Sample: Google Apps Setup

1. 创建SPF记录

创建 SPF 记录 http://www.openspf.org/SPF_Record_Syntax

创建如下：

openwebsecurity.org.	2285	IN	TXT	"v=spf1 include:_spf.google.com ~all"

查询并解释：https://dmarcian.com/spf-survey/

测试小工具：http://www.kitterman.com/spf/validate.html

超强测试工具：http://mxtoolbox.com/spf.aspx

Google IP 地址范围：https://support.google.com/a/answer/60764?hl=zh-Hans

2. 配置DKIM

使用域密钥对电子邮件进行身份验证 - 启用电子邮件签名功能

DKIM检查工具：http://protodave.com/tools/dkim-key-checker/

3. 创建DMARC记录

创建 DMARC 记录

创建如下：

_dmarc.openwebsecurity.org. 3599 IN	TXT	"v=DMARC1\; p=none\; rua=mailto:hatter@openwebsecurity.org\; ruf=mailto:hatter@openwebsecurity.org"

查看并解释：https://dmarcian.com/dmarc-inspector/

生成DMARC小工具：http://kitterman.com/dmarc/assistant.html

电子邮件身份验证

当您获取邮件标头之后，请查找“Authentication-Results”（身份验证结果）标头。
如果邮件成功通过 SPF 或 DKIM 身份验证，则会显示“spf=pass”或“dkim=pass”

例如：

Authentication-Results: mr.google.com; 
    spf=pass (google.com: domain of sender@gmail.com designates 10.90.20.10 as permitted sender) smtp.mail=sender@gmail.com; 
    dkim=pass header.i=sender@gmail.com

检查配置是否OK，发邮件到：

check-auth@verifier.port25.com

---

• http://www.bits.org/publications/security/BITSSecureEmailApr2007.pdf
• http://www.bits.org/publications/security/BITSSecureBrowserRec091610.pdf
• http://www.bits.org/publications/security/BITSSenderAuthDeployJun09.pdf
• http://www.bits.org/publications/security/BITSEmailAuthenticationFeb2013.pdf
• http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices
• https://leap.se/en/services/email

查看IP是否在黑名单：

• http://www.blacklistalert.org/

邮件头分析：

• http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx
• https://toolbox.googleapps.com/apps/messageheader/

相关RFC：

• http://tools.ietf.org/html/rfc5321
• http://tools.ietf.org/html/rfc6854
• http://tools.ietf.org/html/rfc7001

ADSP:

$ dig +short txt _adsp._domainkey.paypal.com
"dkim=discardable"

Enterprise Open-Source Spam Filter - http://spamassassin.apache.org/

Related: Study_Mail

参考资料

[1]. http://www.trusteddomain.org/
[2]. http://www.dkim.org/
[3]. http://www.opendkim.org/
[4]. http://www.openspf.org/
[5]. http://www.dmarc.org/
[6]. http://dmarc-qa.com/
[7]. http://www.techrepublic.com/blog/google-in-the-enterprise/send-better-email-configure-spf-and-dkim-for-google-apps/
[8]. http://jsmtp.com/doc/index.html#!/how_to_sign_with_dkim
[9]. http://emailstuff.org/authentication
[10]. http://dkimcore.org/tools/
[11]. http://yxcwf.wordpress.com/2011/05/30/dkim%E6%8A%80%E6%9C%AF%E8%AF%B4%E6%98%8E/
[12]. http://www.microsoft.com/senderid
[13]. http://internetmessagingtechnology.org/
[14]. http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices
[15]. http://en.wikipedia.org/wiki/List_of_DNS_record_types
[16]. http://en.wikipedia.org/wiki/Message_transfer_agent
[17]. http://en.wikipedia.org/wiki/Email_authentication