[BlueOnyx:26727] Re: DKIM

David Hahn blueonyx at sb9.com
Sat Jan 27 17:23:50 -05 2024


Here are my notes. Hope they help. I test from www.t-e-s-t.net.

*DMARC*
Domain-based Message Authentication Reporting & Conformance (DMARC) is an
email security protocol. DMARC verifies email senders by building on the
Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender
Policy Framework (SPF) protocols.

DMARC requires DKIM and SPF to be in place on the domain's email server and a
DMARC record to be published in the DNS. The DMARC policy process, also known
as DMARC domain alignment, enables the email domain policy to be shared and
authenticated after the DKIM and SPF status has been checked.

*DMARC Report Providers*
Report providers send reports about all email that was checked for
authentication as an XML digest. The report aggregates the data for a certain
time period, which is much better than sending individual reports for each
event. Email providers typically send the aggregated report once per day,
although these policies can differ from provider to provider. The report
comes as an attachment in a compressed file format, normally .gz or .zip. The
uncompressed content is an XML file.

*What is a DMARC Record?*
A DMARC record is included within an organization's or domain owner's DNS
database, and is a specific version of a DNS text record (TXT record). The
full DMARC record looks similar to this:
'*v=DMARC1; p=none; rua=mailto:a at a.tld; ruf=mailto:f at f.tld; pct=100*'.

The various sections within the DMARC record signify:
1. v=DMARC1: The DMARC version specified.
2. p=none: The domain owner's DMARC policy, or preferred disposition of any
   email messages.
3. rua=mailto:a at a.tld: The email address to which aggregate reports
   should be sent.
4. ruf=mailto:f at f.tld: The email address to which forensic reports
   should be sent.
5. pct=100: The percentage of email to be subjected to a DMARC policy
   disposition.

FYI: 100% of email that fails a DMARC test should be rejected by the server.

*DMARC Domain Alignment*
Domain alignment is a DMARC concept that matches the domain of an email
against SPF and DKIM. A DMARC record can have varied strictness of DKIM
alignment, which affects whether messages will be allowed to pass through the
DKIM process. The alignment can be either relaxed, which matches base domains
but allows different sub.domains, or strict, which precisely matches the
whole domain.

The 2nd kind of DKIM test is alignment. In basic terms, an alignment test
verifies that the organizational domain matches (aligns) in several areas.
To achieve DKIM alignment, the header visible to the email receiver must
match the aforementioned d= domain in the DKIM header. By default, this match
looks for the primary domain to match between the two domains, which means
messages that contain a sub.domain should align.

*What are DMARC p= Policies?*
The policy a domain owner uses in the DMARC record tells the receiving email
server what it should do with email that fails a DKIM and/or SPF check but
claims to be from the domain. The three policies available, signified by
'p=', are:

None
Signified by 'p=none,' this advises the receiving server to perform no action
when receiving an unqualified email. However, the server should send email
reports to the rua= and/or ruf= email address in the DMARC record.

Quarantine
Signified by 'p=quarantine,' this advises the receiving server to quarantine
any unqualified email. As a result, the email will typically reach the
recipient's SPAM folder.

Reject
Signified by 'p=reject,' this advises the receiver to deny unqualified email
messages. It ensures only email messages that are 100% verified as being from
a domain will reach the inbox. Email that fails the checks should be denied.

*SPF Alignment*
Alignment is the 1st SPF test, which consists of checking whether the sending
domain in multiple parts of the message headers matches. To achieve SPF
alignment, the header visible to the email receiver must match the domain
used to authenticate SPF: the envelope 'mail from:' domain. By default, this
match looks for the primary domain to match between the two domains, so a
message that contains a sub.domain will align, as is the case with
authentication.

*SPF Authentication*
SPF can be evaluated via authentication and alignment. An outbound email
should pass SPF authentication when delivered from an IP address published in
the SPF policy for the domain found in the 'mail from' envelope. Essentially,
the IP address that sent the email must match an IP address published in the
SPF record for the domain.

*Complying with DMARC through DKIM*
For an email to comply with DMARC based on DKIM, both of the following
conditions must be met:

1. The message must have a valid DKIM signature.
2. The From address in the email header must align with the domain in the
   DKIM signature. If the domain's DMARC policy specifies strict alignment
   for DKIM, these domains must match exactly. If the domain's DMARC policy
   specifies relaxed alignment for DKIM, the domain can be a sub.domain of
   the From domain.

*Complying with DMARC through SPF*
For an email to comply with DMARC based on SPF, both of the following
conditions must be met:

1. The email must pass an SPF check.
2. The domain in the From address of the email header must align with the
   MAIL FROM domain that the sending mail server specifies to the receiving
   mail server. If the domain's DMARC policy for SPF specifies strict
   alignment, the From and MAIL FROM domains must match exactly. If the
   domain's DMARC policy for SPF specifies relaxed alignment, then the MAIL
   FROM domain can be a sub.domain of the domain in the From header.

*TIPS & FYI:*
You can check your domain's DMARC alignment for SPF by typing the following
command at the command line; replace example.com with your domain:
*nslookup -type=TXT _dmarc.example.com*

*Email Headers*
Return-Path: user at subhost.domain.tld <==MAIL From
From: user at subhost.domain.tld <==ENVELOPE From
Received: from subhost.domain.tld (subhost.domain.tld. [252.252.252.252])
Reply-To: user at subhost.domain.tld
To: user at subhost.domain.

pct= is an optional DMARC tag that takes a plain-text integer between 0 and
100, inclusive. If this tag is not used, 100% of failed messages are subject
to the DMARC published policy for the domain.

*Summation*
SPF and DKIM protocols are necessary to attain DMARC compliance. Sub-components
of the protocols, authentications, and alignments must pass all respective
tests for the outbound email setup to reach 100% DMARC compliance and intended
users.

DMARC combines these two standards into a common framework. It enables domain
administrators to set rules on how to handle email from a domain if it fails
authentication.

DMARC, DKIM, and SPF are all protocols relating to different areas of email
authentication. SPF enables senders to define the Internet Protocol (IP)
addresses that are allowed to send email from a domain. DKIM verifies the
email message using a digital signature and an encryption key, ensuring the
email message cannot be altered or spoofed in transit.

The SPF, DKIM, and DMARC records request that the email server send Extensible
Markup Language (XML) reports to the email address associated with the
records. A DMARC report provides information about how email moves through a
system and enables users to identify the email traffic that uses the email
domain.

-- 
Best regards
David Hahn
_______________________________________________

On 1/27/2024 5:26 AM, Richard Sidlin via Blueonyx wrote:
>
> Guys
>
> Staying on the subject of DKIM. I think I set it up properly but when 
> I do a test either on one of the online checkers or looking at the 
> Gmail headers, it states FAIL.
>
> 5210R. OpenDKIM is enabled and a couple of DKIM aliases, hostname of 
> default._domainkey, domain name of the DNS TXT Record set and the TXT 
> record that is:
>
> v=DKIM1; k=rsa; 
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZqcsl8kAZREYi+KatsmFL35XTGYZuAEO3baCGHSXFZ+DzpHs3SNtczldMFCZybgU/n+hlXQlE1Pca0wiiPkbYIxd813CRhh+URkuPLZcQGFeJK08v4OBS3j6SnjaYq/2evvbe4b8NuwqfSV8lzwcsFP39yJZVngi0em2fuD5VQIDAQAB
>
> On a separate 5210R server that I use for DNS, I added a TXT record:
>
> Under Query:
>
> default._domainkey . racesonline.uk
>
> Type:
>
> TXT
>
> Response:
>
> v=DKIM1; k=rsa; 
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZqcsl8kAZREYi+KatsmFL35XTGYZuAEO3baCGHSXFZ+DzpHs3SNtczldMFCZybgU/n+hlXQlE1Pca0wiiPkbYIxd813CRhh+URkuPLZcQGFeJK08v4OBS3j6SnjaYq/2evvbe4b8NuwqfSV8lzwcsFP39yJZVngi0em2fuD5VQIDAQAB
>
>
>
> https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=2cd2b490-c533-4f46-9135-10335cf9ff51
>
> Can anyone point me in the right direction please?
>
> Thanks
>
> Rich
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx

-- 
---
TIA
David Hahn - PageKeeper Service
----
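As an added example (not code from this thread, the BlueOnyx project, or OpenDKIM), here is a small Python DMARC evaluator covering what the notes above describe: parsing the _dmarc TXT record, the relaxed/strict alignment rules for SPF and DKIM, and the p=/pct= disposition. The domains, record strings and AuthResult values are constructed; the organizational-domain lookup is a simplification (last two labels), where a real receiver consults the Public Suffix List.

```python
"""Added example, not from the BlueOnyx thread or project: a minimal DMARC
evaluator. It parses a _dmarc TXT record, tests SPF and DKIM identifier
alignment in relaxed ('r') and strict ('s') mode, and applies p= and pct= to
pick a disposition. Organizational-domain lookup is simplified to the last two
DNS labels (assumption; a real receiver uses the Public Suffix List)."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("DMARC record requires a p= tag")
    # Defaults from RFC 7489: relaxed alignment, policy applied to 100% of mail.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact match, relaxed only
    requires the same organizational domain (so sub.domains align)."""
    h = header_from.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return h == a
    return organizational_domain(h) == organizational_domain(a)


@dataclass
class AuthResult:
    header_from: str   # domain of the visible From: header (RFC5322.From)
    spf_pass: bool     # raw SPF result for the MAIL FROM domain
    mail_from: str     # envelope MAIL FROM domain (RFC5321.MailFrom)
    dkim_pass: bool    # a DKIM signature verified
    dkim_d: str        # d= of that signature, '' if none verified


def evaluate(record: dict, r: AuthResult, sample: int = 0) -> dict:
    """DMARC passes when SPF or DKIM passes *and* aligns with the From domain.
    `sample` stands in for the receiver's random draw in [0, 100): the policy
    applies when sample < pct, otherwise the next weaker action is used
    (reject -> quarantine, quarantine -> none), as RFC 7489 specifies."""
    spf_ok = r.spf_pass and aligned(r.header_from, r.mail_from, record["aspf"])
    dkim_ok = (r.dkim_pass and bool(r.dkim_d)
               and aligned(r.header_from, r.dkim_d, record["adkim"]))
    passed = spf_ok or dkim_ok
    policy = record["p"]
    if passed:
        disposition = "none"
    elif sample < int(record["pct"]):
        disposition = policy
    else:
        disposition = {"reject": "quarantine", "quarantine": "none",
                       "none": "none"}[policy]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "pass": passed, "disposition": disposition}


if __name__ == "__main__":
    # Constructed cases: the From domain is example.com; mail relayed by
    # mail.example.com (a sub.domain) passes relaxed alignment, not strict.
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:a@a.tld; pct=100")
    good = AuthResult("example.com", True, "mail.example.com", True, "mail.example.com")
    print(evaluate(rec, good))
    spoof = AuthResult("example.com", True, "bulk-sender.net", True, "bulk-sender.net")
    print(evaluate(rec, spoof))
```

The useful check for a "FAIL" like the one in the quoted message is `aligned()`: a signature that verifies but carries a d= that is neither the From domain nor, under relaxed mode, a sub.domain of it still fails DMARC, which is what Gmail reports.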

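The aggregate (rua=) report described in the notes is an XML document delivered as a .gz or .zip attachment. As an added example, not part of the original post or the BlueOnyx project, the Python below unpacks such an attachment and totals the aligned pass/fail counts per source IP. The report body SAMPLE_REPORT is constructed for this example and uses only documentation domains and addresses; real reports follow the same feedback/record/row layout.

```python
"""Added example, not from the BlueOnyx thread or project: unpack a DMARC
aggregate (rua=) report attachment and summarise it. The report below is
constructed for this example; element names follow the aggregate report
schema (feedback / report_metadata / policy_published / record)."""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: 12 aligned passes from the domain's own relay and
# 3 failures from an unrelated host, under a p=none monitoring policy.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <email>dmarc-noreply@receiver.example.net</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1706313600</begin><end>1706399999</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim>
        <spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim>
        <spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>spammer.example.org</domain>
      <result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def open_report(blob: bytes) -> bytes:
    """Return the XML bytes from a .gz, .zip or bare-XML attachment."""
    if blob[:2] == b"\x1f\x8b":                 # gzip magic
        return gzip.decompress(blob)
    if blob[:2] == b"PK":                       # zip magic
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".xml")]
            if len(names) != 1:
                raise ValueError("expected exactly one .xml member in the zip")
            return zf.read(names[0])
    return blob                                 # assume bare XML


def summarize(xml_bytes: bytes) -> dict:
    """Total the per-source counts. policy_evaluated/dkim and /spf already
    hold the *aligned* DMARC results, unlike the raw auth_results block."""
    # Reports come from third parties: parse with defusedxml in production.
    root = ET.fromstring(xml_bytes)
    meta = root.find("report_metadata")
    pol = root.find("policy_published")
    summary = {
        "org_name": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": pol.findtext("domain"),
        "policy": {"p": pol.findtext("p"), "adkim": pol.findtext("adkim", "r"),
                   "aspf": pol.findtext("aspf", "r"), "pct": pol.findtext("pct", "100")},
        "total": 0, "passed": 0, "failed": 0, "failing_sources": Counter(),
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        summary["total"] += count
        if ok:
            summary["passed"] += count
        else:
            summary["failed"] += count
            summary["failing_sources"][row.findtext("source_ip")] += count
    summary["failing_sources"] = dict(summary["failing_sources"])
    return summary


def demo() -> dict:
    """Pack the sample both ways a provider might send it, then summarise."""
    gz = gzip.compress(SAMPLE_REPORT.encode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("receiver.example.net!example.com!1706313600!1706399999.xml",
                    SAMPLE_REPORT)
    return {"gzip": summarize(open_report(gz)),
            "zip": summarize(open_report(buf.getvalue()))}


if __name__ == "__main__":
    print(demo()["gzip"])
```

The failing_sources map is the part worth watching while a domain sits at p=none: addresses that keep failing and are not yours are what p=quarantine or p=reject would act on.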
