{{tag>howto dmarc dkim spf mailserver email dig dns}} ====== DMARC ====== * https://support.google.com/a/answer/2466580 * https://dmarc.org/2015/08/receiving-dmarc-reports-outside-your-domain/ * https://powerdmarc.com/de/how-to-find-dkim-selector/ * https://mxtoolbox.com/DMARCRecordGenerator.aspx? * https://easydmarc.com/tools/dkim-record-generator * https://www.agari.com/blog/dkim-setup * https://mxtoolbox.com/problem/dmarc/dmarc-external-validation?page=prob_dmarc * https://dmarcadvisor.com/de/was-ist-external-destination-verification/ * https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix <- THIS IS GOLD! * https://www.synology-forum.de/threads/strato-und-mail-server-einrichtung-dkim-spf-dmarc-workaround.92191/ * https://powerdmarc.com/how-to-read-dmarc-reports/ * https://www.mailercheck.com/articles/how-to-read-a-dmarc-report-and-actually-understand-it Open Source DMARC-Report Analyzers/Visualizer: * https://domainaware.github.io/parsedmarc/ #MX dig -t MX +noall +answer netzwerkforensik.com dig +noall +answer netzwerkforensik.com


netzwerkforensik.com.   150     IN      MX      5 smtpin.rzone.de.


smtpin.rzone.de.        1800    IN      A       81.169.145.97

# SPF dig -t txt +noall +answer _spf.strato.com dig -t txt +noall +answer netzwerkforensik.com


_spf.strato.com.        3600    IN      TXT     "v=spf1 ip4:81.169.146.128/25 ip4:85.215.255.0/24 ip6:2a01:238:20a:202::0/64 ip6:2a01:238:400::0/48 ip4:81.169.144.153 ip6:2a01:238:20a:202:50ff::153 -all"


netzwerkforensik.com.   150     IN      TXT     "v=spf1 include:_spf.strato.com mx -all"

#DKIM Selector 1 dig -t txt +noall +answer strato-dkim-0002._domainkey.netzwerkforensik.com


strato-dkim-0002._domainkey.netzwerkforensik.com. 150 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3a1nbhQdD0MtbPT1r8DGZefoQlj3fSgtWdINsXsRl55OmOAf2QNR8B0SwC59dWqA+isuH/bQnU0f0OmO5A7p+cyfT9EekbWslP575NAnAYpsUJlBv/0O8qA6T/cLoDz6LsUYv000gFRqSSUe1BZnJ/sjg0f96UCkomT1aQRpSUSDwNYCqpQKQ/fWg9IS2fL+" "d2kR1rckqwoKdgbEtjr4i+ICn2SUodI1KkGusIivuBueMYfDh8RGYKvFv40UZlBSfuX71GkzEPvQPnQTfXLqM9F8q1kWq/mdWYy5R0KrWptAnuAmCZqujkgWmcqzLoTMln04oOxGFp/zkf8iA75lwIDAQAB"

#DKIM Selector 2 dig -t txt +noall +answer strato-dkim-0003._domainkey.netzwerkforensik.com


strato-dkim-0003._domainkey.netzwerkforensik.com. 150 IN TXT "v=DKIM1; k=ed25519; p=hB4fidO1tsRNeRkj6ySb9N2xwfNzERRFYLQhGQyQ9dE="

#DMARC dig -t txt +noall +answer _dmarc.netzwerkforensik.com dig -t txt +noall +answer netzwerkforensik.com._report._dmarc.wiretrip.de


_dmarc.netzwerkforensik.com. 150 IN     TXT     "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@wiretrip.de; ruf=mailto:postmaster@wiretrip.de; sp=reject; fo=0:1:d:s; pct=100; aspf=s"


netzwerkforensik.com._report._dmarc.wiretrip.de. 43200 IN TXT "v=DMARC1;"

google.com noreply-dmarc-support@google.com https://support.google.com/a/answer/2466580 6934733341335759686 1697673600 1697759999 netzwerkforensik.com r s

quarantine

reject 100 reject 81.169.146.220 1 none pass pass netzwerkforensik.com netzwerkforensik.com pass strato-dkim-0002 netzwerkforensik.com fail netzwerkforensik.com pass Der Fail in Zeile 43 kommt vermutlich vom zweiten Selector 0003 weil das kein RSA sondern ED25519 Zertifikat ist und google das noch nicht unterstützt. Sollte aber neutral bewertet werden - also Selector 1: pass und Selector 2: neutral. ===== Mail-tester-Ergebnis ===== * https://www.mail-tester.com/test-trw64bcwh {{:pages:howtos:mailserver:screenshot-2023-10-22-at-16-20-58-spam-test-result.png?direct&600|}} ---- ~~DISCUSSION~~