Should Gmail reject this message using DMARC because of bad alignment?


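I ran a test against our mail server to see whether the From header could be spoofed, and I expected it to fail. As far as I know, our SPF, DKIM and DMARC are all set up correctly. However, the following message was still delivered to Gmail: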

Delivered-To: [email protected]
Received: by 2002:a4a:6f4a:0:0:0:0:0 with SMTP id i10-v6csp7502430oof;
        Tue, 28 Aug 2018 09:27:26 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vdb2gL9sqUjkSSq6b8JksGiMbZvpaadOegQlnNtn5jNJ6ElcYeT1bO6sdYlQdOreTUazCdTqcfiWICU=
X-Received: by 2002:aca:2dd7:: with SMTP id t206-v6mr1995034oit.154.1535473645509;
        Tue, 28 Aug 2018 09:27:25 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 192.254.121.248 as permitted sender) smtp.mailfrom="[email protected]";
       dkim=pass [email protected] header.s=smtpapi header.b=q5LRqj1g
Received-SPF: pass (google.com: domain of [email protected] designates 192.254.121.248 as permitted sender) client-ip=192.254.121.248;
Received: by 2002:aca:e48f:: with POP3 id b137-v6mf6449095oih.6;
        Tue, 28 Aug 2018 09:27:25 -0700 (PDT)
X-Gmail-Fetch-Info: [email protected] 4 mail.knextion.com 995 [email protected]
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from paul.knextion.com by paul.knextion.com with LMTP id cFWUMs91hVvZKgAAKeyupQ for <[email protected]>; Tue, 28 Aug 2018 16:18:23 +0000
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 28 Aug 2018 16:18:23 +0000
Received: from o2.pstemail.knowbe4.com ([192.254.121.248]:8276) by paul.knextion.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <[email protected]>) id 1fughC-0002qa-Nn for [email protected]; Tue, 28 Aug 2018 16:18:23 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.net; h=from:mime-version:to:content-type:subject; s=smtpapi; bh=bg0lHs+VfF3/1byBibxhl5LSVFs=; b=q5LRqj1gde0l32I1BEy1+Cj6p1gj2 mxJv6jwrtedaLsIvcj99UIewFHPRuyMAoBgSo/swR9HPvN+1qSPu/7GNd58imdnM q3aMvatNxj30CDISkvjS0XSs95WvZ6rvk188Aml3hBeRpsBPsm7nHITwop9r4c3y bVeEKV6YHxxt1I=
Received: by filter0028p3iad2.sendgrid.net with SMTP id filter0028p3iad2-9024-5B8575A3-60
        2018-08-28 16:17:40.014016575 +0000 UTC m=+930326.755523913
Received: from NjMyNzMyNQ (ec2-35-170-11-38.compute-1.amazonaws.com [35.170.11.38]) by ismtpd0001p1iad1.sendgrid.net (SG) with HTTP id _-UcpATiQ5mYDleTFM62hQ Tue, 28 Aug 2018 16:17:39.902 +0000 (UTC)
Date: Tue, 28 Aug 2018 16:17:40 +0000 (UTC)
From: [email protected]
Mime-Version: 1.0
To: [email protected]
Message-ID: <[email protected]>
Content-type: multipart/alternative; boundary="----------=_1535473060-15651-1640"
Subject: Test Email
X-SG-EID: 8K5OYQepvmN+h/LdhcHZbe/QO6KUcyHPG/zIchVj+BckwZYyPPqFXNewZ2m/rVJHhuGqH80rPI0boR v+6IjNiHfb+8JS7SvwO/vI085p32sPr1UOneuJ6jO1dBw0/wuhOsySPV6fd541QtFkKOU/RFs3bPiG jbF25PCRgPLJg0jpWGICqT3arHhUYq4aSPJxQX58HVn9SpHZdnkj5KsNxA==
X-SG-ID: ry6MXBxyEtnC+S9qPe1Pt1jDZZ1BhhEm7IkH/SKulWDtQz9/mmkpElaI9wX0Rf6V
X-Spam-Status: No, score=5.2
X-Spam-Score: 52
X-Spam-Bar: +++++
X-Ham-Report: Spam detection software, running on the system "paul.knextion.com", has NOT identified this incoming email as spam.
  The original message has been attached to this so you can view it or label similar future email.
  If you have any questions, see root\@localhost for details.
  Content preview:
  This is a test Spoof email This is a test Spoof email [...]
  Content analysis details:   (5.2 points, 8.0 required)
   pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                              trust
                              [192.254.121.248 listed in list.dnswl.org]
   0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                              domains are different
  -0.0 SPF_PASS               SPF: sender matches SPF record
   1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
   0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                              [score: 0.4717]
   0.0 HTML_MESSAGE           BODY: HTML included in message
   1.1 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                              http urls
  -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
   0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
   1.0 URIBL_GREY             Contains an URL listed in the URIBL greylist
                              [URIs: sendgrid.net]
   0.5 URIBL_GOLD             Contains an URL listed in the URIBL GOLDlist
                              [URIs: sendgrid.net]
   0.0 T_REMOTE_IMAGE         Message contains an external image
X-Spam-Flag: NO

------------=_1535473060-15651-1640
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8

This is a test Spoof email
------------=_1535473060-15651-1640
Content-Type: text/html; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

<html><body>
<p>This is a test Spoof email</p>

<img src=3D"https://u6327325.ct.sendgrid.net/wf/open?upn=3DNrk2gJgYF-2FJNXx=
3U3HYjEEXjY9Gfjb7cox0Z4e6RjHEZt6qh0p8LoeTIXQa76HCYYj3NDi02ZXXL6LbK93JpA8Jh6=
-2FQv-2FGmvbigv62ioqwJ8g64lpiJsmGybUPYqSphC11ihdXDIx-2FPdze0-2Fl-2FjacR8VYp=
10vUfLnsNm7qfjEjvuIffEmpN9oGqYSNWwlXFoPvLhGRLIms9LP-2Bxzx6YVVfxoL7v5hzO0JNg=
MXPOTg-2BTgoOYhxskJGVdKFgrp9FOrSImbfZtOx-2BbbZn5wWUVsyg-3D-3D" alt=3D"" wid=
th=3D"1" height=3D"1" border=3D"0" style=3D"height:1px !important;width:1px=
 !important;border-width:0 !important;margin-top:0 !important;margin-bottom=
:0 !important;margin-right:0 !important;margin-left:0 !important;padding-to=
p:0 !important;padding-bottom:0 !important;padding-right:0 !important;paddi=
ng-left:0 !important;"/>
</body></html>

------------=_1535473060-15651-1640--

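As you can see, the envelope-from domain does not match, so I thought DMARC would fail and Gmail would reject the message. Why was this message not rejected?

Envelope From: [email protected]

From: [email protected]

Edit:

https://techblog.exonet.nl/2017-02-03-spf-dkim-dmarc

DMARC uses a concept called alignment. This checks whether the header-from matches the envelope-from (SPF) or the d=domain (DKIM). A DMARC policy requires that one of SPF and/or DKIM passes. It does not require both to pass, because the SPF check may fail if the e-mail has been forwarded, while DKIM should still pass (if nothing was changed). However, even if both SPF and DKIM pass, DMARC will still fail if the alignment does not match.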

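Answer 1

Why was this message not rejected?

In short: probably because customers pay reputable mail services such as Sendgrid precisely because they are able to deliver e-mail successfully, and they do a pretty good job at that...


From a technical point of view:

Sendgrid uses its own sendgrid.net domain in the EnvelopeFrom and Return-Path, which in pure SPF makes the sendgrid.net SPF policy apply rather than your own domain's SPF policy.

Sendgrid also adds its own DKIM signature. Since it sets the domain d=sendgrid.net, that does not validate your From: [email protected] header, but it still adds trust that the message was sent through sendgrid.

When neither SPF nor DKIM fails, GMail will not trigger your domain's DMARC policy.

If you are the domain owner, you first need to configure SPF records and DKIM keys on all outbound e-mail streams. DMARC relies on these technologies to ensure the integrity of signatures. Messages that fail the SPF and/or DKIM checks will trigger the DMARC policy (source: https://support.google.com/a/answer/2466580?hl=en)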

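Answer 2

What strikes me about the sample headers is that Google appears to have skipped the DMARC check for this particular message. When Google detects a DMARC record for your sender domain, I would expect a "dmarc=" result in the headers, but there is none.

Your DMARC record appears to be valid at the time of checking.

Is it possible that you sent this sample shortly after publishing the DMARC record? In that case, Google may have used a cached "DMARC record missing" result.

Are you still experiencing this? If so, could you send updated headers for a more recent sample?

Also, since you are not using an aligned DKIM signature and/or an aligned Return-Path header, the message fails DMARC. See the Sendgrid documentation for more information on how to set this up in your account.

Regards,

Michel

DMARC Analyzer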
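
The alignment check discussed in the question and in both answers, as an added example that is not part of the original posts: it recomputes DMARC identifier alignment from a receiver's Authentication-Results header and reports whether the receiver recorded a dmarc= verdict at all. Assumptions: the sample message is constructed (the page's addresses are redacted, so example.com stands in for the From domain), header.i is read as the DKIM signing domain, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the question; the redacted
# addresses are replaced with placeholders (example.com is an assumption).
SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounces@sendgrid.net designates 192.254.121.248 as permitted sender) smtp.mailfrom="bounces@sendgrid.net";
       dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=q5LRqj1g
From: ceo@example.com
Subject: Test Email

This is a test Spoof email
"""

def org_domain(domain):
    # Simplification: real receivers use the Public Suffix List; here the
    # last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(value):
    # '"user@host"', '@host' or 'host' -> 'host'
    return value.strip('"<>').rpartition("@")[2].lower()

def aligned(from_domain, auth_domain, strict=False):
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(raw_message, strict=False):
    """Recompute DMARC identifier alignment from a receiver's verdicts."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg["From"])[1])
    results = msg["Authentication-Results"] or ""
    verdict = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False,
               "receiver_reported_dmarc": bool(re.search(r"\bdmarc=", results))}
    for clause in results.split(";"):
        clause = " ".join(clause.split())
        m = re.match(r"(spf|dkim)=pass\b", clause)
        if not m:
            continue  # only a passing mechanism can contribute to DMARC
        # SPF aligns on the envelope sender, DKIM on the signing domain
        key = r"smtp\.mailfrom" if m.group(1) == "spf" else r"header\.[di]"
        for ident in re.findall(key + r"=(\S+)", clause):
            if aligned(from_domain, domain_of(ident), strict):
                verdict[m.group(1) + "_aligned"] = True
    verdict["dmarc_pass"] = verdict["spf_aligned"] or verdict["dkim_aligned"]
    return verdict

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

For the constructed sample, SPF and DKIM both pass for sendgrid.net but neither aligns with the From domain, and the receiver recorded no dmarc= result, which matches the observation in Answer 2.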
