Holy Trinity of e-mail delivery - SPF, DKIM and DMARC explained

Captions
Hello everybody, thank you for coming to this webinar. My name is Robert Hooper, and today I will talk about the deliverability of your emails, something which I call the holy trinity of email delivery. We will talk about the principles of SPF, the Sender Policy Framework, domain keys, and, as a roof on top of those two technologies, about DMARC.

So, on the agenda: the aim of this webinar is to discuss what affects email deliverability, meaning what to do to have my messages delivered. So technically we will not speak about how to block any kind of messages that won't match any of those technologies, SPF, domain keys and so on, but how to do things right to be able to achieve a high percentage of deliverability, for example when you are sending to Google or Yahoo or something like this.

So first we will discuss what is and what is not important in the DNS, because DNS is the glue which holds email delivery together, among other things. The second topic we'll discuss is Sender Policy Framework, which basically tells which server can deliver emails from my domain. The third topic would be domain keys, which basically says whether the email is coming from my domain. And, as I told before, on top of it there is a technology which is called DMARC, which basically says what should happen if any of my records won't match, so if somebody receives an email and either SPF or domain keys won't match.

After this first part we will have some live demo. First we will look at how it is seen by Google. Technically, Google is receiving the emails and is using those technologies to give some points to your emails and say whether it will deliver them or not. I mean, we are discussing the origin of emails, not the content; that's a different story. The second thing would be basically showing how to set the SPF records in the DNS, so I will show you on a live example how and why it could be set. The next thing could be setting your domain keys in the Lotus gate, which is
a mail filtering solution my company provides, and also how to set the domain key signatures in Kerio Connect and Postfix. So, for example, if you are using Kerio Connect, you will see how to do it; if you are using Postfix as your mail relay, you will see how to do it; and if you are using Exchange, Moodle get is one of the software solutions which can help you to sign the outbound messages, because Exchange itself is not able to do it. And last but not least, I will show you, just as a bonus, how incoming SPF and domain keys are handled by Max Mail, which is a cloud-hosted solution for mail filtering from LogicNow, now for a mess of be for our range, and at the end we will put the wrap-up of what we learned today.

So what affects email deliverability? There are basically a few things. First, from where the message came, meaning the machine or the server which originated the message. Second thing, who sent it, meaning some person or company, the owner of the domain. Next, what should happen to it if the owner of the domain claims that this machine can send, and that all my messages, for example, have to be digitally signed. What we will leave apart, out of the scope of this webinar: the next thing which will be taken into consideration is the format of the messages, whether they comply with the RFC, so if the headers are not misaligned or something like this; if it is not spam based on the content, so it's a few of the agar I'll row like so something like this; and of course if it doesn't contain malware. This is something which we will not discuss today, because it is about looking into the content of the message, and this is not the aim of today's webinar.

So, from where the message came. Definitely, if you look at any kind of email server or mail filtering solution, you will find one thing: the IP address which originated the email or which transferred the email to you. The first thing which has to be checked, and usually is, is whether this IP address has a reverse DNS record.
Basically, if you are sending from the IP address 1.2.3.4, the receiving server will probably (it doesn't necessarily have to, it's up to the administrator of the server, but it probably will) check if this IP address has reverse DNS. The reverse DNS record is something which usually is not in your hands, because the IP address is probably owned by your ISP. I'm not discussing this dual situation when you have your own IP range. So usually your IP address belongs to your ISP, and your ISP is kind of responsible for having the reverse DNS, and you are kind of responsible for telling him how to set it. If you don't, there is a chance that the IP address will still have some reverse DNS record, something like ip-number-number, for example, point is PMS or something like this, and you can leave it like this. But if you tell him, for example, "hey, set the reverse DNS record for this IP address to, say, mail.domain.com", you will probably succeed.

The second thing in question: usually the receiving mail server looks at whether this reverse DNS record matches the HELO or EHLO command of your mail server. When it starts communication, the first thing you have to do is to say HELO and send the name, the DNS name, and the receiving mail server will probably check whether this provided DNS name, the FQDN, the fully qualified domain name, is the same as the reverse DNS for your IP. This is the first thing, and this is a thing which is defined in the RFC, so if you don't have this okay, it means that you are probably not able to deliver quite a big percentage of your messages.

Second, and it is not a question of some RFC but a question of filtering, because today's world is full of spam: it will probably look at whether your IP address is on some kind of blacklist or reputation list or something like this. And the receiving server can probably check if there is an SPF record published, which is not mandatory, but if there is, it will look at whether this particular IP address which is communicating with you,
the receiving server, is on the allowed list of the SPF record. An SPF record basically means something like, in big quotation marks, a reverse MX, so it is something like "those IP addresses can send emails on behalf of my domain". So this is the first and really important thing if you want to get your email delivered.

Second, who sent it. It is quite difficult to distinguish who sent it, and the quite common technology, which we'll discuss later, is called domain key, DKIM. And you may question who has signed the message, if anybody, of course. So if there is a domain key record in your DNS, a TXT record for your domain, the opposite side, the receiving side, can check the message, whether it has been signed and, if it has been signed, whether it can be deciphered with the public key which is in the DNS. So basically it means that the owner of the domain is telling "this email has been sent from my domain", so it is not a fake, not a spoof.

The last thing that affects email delivery is what should happen to it. If there is a DMARC record, the receiving server can decide according to it what to do if there is an SPF and/or domain key mismatch, meaning that you can publish a recommendation in your DNS for what should happen if somebody receives an email which is claimed to be from your domain and either the SPF or the domain keys will not comply. So these are the basics of what affects email deliverability.

Another topic is what is and what is not important in DNS. As I told already, mandatory is a reverse DNS record. If you don't have a reverse DNS record, and if this DNS record is not the same as the HELO or EHLO sent from your email server, so something which is called in your mail system the fully qualified domain name of the server, the email would highly probably not be delivered. What is optional is the SPF record, which is telling which IP addresses can send on behalf of my domain; the domain key, which tells, based on the digital signature of the messages, that those messages are
coming from your domain; and the DMARC record, which makes some recommendation about what to do if those two, SPF or domain keys, will not comply. It is optional, so if it is not there, it doesn't mean that your message has to be rejected, no way. But definitely it can help in some ways, as plus points for some email systems, and it can harm: if you publish those records and your own servers do not comply, it can definitely mean that you make your deliverability worse. But if it is set correctly it can help, and it can help calculate the email infrastructure all over the world, so I highly recommend it, and this is the aim of this webinar.

Of course, what is totally unimportant is whether the message came from a mail exchanger, from your MX. I put it into this slide because I've seen recently quite a lot of administrators who really believe that if they send some email from some IP address which is not published as an MX record, it could mean that the IP address will get blacklisted or something like this. It's not true, simply not true. It's normal when you are sending emails from other machines than your MX. Of course, quite often it is your MX, but if you are sending emails, for example, from some specific applications which are hosted somewhere else or something like this, no email from your domain necessarily has to come from your MX. So it is unimportant.

So let's start with Sender Policy Framework. Sender Policy Framework is a way to recognize spoofed emails. The nice thing is that it recognizes spoofed email from your own domain. You probably know something like this from spam, that you are receiving emails from your colleagues or even from yourself, and obviously you didn't send them. This is the way the spammers are trying to obfuscate the mail filtering systems. And Sender Policy Framework is able, because it publishes which IP addresses are allowed to send from my domain, to help you, and it will recognize spoofed emails from your own domain. Definitely, if you
have a correct SPF record, you know your IP addresses, and you receive an email from a different IP address than yours, you can easily consider it a spoof. The question is whether it prevents sending unsolicited emails under my name. Surely no, because anybody can do everything: I can send an email, put your domain, your name, into the header and send anything I would like. But what you can do is publish the information for the receiving side to be able to recognize that. This is the aim of Sender Policy Framework.

How does it work? Technically it's very easy. It's only a TXT record for your domain; in this example the domain is company.com. There are a couple of examples with some explanation. The first one, and you can see it on all the yellow lines: the text is starting with v=spf1, which is the identity of the Sender Policy Framework record, because you can have as many TXT records in your domain as you wish. So if it starts with v=spf1, it means that this is an SPF record, and the rest is the true content of the SPF record. All SPF records end with -all or ~all; in this example there is always -all, and I will discuss the tilde a little bit later. What is in between, in the first example, is the word mx, the letters M X. It means the content, the IP addresses; it is the specification of who can send the email. So if there is the word mx, it means that from my domain only my mail exchangers, the MX records in my DNS which are pointing to my mail servers, can send out emails: those are my mail servers and no others. So if you have, for example, a small organization with Small Business Server, and you are pointing your MX, just one MX, to this machine, this is how to declare that this is the only machine which can send emails from my own domain.

The second example, with a and mx, means that from my own domain only my MXes and the main (there is a mistake, sorry, it looks like "mail A record") main A record of my domain can
send out emails. So this is basically the IP address which the name company.com resolves to. For example, if you have mailboxes or emails at the web hoster, and the web server, the server where you are hosting your web pages, so the web site, can send some notifications or something like this, this is the case when you could do it.

The third example is a little bit more complex. There is again the MX record, which is quite usual, quite often, and the other thing is a, colon, mailers.company.com. That means that my MX again, and all IP addresses with an A record of mailers.company.com, can send out emails. Technically you can make as many A records with the name mailers.company.com as you wish, and this means that any IP which matches will be allowed to send emails. There is a small caveat in this: I have seen implementations of mail filters which were not able to handle this, even though it is quite common. They were not able to handle this correctly, meaning that they simply made a DNS query for mailers.company.com and received the list, but they checked only the first one and that was everything. So if you were sending the email from a different one than the first one, or a completely different one than they chose, because it could be based on round robin, simply picking one of five mailers, for example, this had some issues. So be aware of this, and if you need to publish more IP addresses or more A records, probably the good thing is to list them.

Next is something different: no MX, or not explicitly defined MX, but probably the MXes are in this ip4 network. This is telling the IP addresses which can send emails, and if you are using the CIDR notation, so the /24 for example, this is the network starting with 1 at the end and ending with 254 at the end, so you have 254 IP addresses which can send on your behalf. If you are using only one IP address, set it there without
the slash, it's okay, so you can say ip4 and the IP address. And the last is something which is quite common, particularly today. If you are sending your email from your MX, for example, and are also sending mail blasts, for example with MailChimp or any other vendor who is sending email on your behalf, you can do it this way: you can include a different domain, in this case vendor.com. So in this case email can come from the MX or from anything which matches the SPF record of vendor.com. It expects that vendor.com has its own SPF record and is responsible for maintaining it, so you don't have to take care of the changes in his infrastructure. If he adds or removes or swaps or changes anything on their IP addresses which are sending their emails, this is their own problem, and they probably know about it, but you don't have to. So in this case my MX and anything which is allowed by the SPF record of vendor.com can send email from my domain.

There is another example, if you look back, the same but using the tilde character, and it means something like: from my domain only my mail exchangers can send out emails, those are my mail servers, so far so good, and maybe some others that I forgot about. The thing is that if you are not using -all but ~all, it means that from your perspective as administrator of the domain you are telling that there might be other IP addresses which you probably forgot about or something like this. So you want to tell the administrator: I'm testing this technology, so if it won't match, it doesn't necessarily mean that the email is spam, but it's up to the other side how it will handle this. This is called soft fail. So if you receive an email from an IP address which is not listed in the company.com TXT record, and there is a tilde instead of the minus, it's called soft fail. Hard fail means that you received the email from an IP address which is not listed and there is -all. And technically it means that the
administrator of the receiving side might probably not reject this, but maybe can put it into quarantine or add some smaller amount of minus points to the spam score, something like this, but it's totally up to him. And today I've seen really a lot of permanent uses of this tilde, so I'm afraid that everybody is handling soft fails and hard fails the same way. So personally I don't recommend it for permanent use, and much better is to avoid it completely, because it will not do any good for you, believe me. So this is the way it works.

Another technology: domain keys. It recognizes spoofed emails the other way, not by the IP addresses but by the digital signature. Of course it can recognize spoofed emails from your own domain, and here is again the same question, whether it prevents sending unsolicited emails under my name. The answer is again no, because this is only the next technology which can help you to publish information for the receiving side to be able to recognize whether your email is coming from you or from somebody else. But there is no way to prevent somebody from sending under your domain. This is something which probably cannot be achieved with the current implementation of the SMTP protocol, so don't put too much effort into it, or into believing that you can block somebody from sending in your own name. No, but what you can do is tell the others "this is a spoof, because the email is not coming from me", and this is the aim of domain keys.

How does it work? It uses asymmetric cryptography, and the basic operation is that the sending server, or some of the servers which are on your side, is signing your messages, exactly the part which is not dependent on the SMTP envelope, so the content, with its private key. And you publish the public key and the other supporting information in your TXT record, whose name is in the form selector._domainkey.yourcompany.com. The selector is a name; it doesn't have to be the word
selector; it could be mail, or it could be mail2016, or anything you like, because this is something which is part of the signature, so the receiver can find the proper selector and find the proper public key, which should match with the email server which sent it. Technically there can be more selectors, and probably you will have more selectors. As I told, the reason would be that you have, for example, two different mail servers, each signing with a different private key, so you have to have one selector for one server and a second selector for the second server, with the appropriate different public key. Another reason for having more than one selector is that it is good practice to change the selectors or the keys after some time, whether it is one year, six months, three months or something like that. And there is always a possibility that you will send an email signed by one selector, by one private key, and the receiving server would check the key after you change it, so it would not match. So always, for some time, if you change the keys you should have two selectors, the old one and the new one, just to be sure that the emails which are traveling across the internet will be received, and the receiving part will be able to find the proper key to distinguish whether they are correct or wrong.

There is an example, if you can see it. It is something which looks weird, because it is, yes, the certificate is a puppy. The most important thing is that in this example you can see that the selector name is mail, the domain Tito speedy come to see that, this is the real domain key of my company, and the text is starting with v=DKIM1 and with some other characters, p= something; this is just the key. And this is something which has been generated by the software which is sending the email, so this is not something you have to create. For example, SPF has its own syntax, and it's probably expected that it
has been crafted by you, but this is something which you simply copy from your software. We will see it in the practical example.

If we should compare SPF and domain keys, there are some differences in what each exactly does, and each of them has its pros and cons. Sender Policy Framework allows you to recognize whether the sending server is known to the admin of the sending domain, because if you know it is your server, you will include it in your SPF record. The pros of SPF: it is very easy to deploy, because there is nothing to configure on the email server. In this case we are discussing sending emails, not filtering mail based on SPF; that's a different story and not what we are discussing today. We are discussing how to send emails so that others are able to recognize that the emails are valid. And for the administrator it is enough to know which servers are ours: this is my server, this is my server, this is my server, so I put those IP addresses into my SPF record and I'm done.

The cons: the issue is that it depends on the transit servers. It means that if your server is sending the email to the MX record of the other machine, it's probably okay, if it is the receiver. But if there is some smart host, you have to include your smart host, and the smart host does not necessarily have to be yours; it could be your ISP's, for example. What if your ISP changes something? For example, you send it to the smart host, but the ISP is so big that it will decide to route it through four other mail servers and you don't know about it. That is one issue: you have to know everything from your side up to the MX. The MX itself, on the receiver side, is another issue, but it has to be solved by the receiver, not you. But all servers which are in your smart host chain have to be known to you.

Another thing is that whenever a message is forwarded, SPF breaks. So if I receive an email on my free mail, for example, and I decide just to forward everything, quite often it is done as just forward, and it leaves the SMTP envelope as
it was. So some other server is sending email to the mail server I want to forward my messages to, and they leave the original domain, company.com in our example. You don't know about it, you can't do anything about it: you simply send the email to othercompany.com, and othercompany.com forwards the email and says "hey, this is email from company.com". Technically it means that if the final recipient receives the email and checks SPF, it has information that the domain was company.com, but it came from the IP addresses of a different company, which were not in my SPF record, so it breaks. This is something which is partially solved by the Sender Rewriting Scheme, but again it means that every server must be set up correctly, and you don't always have it in your hands. So those are the cons of SPF, but generally it works.

Domain keys allow you to recognize whether the message itself comes from a server which is managed by the admin of the sending domain. So it doesn't care about the machines which were in transit; if the message itself, the content which has been signed, has not been tampered with, it means that it's okay to believe that the email is coming from the originating domain. The pros: as I told, it's transit-server independent, so if you forward, it doesn't break anything, because the content is not changed. And it's basically impossible to spoof, because it's using asymmetric cryptography, which has probably been a standard for some time, I hope.

The cons: every server, or at least one in the chain of my servers which are sending messages, has to be able to sign the messages, because the digital signature is put into the headers of the mail itself. So it has to be properly configured and has to run software that supports domain keys. If it doesn't support domain keys, there is no way to make the signature, and there is no point in publishing a public key in your DNS; it doesn't make sense, because if the messages would not be signed, it would mean
for the recipient that the messages are spoofed. So you have to configure your mail server to digitally sign messages with the domain key system, and that means that you have to have software which is able to do it. As I told, Exchange is not able to do it.

And DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance, and it combines Sender Policy Framework and domain keys. From the sending perspective it is good to know that there is nothing to configure on the server. It's a similar situation as with SPF, because it's just a DNS record which is telling how the receiving server should handle a message which would or would not comply with SPF and/or domain keys. So basically, what to do if I receive an email from a domain which is publishing SPF and domain key records and some of them will not comply. And DMARC is, as you can see, just _dmarc. topi become deceivers in my particular case (the underscore is important); it starts with v=DMARC1, and the other things could be crafted by you, but I will show you in the demonstration the web software which creates it for you. And it is telling, in this particular case, that if any of SPF or domain keys would fail, you can quarantine the message and send the forensic reports to some mail address. So this is DMARC: it tells the recipient what to do if something fails, because of SPF or because of domain keys.

How does it work? As you can see in the picture, you can see the normal way everything works. The author composes the email, the sending mail server has to insert the domain key header, and the email is sent to the receiver. Here you can see that the mail server does the standard validation tests, so via DNS, IP blocklists, reputation and so on, and after it has actually received the email, it will retrieve the domain key from the DNS, it will retrieve the envelope from via the SPF system, and it looks into the DMARC policy what
to do with it. If everything is okay, it passes to standard processing; if it's not, it can quarantine or send a failure report to the sender, and it also updates the periodic aggregate reports to be sent to the sender. So this is a nice thing about DMARC: I, as the owner of the domain, can receive from the receiver some kind of forensic and aggregate reports which tell me what happened. So I can see that there has been some mail which came from, for example, this IP, and if it's not in my SPF, I can do something about it: I know this IP, I just forgot it at some point. So this is very, very nice to have.

So right now let's go for some live demo. This is the real situation on my P become the fifth domain. Just for description: you have a PC, mail on the Kerio Connect server, which is sending the emails to the Max Mail server from LogicNow, which is our cloud filtering solution, and afterwards it is sent via the Internet to the recipient. So this is one chain: if I use my Outlook or web client to send an email, it will go to Kerio Connect, which will pass it to Max Mail, which will put it on the Internet and deliver it to the intended recipient.

The other thing is that we are occasionally sending newsletters, so we are using phpList, which is software running on a specific Debian server, and this machine is sending the emails for the members of the list to Postfix, whose name is SMTP pp common line of seizes, and this machine is sending the email via the Internet to the recipient. And there is another thing which you can probably use in your own company: there are some notifications, for example from UPSes or routers or MFPs or scanners or something like this, which send email not from a traditional client like Outlook, but they are sending email, so I'm sending it through the smtp become online to see that, which is the Postfix server I'm running, and it is sending via the Internet to the recipient. So this is the situation, and right now let's take a look at what is going on. The first
thing is how Google sees it. If you send the email and you are not using any of those technologies, you added copy you can see that Google simply tells: okay, email from so that over FC become diseases, subject, that's all. This is my email address at Gmail. So Google is telling this is being happy.

If you are using Sender Policy Framework, this is another example. This email has been sent from a mail server which has the Sender Policy Framework record set. So if you look into this information, there is another thing, which is "mailed-by" P beacon diseases. This means that Google has recognized that the SPF record exists and it matches. If you look into the original here, you can see the SPF pass with the address, this IP (this is the Max Mail protection, I will say), and if you look into the headers you can see the Received-SPF pass header, which has been put into this message by Google itself: basically, the domain we become the Caesars designates this IP address as permitted sender. So this is good.

Now, if you are using Sender Policy Framework and domain keys, and you look at the details of the message, you can see that the message has been "mailed-by" to become the success, which technically means that there is an SPF record, and the message has been "signed-by" P become the feeder. And if you look into the original, to complete the information: SPF pass with IP, and the domain key pass with the domain t become diseases. And if you look into the headers you can see again SPF pass and domain key pass, and if you look further you can see the domain key signature has been signed by the key and it is valid. So it means that we are happy, because we sent the email from the correct IP address and the content of the email is signed correctly with the domain key. So Google recognized it, and I believe it adds some plus points in their email filtering. The other thing
is if you are also using DMARC. Those are the tags for me to recognize it; this is not the way Google is telling you this deadliness be able to maintain records, yes, this is my own tagging just for the sake of this webinar. So if I look into this mail message, which has been sent with the DMARC record set, you can see that the details are the same, but if you look into the original you can see Sender Policy Framework pass, domain key pass and DMARC pass, and you can see in the headers not only the domain key signature but also that DMARC passed. So basically it means that if the SPF passed and the domain key passed, there should be a pass on DMARC if it has been set, and it has been set.

There is one thing. If you remember, I told you that I'm using the Kerio mail server, and the Kerio mail server is using a selector whose name is mail, as you can see here. So the Google server has been able to look into the correct selector, so the correct key, and the message passed. There is another mail server, which is called SMTP to see become online.com, and I will show you later that there is a different selector. So if I do an nslookup with -q=txt, so TXT record, and I look into mail._domainkey. the silicon diseases, this is one key, and if I use the different selector, smtp, there is a different key. So this is telling that the mail selector complies, because it has been sent from the Kerio mail server. There is another message, the same as here, but this has been sent through the SMTP server with Postfix, as I told you, and if you look into the message original, again everything passes, but what you can see is that right now the selector used has been smtp. So this is the way the recipient can find that the messages are okay, even though they are using different private and public keys,
detection because you can have as many selectors as you wish in the domain just for your information if you look into the into the SPF record go jump the pxq record for the domain to become the see that you can see that we are allowing sending emails from this subnet this fix the IP addresses where I am connected technically really I have to be honest this is not necessary to have this this is just for me if I would like to send something directly outside from my own server but usually it is not necessary the second IP range is the range which belongs to me at the hoster side basic for example the machine where SMD video CD come online of seizes the results and if you look there there are three includes SMTP router comb SMTP outcome it is the logic now logical max mail servers and another thing is mail photos cloud which is my my own mail filter in the the Internet and if you look into the for example SMTP l.com there is other list of IP addresses which can send the email via but if is something which is not maintained by myself this is maintained by this is maintained by logic nowadays some of my progress so this is how Google is seeing this and what if what if set in my DNS wire fit exactly this in DNS because this is the domain T of my carrier mail server so I will briefly show you how is it's done with caramel so because it's really really easy if you are using carrier mail servers you simply say ok there are some domains so if I look into D 20 become to see that there is I'm sorry maybe this would be better ah so if I look into the domain my domain C becomes of Caesar it's a public key and the old setting is just check that final going messages and care your mail further will create the selector mails predefined you cannot do anything about it and so it does you basically create this in your DNS mail the domain key to see become the Caesars you can see this is this one and put this value as well txt value of the domain all of the beads txt record will appear 
just exactly this that's all then I think on the on the carrier mail server is that if you check this and will not set the public key correctly or almost obsessive or you set it but it would take some time when it propagates to the internet or something like this caramel para will not sign the messages unless it is able to see in the during the DNS that your public key is set correctly it's very nice that's all on the caramel sacrifice now if you remember I have if you remember you should remember I have another think newsletters and other notifications and through Postfix so the Postfix configuration here is quite easy if you look into the ECC there is a very good how is the call for service called open domain keys over the key key I am so it has been installed by this install open that way ah I will not install it again because it's already there so if everything you have to do to get it installed on your Ubuntu or Debian like systems if you look into the configuration of the open domain keys you can oh sorry so the awesome you can see that there is some practical signing table and key table if you look into this ended directory which is called key this directory cookies contains the subfolders with the with the private and public keys we have been generated for sake of the signing of the of the email and if you look into the key table you can see that the goal domain and those selectors can be found in those files of course I will not show you the private keys here another thing is the signing table so if you look into the signing table there is sold it if there is anything which came from domain after its PB cannot see that it should use this key SMTP domain to Descamps the class and if you look into the trustable it means that those those IP addresses are trusted so if the message came from this domain and it is from this IP address or defi PSS that means that it is okay to sign it is because it would not be fine if it would not be set there anybody from the 
outside could send to your mail server and the message would be signed if you would be mail realized another question so this is the configuration of open domain key to put it into the into the operation you have to do it you have to ready you have to put it into your Postfix it's quite easy there is another thing it's running like a motor under user ID domain open domain keys open domain key to open in open the him on this pocket and if you look into the Postfix configuration you can simple see that there is another protocol access than this is to forget you have seen over there before and that's all that's all so you think domainkeys on Postfix very very easy and it took me some I would say 15 minutes with zero knowledge how to do it so I believe that you can do it too so Exeter I think I prove it to you now last thing is just for information that the other side receiving side can handle the FPS domain key resource and because the domain keys are new in handling in maximum protection I will show you briefly how easy it is on the other side to cut the things up so if I want to filter based on domain keys and SPF and if I'm using Mac's mail from logic now now allowing I can do it as wave moment I will select the domain I loaded you so I'm in domain typical deceiver the destination ourselves so we are selling emails there this is not important but what is important is simple filtering for the purpose of our demo and if you look advanced option surgery for a difficulty working is advanced options no additional blocking rules so that's it there is an SP an anti-smoking domainkeys and if you look this this is how you should treat heart failure for sales standard filtering official this is the default setting what I do is that if anything fails I should read suspend maybe I can say three dis efficient so it is setting for blocking SPF or validation or the emails which fail SPF validation and the same thing is with the domain key this is the default setting I can say okay if 
I receive email which will fail the domain in settings I will treat this success that's it full thirty last thing is to wrap it up a house today send the verification more and more important and more and more requested sir because the big players consider is as a way how to eliminate unsolicited email for their customers and big players in email think I mean specifically Yahoo up mails Google are treating your messages better if they comply with those standards you are getting platform it doesn't mean that you can there you can send correctly your SPF record your domain key for your DMARC records and then sends a nice-looking sense it doesn't look like this as I told still means that they will look into the content everybody will look into the content but this is something which at least me that it can help and prevent sending to bulk emails with the big spam bot zombie machine from half of the China sending the hundreds and hundreds thousands messages their minutes just to flood the internet service fan so if we all would use the SPF domain keys and DMARC I believe that it would be almost the end of the spam at least in the form we know it's like now SPF is the technology which verifies the sending server which is okay but you have to know you have to be aware that it's not always in your hand remember for example the forwarding domain keys it's in my opinion much better verifies the authenticity of the message itself so it really means that if I am have domain company.com and I'm signing my messages and I'm publishing my domain key records in the DNS the recipient can easily say okay company.com send it this email so if I will turn spam from my come from my domain it would be enough to just say okay blockless company.com and I prefer DMARC in for the recipient how's it supposed to handle messages which will not pass the SPF or domain key check and describe the mechanism how to inform this administrator the sending domain this some facilities and fast this 
is what I think I wanted to show you I forget if you go to the dmarc.org there is a bunch of information how it works our students also but what I like very much and which watch is super super convenient is this in deployment tools there is a DMARC record generator and oh not to one I like this one and if you tell your domain say that your policy should be quarantine if anything fails and say ok send the aggregate and forensic report to this email address and say failure reporting options if you look into the RFC you can probably see that the default is if both fails if any of them fails and this is Demark fails pc FPS fails so you can say ok if both of them fail so for any of them fails you can say for them like this domain key could be 3 XPS could be relaxed report format supported something which is not as important to me just for master of the XML which is coming you can say the policy of the percentage means that if you are starting you can say okay if everything would be okay I can leave it the default 10% but I can start for example sin of 25% so the recipient can apply the policy only on a quarter of the mail is mail from my domain for example and so I can say that there is no subdomain policies for example from newsletter does he become feasible something like it and if I click a get DMARC record I will receive exactly what I have in my in my here so if it's a very nice thing I recommend you to start with DMARC with leaf generator because it's really really easy to use if you if you want to know more the good idea to read this RFC quite long it is very very nice 3d okay so this is the DMARC and the last important thing is that by publishing to the DMARC record there is no obligation for the recipient to deliver message so you cannot say that i send a message or check so far so good be modest to pass it doesn't mean that the the recipient has to deliver it's up to him on receiving the email I can look into the record I can keep the record from 
consideration but it's up to me what I should do with it please keep this in mind thank you thank you for your time thank you for coming I believe that I hope that you can bring some new information to your professional life and maybe start setting up the domainkeys or SPF record for your domains or even the DMARC if you have any questions feel free to send me an email call me here are the other links with the information about the products or services i'm use i've used during presentation specifically i would fall into the DMARC record generator which is very nice which is what you just seen how to create the DMARC record without without reading the whole RFC and hope that we can hear each other later I believe that very lots to fix on the email delivery so thank you have a nice day and enjoy
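Added example, not part of the talk or its slides: a small Python sketch of how a receiver could read a DMARC record like the one the generator in the talk produces (quarantine policy, 25 percent, aggregate and forensic report addresses) and decide what to do with a message. The function names, the sample record and the example.com addresses are constructed for illustration; the defaults and the pct fallback follow RFC 7489.

```python
POLICIES = ("none", "quarantine", "reject")          # ordered weakest to strongest
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}  # RFC 7489 defaults

def parse_dmarc(txt):
    """Parse the TXT value published at _dmarc.<domain> into a validated tag dict."""
    tags = {}
    for pair in (p.strip() for p in txt.split(";")):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p is mandatory
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    tags = {**DEFAULTS, **tags}
    tags.setdefault("sp", tags["p"])     # subdomains inherit p unless sp is set
    if tags["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim and aspf must be r (relaxed) or s (strict)")
    if not tags["pct"].isdigit() or int(tags["pct"]) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo accepts only 0, 1, d and s")
    return tags

def disposition(tags, spf_aligned, dkim_aligned, subdomain=False, sample=0):
    """Return 'pass' or the policy the domain owner requests for this message.

    spf_aligned / dkim_aligned: the check passed AND its domain aligns with From.
    sample: a per-message number in [0, 100) chosen by the receiver for pct.
    """
    if spf_aligned or dkim_aligned:      # one aligned pass is enough for DMARC
        return "pass"
    policy = tags["sp"] if subdomain else tags["p"]
    if sample >= int(tags["pct"]) and policy != "none":
        # outside the pct sample: fall back to the next weaker policy
        policy = POLICIES[POLICIES.index(policy) - 1]
    return policy

# Constructed sample record (addresses are placeholders)
SAMPLE = ("v=DMARC1; p=quarantine; pct=25; fo=1; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com")
```

The result is only what the sending domain asks for; the receiver still decides on delivery itself.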
Info
Channel: PB Com
Views: 20,899
Rating: 4.8936172 out of 5
Keywords: e-mail, spam, spf, dkim, domainkeys, dmarc, google, postfix, linux, mailserver, example, 101, pbcom, smtp, rfc
Id: 3BV7z1Pi89Q
Length: 71min 22sec (4282 seconds)
Published: Tue Mar 07 2017