKIM-FAIL: DKIM test failed: invalid (address=info@site.com domain=site.com reason=pubkey_unavailable).
X-DMARC-Policy: no
X-Magic: B35BD59DA489B18B...EE438187B06E8F9CA260D04BD65B
X-Mras: PROBABLE_SPAM
X-Mru-Authenticated-Sender: uid:33@site.com
X-Spam: undefined
X-UBL: White
Check the DNS TXT record: there may be a space or line break in the public key, and the selector name must be the same in the DKIM settings, in the letter and in the DNS records.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=site.com; s=SELECTOR; t=1473841660; bh=tynu3gy6dVp9yA.....oDMk6pM=; h=To:Subject:Message-ID:Date:From:From:Sender:To:CC:Subject:Message-ID:Date; b=TqVp3+wapQuy......nrPUcNr4MI=
dig SELECTOR._domainkey.site.com TXT
; <<>> DiG 9.10.3-P4-Ubuntu <<>> SELECTOR._domainkey.site.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;SELECTOR._domainkey.site.com. IN TXT
;; ANSWER SECTION:
SELECTOR._domainkey.site.com. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfM...B"
;; Query time: 47 msec
;; SERVER: 1.1.1.10#53(1.1.1.10)
;; WHEN: Wed Sep 14 10:41:32 CEST 2016
;; MSG SIZE  rcvd: 307
10. "Sender:" and "Message-Id" fields not included in signature
Add to the opendkim.conf config file:
...
SignHeaders From,Sender,To,CC,Subject,Message-ID,Date,Content-Type,MIME-Version
OversignHeaders From,Sender,To,CC,Subject,Message-ID,Date,Content-Type,MIME-Version
...
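An added example, not opendkim's or the lecture's own code, for the failures just described (pubkey_syntax, pubkey_unavailable, a selector that does not match) plus the t=y flag and the 1024-bit minimum from step 7. It checks a TXT record value as dig prints it, handling the split quoted strings of long records, and derives the name a receiver queries from the DKIM-Signature header; SAMPLE_P is a constructed 162-byte placeholder, not a real key.

```python
import base64
import re

# Added example, not opendkim's or the lecture's own code: check a DKIM
# public-key TXT record as a receiver does before reporting pubkey_syntax /
# pubkey_unavailable, and derive the queried name from DKIM-Signature (s=, d=).

def join_txt_strings(raw):
    """dig prints long TXT data as several quoted strings: "v=DKIM1; ..." "p=...".
    Only the quoted text is data; stripping quotes naively leaves a space inside p=."""
    return "".join(re.findall(r'"([^"]*)"', raw)) if '"' in raw else raw

def tags(value):
    """Parse a 'k=v; k=v' tag list (used by both the TXT record and the header)."""
    out = {}
    for part in value.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            out[k.strip()] = v.strip()
    return out

def dkim_lookup_name(signature_header):
    """<s>._domainkey.<d>: the selector in opendkim.conf, in the sent letter and
    in the DNS zone must all agree, or the receiver queries a name that does not exist."""
    t = tags(signature_header.split(":", 1)[1])
    return f"{t['s']}._domainkey.{t['d']}"

def check_dkim_record(raw_txt):
    """Problems a receiver would trip over; an empty list means the record is usable."""
    t = tags(join_txt_strings(raw_txt))
    problems = []
    p = t.get("p", "")
    if not p:
        problems.append("p= missing or empty: no usable key (pubkey_unavailable)")
    elif re.search(r"\s", p):
        problems.append("p= contains a space or line break (pubkey_syntax)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            # a 1024-bit RSA SubjectPublicKeyInfo is 162 bytes of DER; shorter cannot be
            if t.get("k", "rsa") == "rsa" and len(der) < 162:
                problems.append("RSA key shorter than 1024 bits")
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("p= is not valid base64 (pubkey_syntax)")
    if "y" in t.get("t", "").split(":"):
        problems.append("t=y test flag set: remove it once signing works")
    return problems

# Constructed stand-in for a 1024-bit key: a 162-byte blob, not a real key.
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
```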
There are also ready-made services that check whether your IP is in blacklists:
http://xseo.in/dnsbl
The result is a table of DNSBL servers showing, for each one, whether your IP is listed.