Enhancing email delivery with SPF, DKIM and DMARC

Captions
Welcome to my channel. In today's video I will talk about SPF, DKIM and DMARC. We will talk about the current challenges in email as a means of communication and the issues with email authenticity and delivery. Managing an email server can be daunting and frustrating, with all the blacklists and delivery issues; it's not an easy task. If an email does not get delivered to a user's inbox, that is a big problem. We will do a deep dive into what SPF, DKIM and DMARC are and their importance, and understand how they can help us enhance email delivery and also combat spoofing, phishing and spamming at the same time. We will also discuss the process to create SPF, DKIM and DMARC entries, and then finally we will jump into a hands-on lab and configure SPF, DKIM and DMARC for a demo domain, and we will also validate our authenticity and email delivery.

Today email is one of the fastest, simplest and most used means of communication. As email has gained popularity over time, spamming, spoofing and phishing have increased and pose a threat to users, while also increasing the challenges in email delivery for legitimate senders. SPF, DKIM and DMARC work together and can be used to prove and protect the sender's authentication as well as the integrity of the email message; they also help us enhance email delivery.

Let's talk about SPF. SPF stands for Sender Policy Framework, and it is an email validation protocol that is designed to detect and block email spoofing. It is a very simple and reliable method to combat spoofing. It is simply a TXT record in the domain's DNS entry that lists all the servers that are authorized to send email for the domain. An SPF record in a top domain automatically authenticates its subdomains. The receiving email server runs a DNS query against the sending domain's SPF entry to verify that the email is sent from an authorized sender.

Now let's take a look at how an SPF record can be created. In order to create an SPF record for a domain you need two things: first, you need to identify all the servers that should be authorized to send emails for your domain; second, you need to determine the action to be taken for the emails that do not match the SPF entry. Creating an actual SPF record is pretty simple: you start with the version of the SPF record, you list all the servers that are authorized to send emails for the domain, and you end with the action for all the servers that are not listed in the policy. In this example rule, v=spf1 means that the SPF in use is version 1; mx means that the mail server, or mail exchanger, for the domain is an authorized sender; a:extra.domain.com means that the servers pointed to by the A record extra.domain.com are also authorized to send emails on behalf of this domain; finally, -all means that all other servers that are not listed in this SPF entry are unauthorized senders.

There are multiple keywords that can be used in an SPF record to authorize senders. The mx keyword allows the domain's mail exchanger, or the mail server listed in the MX record, as an authorized sender. The ip4 keyword allows you to list an IP address or a subnet as an authorized sender. The a keyword allows you to authorize the servers listed in an A record to send emails. The include keyword can be used when you need to authorize an external domain's mail servers as authorized senders. Sometimes you might need to allow third-party mail service providers like SendGrid or Mailchimp to send emails on your behalf; even if you are not managing a mail server for your own domain, you may be using third-party services. For situations like that you can use the include keyword, which allows the external domain's authorized senders to also be your domain's authorized senders. Finally, the all keyword can be used to define the policy for the servers not listed in the record. -all means that all the servers not listed in the record are unauthorized. The tilde sign in front of the all keyword (~all) means a soft fail for servers not listed in the record: the receiving email server may accept the email, but it is likely to be sent to the spam or junk folder. +all allows any server that is not listed in the record to be an authorized sender for the domain; well, I don't think you would want to do that. You can learn more about the SPF record syntax at this URL: openspf.org/SPF_Record_Syntax.

Now let's dive into some details about DKIM. DKIM stands for DomainKeys Identified Mail. DKIM is simply a private and public key pair: the private key is used to sign outbound emails, and the public key is published in the domain's DNS entry as a TXT record. Unlike SPF, DKIM requires configuration on the sending mail server. For this tutorial we will configure Postfix to use DKIM for signing outbound emails. The sending mail server checks the signing table, and if the From header matches the outgoing email, it signs the message and adds a DKIM-Signature header using the private key. Once the message is signed, the content of the message cannot be modified; if the message is altered in any way, the DKIM header will not match and it will therefore fail DKIM validation. This helps ensure that the message has not been altered between the sender and the receiver. When the receiving mail server receives an email, it looks up the sender's DKIM public key in the DNS; if a valid record is found, it decrypts the signature using the public key and compares it against a freshly computed version. If the two values match, the message is then proven to be authentic and unaltered. This is an example DomainKeys DNS entry: the record type is TXT; there is a selector, which is the value in the host field, default._domainkey for this example; the actual record starts with v=DKIM1, which simply means that the record is DKIM and the version is 1; k=rsa means that the key in use is RSA; and p= actually holds the public key for that domain.

Now let's talk about DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It allows senders to publish policies which help the receiving mail servers determine whether they should rely on SPF and DKIM for the domain. It also defines what actions the receiving mail server should take if the email fails the SPF and DKIM tests. When a destination email server receives an email, it looks up the sending domain's DNS entry for a DMARC policy. If a valid DMARC policy is found, then the mail server will take action on the failed emails based on the DMARC policy that is published for the domain. The DMARC policy contains information on where to send feedback; a feedback email report is also sent to the published email address to notify of the action taken by the receiving email servers. Therefore the DMARC policy ultimately helps enforce the email sending policy. There are two types of enforcing mode for a DMARC policy: one is the strict policy and the second is the relaxed. Strict policy means that the signing domain must exactly match the domain in the From address; the relaxed policy, on the other hand, means that the From address can be a subdomain of what is specified in the policy. Like I mentioned earlier, DMARC also has an action policy specified in the record; it can be one of three modes: report-only mode, quarantine mode and reject mode. The report-only mode is specified by the keyword p=none: the email is accepted irrespective of whether or not the policy matches, and a report is sent to the sender. Quarantine mode is specified by p=quarantine: the email is quarantined and normally sent to the spam folder of the recipient. In reject mode, which is specified by the p=reject keyword, the connection is actually aborted and the email will not be accepted for delivery if the policy doesn't match. For all three modes, if you have an email address published in the DMARC policy, a feedback email is sent back. You can start with the report-only mode and then slowly ramp up to quarantine and finally to reject mode after validation and confirmation. Here's an example of a DMARC policy: the record type is TXT, the host field has the value _dmarc, and the actual DMARC policy starts with a v keyword, just like SPF and DKIM; v=DMARC1 just signifies that the record is a DMARC record and the version is 1; p=reject in this case specifies that the DMARC policy is to be run in reject mode; and then rua=mailto:reportemail@sender.com specifies that the feedback emails should be sent to reportemail@sender.com. So the rua=mailto: keyword is where you specify the email address at which you would like to receive the feedback.

Now to the exciting part. I know you've been bored with my talk and have been waiting for this; let's jump into the actual configurations. We will start by creating an SPF record for the domain. Here I'm logged into my DNS control panel. We start by clicking on "add new record" and select the TXT record. For the host field we just put the @, which just means the entire domain. For the value we are going to start with the v keyword, v=spf1, meaning we're using SPF version 1; then we authorize the mail exchanger; then we authorize the A record mail.<demo domain> [the domain name is unclear in the captions and is written as <demo domain> throughout], simply because the mail exchanger is pointed to mail.<demo domain> and not directly to an IP address. Based on my knowledge, pointing the MX record directly to an IP address is a bad practice and some mail servers do not like that, so I have my MX record pointed to an A record which in turn points to an IP address. Because of that, we have to authorize the mail.<demo domain> A record in the list of valid senders. Then we end our SPF with the -all keyword, because we do not want any other servers to send mail for this domain. Now we set the TTL to one minute for this example; you can just leave that at the default, and save it. And that's it for the creation of the SPF record.

You can actually use online tools that are available to generate an SPF record; this MX Toolbox SPF record generator is an example, and then there is also spfwizard.net. So if we use this wizard to create the SPF record for us: allow MX servers, yes; and then mail.<demo domain>; for the action, well, "fail: non-compliant will be rejected". You can see that this wizard also created the exact same SPF record. So it's up to you: you can either manually create the SPF record if you are comfortable, or if not you can use any online wizards or tools that are available to generate an SPF record for you. And that's it for the SPF record.

Now it is time to configure DKIM on a Postfix mail server. I have this mail server ready to go, but if you would like to learn more about how to build an actual mail server you can watch my previous video titled "Build your own mail server for $5 a month". As you can see here we are on a CentOS 7.5 release, and we will be using OpenDKIM to configure DKIM signing on our outbound emails. Since we are on a CentOS server, we can simply run yum install opendkim to install OpenDKIM on our server; let's go ahead and accept. Now that OpenDKIM is installed, we can see that there is an opendkim.conf file in the /etc directory, and it also creates an opendkim directory in the /etc folder, so the /etc/opendkim directory has a keys folder and a couple of other files. Let's start by creating a backup of the original configuration file: cp /etc/opendkim.conf to /etc/opendkim.conf.orig, and we are going to save that; now we should have opendkim.conf and the .orig file. Let's take a look at the default OpenDKIM configuration file. The configuration file is pretty well documented, and you can probably understand the different configuration options just by reading this configuration file. The default configuration file will mostly apply to us and we will make some changes, but I'll start by emptying out the configuration so we can start fresh.

We'll start with a comment line saying "DKIM configuration", just like the default configuration file. We are going to start with the PidFile configuration, PidFile /var/run/opendkim/opendkim.pid; this simply points to the PID file for OpenDKIM. Next we configure the Mode: the default OpenDKIM configuration file has the mode set to v, which means verify, but we are going to update this so we use sv, which means sign and verify. Next we use the Syslog configuration and set it to yes, Syslog yes, so we can log the activities to syslog. We also want to log the successes to syslog, so we'll set SyslogSuccess yes. We also want to enable LogWhy, which will give us some more details about why or why not a message was signed or verified. Then we specify the UserID for OpenDKIM to run as, which is going to be opendkim in this case. Next we define the Socket, which is going to be the default inet:8891@localhost. Then we define the UMask for the socket created; the UMask is set to 002 so that the MTA, or the Postfix mail transport agent in this case, is able to access the socket, because Postfix runs as a non-privileged user. Now we configure OpenDKIM to send a report to the senders if their reporting email address is published: SendReports yes. Then we set SoftwareHeader to yes; this just adds the DKIM-Filter header field to the messages that pass through this filter, and it helps identify messages that have been processed. Then we use the Canonicalization option; this option is set for both the header and the body of the message, separated by a slash, so for example relaxed/relaxed: one applies to the header and the other applies to the body. There are two options: there's the relaxed option and the simple option. The simple option is more strict and does not allow any changes to the header or the body of the message, and can cause problems with mail relays and stuff like that, so it's recommended to set this to relaxed/relaxed; this option allows minor changes to the header and the body of the messages. Then we define the Selector; we just set it to default. We specify the MinimumKeyBits that we want to use, 1024. Now we'll add the OversignHeaders option for the From field; it just helps prevent malicious additions to the header fields, in this case the From header field, between a signer and the verifier. Then we enable the QueryCache for OpenDKIM so it can cache the DNS queries, and we enable AutoRestart just in case OpenDKIM crashes. Next we define the KeyTable, /etc/opendkim/KeyTable. If you remember, there were some files, the KeyTable, SigningTable and TrustedHosts files, created by the default installation of OpenDKIM, so we are just going to point the KeyTable to that same file; the KeyTable simply tells OpenDKIM where to find the keys to sign the messages. Next is the SigningTable; it's going to be refile:/etc/opendkim/SigningTable. The SigningTable directive defines a table that is used to select one or more signatures to be applied to the message; it just tells OpenDKIM how to use the keys mentioned in the KeyTable, and the refile option here means that we can use regular expressions or wildcards in the configuration file. Then we define the ExternalIgnoreList, also going to be refile:/etc/opendkim/TrustedHosts. This directive identifies a set of external hosts that may send mail through this server; let me make sure my spelling is correct. Then we want to define the InternalHosts; this is also going to be refile:/etc/opendkim/TrustedHosts. The InternalHosts directive identifies a set of internal hosts whose mail should be signed rather than verified. Let's go ahead and save it.

Now we need to configure Postfix to talk to OpenDKIM for signing outbound messages. In Postfix's main.cf we'll start with the comment "DKIM configuration". I'll type smtpd_milters and point that to the socket that we created, inet:127.0.0.1:8891; that's the port where OpenDKIM will be listening once we start the service. non_smtpd_milters is going to be the same, $smtpd_milters. Then we set milter_default_action to accept, and end the DKIM configuration. Double check: smtpd_milters, non_smtpd_milters pointed to $smtpd_milters; excellent. So that's it for the Postfix configuration; we'll go ahead and restart Postfix, or reload the changes: postfix reload.

Now that Postfix is configured to use OpenDKIM and the configuration has been reloaded into Postfix, let's go ahead and generate the keys for our domain. We'll go into the /etc/opendkim folder and the keys folder there. Let's create a directory to hold the keys for our domain, <demo domain>, and go in there. We will use the opendkim-genkey command to generate the keys. With the -b option we can specify the number of bits we want to use for our keys; we will use 2048. -d is the directory where we want to store them; actually we are inside the directory so it does not even matter, otherwise we can just go back here and say opendkim-genkey -b 2048 -d <demo domain>. -s is going to be the selector; we'll just use the default selector. You have to remember that whatever selector you use here needs to be used everywhere, including your DNS record. So now if we look at the <demo domain> folder we have two files: default.private holds the private key and default.txt has the public key. Let's cat default.txt; oops, that's inside <demo domain>/default.txt. So this has the actual public key, or actually the DNS entry. If we had a zone file to update we could just simply copy and paste this, but we use a third-party DNS provider, and because we used 2048 bits in the key this is split into two lines, so we have to actually merge them manually. Let me paste it here. So this is going to be the actual selector that we will put in the host field; our DNS entry is actually going to start here; we need to remove these quotes and we also need to remove this line here. So this is actually our DKIM public key, or the DKIM TXT record, that needs to be published. I'm back in my DNS control panel: click on add new record, TXT record, host is going to be default._domainkey, that's it there; for the value we're just going to put this in, and set the TTL to one. So that's it for publishing the DKIM DNS record.

Next we also create the DMARC policy, so let's go ahead and do that as well. For DMARC we are going to do _dmarc, and the actual value is going to start with v=DMARC1; just like SPF and DKIM we specify DMARC and the version number. p= is the policy we want; we can define either none, quarantine or reject, so we're going to do reject in this case. Then you specify rua=, where you specify the email address for receiving the feedback, so we'll do demo@<demo domain>; I actually created that email. And that's it for the DMARC record, so let's go ahead and publish it. So we have the SPF record created, we published the DKIM DNS record with the public key, and we have the DMARC policy published as well. All we have left to do is configure OpenDKIM to actually sign the outbound messages for the <demo domain> domain.

Back to the configuration file, /etc/opendkim.conf: we already have everything configured and ready to go for OpenDKIM, but we still need to configure the KeyTable, SigningTable, external ignore host list and all that, so let's go ahead and do that. Open up the KeyTable, where we will specify what key to use; just like we see in the example, we'll do default._domainkey.<demo domain>, and then <demo domain>:default:/etc/opendkim/keys/<demo domain>/default.private, so that's the location of the private key; save it. Next we configure the SigningTable. If you remember, we configured this as a refile, so we can use the wildcard; we can say *@<demo domain> default._domainkey.<demo domain>. This tells OpenDKIM to sign all emails from the <demo domain> domain, so we'll save that. Now let's take a look at the TrustedHosts; we just need to make sure that localhost is there, and we also want to include our <demo domain> in there. So that's it for the OpenDKIM configuration. Let's go ahead and start OpenDKIM; it's systemctl on CentOS 7.5, I mean service would still work. Let's verify that OpenDKIM is working: we can see that OpenDKIM is listening on port 8891, where we configured our Postfix to communicate with OpenDKIM for signing the outbound messages.

Now that we have finished the configuration of OpenDKIM and the Postfix mail server, let's do some tests and validations. I've got some online tools here. I've got the SPF query tool, where we can query our domain to see if we have a valid SPF record; let's go ahead and do that. We can see that the SPF record validation passed. Let's check the DMARC; we can see that our DMARC record is valid as well. And now let's see if we can validate by actually sending an email to this validation address. We'll send an email to this address: "DKIM, SPF and DMARC for <demo domain>", "checking SPF, DKIM and DMARC for <demo domain>". Let's go ahead and send this email. Looks like "SMTP service unavailable; we are unable to send your email". Let's check what could be wrong. Okay, looks like we did not change the permissions for the keys; let's go ahead and fix that real quick. In /etc/opendkim, the keys folder: if you remember, we configured OpenDKIM to run as the opendkim user; when we created the <demo domain> folder inside the keys directory we did not assign the permissions, so let's go ahead and fix that. We'll make it owned by opendkim, actually do it recursively: chown -R opendkim:opendkim <demo domain>. Let's make sure; okay, so OpenDKIM should now be able to read it. Let's go ahead and try to send that email again. Send it, and now the message was successfully sent. Let's view the results of the email validation: we can see the DKIM signature, we can see that the DKIM result is pass, SPF is pass, and the message is not marked as spam. So we can see that we configured DKIM, DMARC and SPF for our mail server, and we passed everything. This actually validates the authenticity, meaning that the email was sent by the authorized mail server for the <demo domain> domain. So with the proper DKIM, DMARC and SPF configuration it is more likely that the email gets delivered to a user's inbox. There are other factors that affect delivery to the inbox versus the spam folder, but this should help quite a bit.

Now let's see if we can check our score as well. This is mail-tester.com; I kind of use this to check how my email deliverability looks. Go ahead and compose an email to that address: "checking the deliverability for <demo domain>", "testing". Now I'll send it, and let's check our score. You can see that we got 10 out of 10 for our deliverability. It also displays everything: we can see our message, SpamAssassin likes us, we're properly authenticated and it passed: the DKIM signature is valid, SPF is pass, the message passed the DMARC test, and we are not blacklisted. The message could be improved, of course, because there is no HTML version of the message. So there are other additional factors that will contribute to your email deliverability, but this is a good start and can greatly enhance or improve your deliverability. It will also protect your identity: once you have DKIM, DMARC and SPF published in the DNS records, then anyone else sending an email claiming to be you is invalidated, and you are actually protecting your identity. So that's how you configure DMARC, DKIM and SPF for your domain. If you have any questions, leave a comment; if you like this video please like, share and subscribe, and I will see you in the next video. Thank you for watching.
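The SPF mechanisms and qualifiers and the DMARC alignment and disposition rules the talk walks through, as an added example in Python; this is editorial code, not the video's or the speaker's own setup. DNS is replaced by a constructed in-memory zone, and every name and address in it (example.com, mail.example.com, spf.mailer.test, the documentation IP ranges, dmarc@example.com) is hypothetical test data. Relaxed alignment is approximated as "one domain is the other or a subdomain of it", the subdomain rule the talk gives, rather than a public-suffix organizational-domain lookup; redirect= and exp= modifiers are not implemented and are reported as permerror.

```python
"""SPF evaluation and DMARC disposition against a constructed DNS zone.

Added example, not code from the video. All names below are hypothetical
test data (example.com, spf.mailer.test, RFC 5737 documentation IPs)."""
import ipaddress

ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a:mail.example.com include:spf.mailer.test -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("spf.mailer.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("_dmarc.example.com", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=s"
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query: answers only from the constructed zone."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's SPF TXT record, or None when it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().split(" ", 1)[0] == "v=spf1":
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate sending IP `ip` for the envelope-sender domain `domain`.

    Returns pass / fail / softfail / neutral / none / permerror. Terms are
    tried left to right and the qualifier of the first matching mechanism
    decides, which is why `-all` (or `~all`) belongs at the end.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; bound the recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism with no explicit qualifier means pass on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(host, "A")
                          for host in lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # including a missing or broken record is fatal
            matched = inner == "pass"  # only a pass inside the include matches
        else:
            return "permerror"  # redirect=/exp= and unknown mechanisms not handled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term was present


def dmarc_policy(from_domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    for txt in lookup("_dmarc." + from_domain, "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                key, _, val = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment. 's' (strict): exact match. 'r' (relaxed):
    approximated here as one domain being the other or a subdomain of it."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f == a or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the From domain's policy: pass if SPF or DKIM passed *and* is
    aligned with the From domain, otherwise the published p= action."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5"):
        print(ip, check_spf(ip, "example.com"))
    # SPF passes for the bulk subdomain but aspf=s demands an exact match
    print(dmarc_disposition("example.com", "pass", "bulk.example.com", "fail", ""))
```

The third call in the demo is the case that bites people who move a newsletter to a subdomain: SPF itself passes, but with aspf=s the domain that passed SPF is not the From domain, DKIM is absent, and the p=reject policy applies.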
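Added example, not code from the video, showing what two of the OpenDKIM settings in the talk change at the byte level: the relaxed/relaxed Canonicalization setting and OversignHeaders From. It implements the RFC 6376 body and header canonicalization rules, the bh= body hash, and the ordered header string that the b= signature is computed over. Standard library only; the RSA signature itself is not produced, so no key is involved. The sample headers, bodies and addresses are constructed.

```python
"""DKIM canonicalization and body hash (RFC 6376 section 3.4).

Added example, not the video's code. Bodies and headers below are constructed."""
import base64
import hashlib
import re


def canon_body(body, mode="relaxed"):
    """Canonicalize a CRLF-terminated body in 'simple' or 'relaxed' mode."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("canonicalization must be simple or relaxed")
    lines = body.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # body ended with CRLF; drop the empty tail that split() adds
    if mode == "relaxed":
        # collapse runs of SP/TAB inside a line and strip trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()  # both modes ignore empty lines at the end of the body
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def canon_header(name, value, mode="relaxed"):
    """Canonicalize one header field; 'simple' keeps it byte for byte."""
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"\r\n[ \t]+", " ", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body, mode="relaxed"):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def verify_body_hash(received_body, bh, mode="relaxed"):
    """What the verifier does with bh=: recompute over what arrived and compare."""
    return body_hash(received_body, mode) == bh


def header_hash_input(headers, h_tags, mode="relaxed"):
    """Build the header part of the string the b= signature covers.

    `headers` is the message's (name, value) list in message order and `h_tags`
    the names from the h= tag. Each listed name consumes the next unconsumed
    instance from the bottom of the message up; a name listed more often than
    it occurs contributes nothing, which is how OversignHeaders From pins
    "there is no second From header" into the signature."""
    consumed = set()
    out = []
    for wanted in h_tags:
        for idx in range(len(headers) - 1, -1, -1):
            name, value = headers[idx]
            if idx not in consumed and name.strip().lower() == wanted.lower():
                consumed.add(idx)
                out.append(canon_header(name, value, mode))
                break
    return "".join(out)


# Constructed samples: the body as signed, the same body after a relay
# re-flowed whitespace, and a body whose content was actually changed.
ORIGINAL = "Hello world\r\n"
RELAYED = "Hello   world \r\n\r\n"
TAMPERED = "Hello world!\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL, "relaxed")
    print("relaxed survives relay:", verify_body_hash(RELAYED, bh, "relaxed"))
    print("simple survives relay: ", verify_body_hash(RELAYED, body_hash(ORIGINAL, "simple"), "simple"))
    print("relaxed catches edit:  ", not verify_body_hash(TAMPERED, bh, "relaxed"))
    signed = [("From", " alice@example.com"), ("Subject", " hello")]
    print(header_hash_input(signed, ["From", "From", "Subject"]))
```

With h=From:From:Subject, appending a second From header to a signed message changes the header hash input (the injected header is consumed first, from the bottom), so the signature no longer verifies; with a single From in h=, the injected header would be the one signed and the original would go unnoticed.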
Info
Channel: Amit Nepal
Views: 28,887
Rating: 4.9475656 out of 5
Keywords: dkim, dmarc, spf, postfix, mail server, linux tutorial, postfix delivery, email delivery, deliver email to inbox, linux, email
Id: 3Pld4ZQf9s4
Length: 34min 46sec (2086 seconds)
Published: Sat Feb 23 2019