Thursday, September 11, 2014

If you have trouble with SMTP delivery check PTR, SPF , DKIM and DMARC record of your domain

In last days I've worked on some customer SMTP delivery issue and i like to make a recap on settings I've check and modified..

PTR Record

The PRT record of  the SMTP internet relay is fundamental ! A lot of SMTP server who work as e-mail receiver first check if exist the reverse configuration of the ip address and if not drop the SMTP connection instantly without make any other check! This is because the PTR record isn't usually set on every IP and rarely is set on spammer SMTP servers.

SPF Record

The SPF (sender policy framework) record is a TXT record who declare the allowed IP addres sender by domain. If this record exist the SMTP receiver could check it and drop the e-mail received from others IP address.

For example if you like to set a SPF record who allow all your MX server to send internet mail you could set a SPF like this:
"v=spf1 mx -all"

On other environment if you like to set a IP range of SMTP server from 192.168.0.1 to 192.168.255.255 you could set a SPF like this:

"v=spf1 ip4:192.168.0.1/16 -all"



On this page you could find protocol directive and some examples and  on this page you could find online tool to check your record.


DKIM

Having a validated source of SMTP IP address could not be enough in case of IP spoofing so we could use a DomainKeys Identified Mail (DKIM) record.
To use Dkim your SMTP relay have to digitally sign the headed of every e-mail sent.and the corrisponded public key have to put on internet DNS on a TXT record.

For example on my msbiro.net domain I've created a TXT record named


msbiro._domainkey

with following value :

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4HaRa97JsN7F9Np8bHhmBj06tCiwTucGPiPG5C4bZLmbCu1P5P12fExGzEkmZUy6hd4KwVPQVWgbcFvxZTOs5iA6TzxtQe6QCr2l0EX9AYtP5ykkA3HLlRmhAkmCJTsEh/kEEdLbP3LQ78RVk+E1ZLA//BPrDikRym3/EFvfhKwIDAQAB

v= is protocol version ,
k= is the encription algorithm used
p= is the public key associated on my domain

At this address you could find all info and  on this site you could find a test application to verify your TXT record.

NOTE: the use of DKIM is restricted to the use of an SMTP server that supports this technology. In this case I've used as SMTP gateway Scrollout F1, who is a SMTP appliance released on iso format available though GNU GPL licence.

DMARC

Dmarc (Domain-based Message Authentication, Reporting and Conformance) is another TXT record who could extend the possibility of SPF and DKIM record.
Through the record DMARC you can set a threshold percentage of messages that can fail the checking SPF or DKIM and tell the SMTP server if have to mark the failed e-mail as Junk  (entrusted) or if have to discard them.

The really handy feature of this record is that you set up a mailbox to which the SMTP server that receive messages, send a daily report in XML format containing the violations received on the policy DMARC of your domain.

An example of record DMARC coud be the following,

host :
_dmarc 
valore:
v=DMARC1; p=quarantine; pct=1; rua=mailto:[email protected]

v= is protocol version ,
p= represent the policy is to be applied 
pct=1 represents the percentage of messages subject to filtering and 1 says to monitor all the messages without imposing junk or drop 
rua= tells what address to send the report XML messages that fail the check.


The activation record dle DMARC it is advisable to increase, starting from the monitoring arriving up to 100% of the messages in the drop.

The advantage about implementation of  this record on  monitoring status is that that you can get the record with the sources of e-mails that violate the policy SPF or DKIM and thus be able to know whether to make adjustments to the routing of our e-mails.

On this page you could find the DMARC directive and on here you could find a tool to verify that  .

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.