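My domain has a strict DMARC policy (p=reject) and a standard SPF policy with a ~all catchall.

My email provider is Google Workspace.

I received an email that spoofed my sender address. It came from 41.174.75.34, a Zambian IP address that is blacklisted in some spam databases. Gmail did mark the email as spam. Using Google's message header analyzer I got the following:

  • SPF: softfail
  • DMARC: fail

My understanding from some online documentation, like this question or this question, is that this email should have been rejected outright, because it does not pass DKIM and the source IP is not in the allowed SPF range. I did not expect it to reach my mailbox at all, even marked as spam.

Considering the example I am seeing, what is the correct DMARC and SPF configuration to reject spoofed emails? Preferably provide references for your answer.

Update 1

Here are the values of the relevant DNS records, for reference:

DMARC record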

v=DMARC1; p=reject; rua=mailto:<redacted>; ruf=mailto:<redacted>; fo=1

SPF record

v=spf1 include:_spf.google.com include:_spf.salesforce.com include:<redacted> ~all

Update 2

Here are the full message headers, lightly redacted:

Delivered-To: <user-redacted>@<domain-redacted>
Received: by 2002:a05:6214:aaa:0:0:0:0 with SMTP id ew10csp427451qvb;
        Thu, 25 Feb 2021 07:46:07 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxFPuLVmXBoRU+vQaU0r38lcka6Mby1RlA787SCOD8Rb7QkX5EOXGpiMC/Tenm4pXpACNBR
X-Received: by 2002:a62:68c5:0:b029:1ee:863:8c55 with SMTP id d188-20020a6268c50000b02901ee08638c55mr3732841pfc.37.1614267967132;
        Thu, 25 Feb 2021 07:46:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614267967; cv=none;
        d=google.com; s=arc-20160816;
        b=wFGGZzBJaDIOxatWEKE7LE2TBMVhqNpktIexiXikL9SJWCMTxvXV7EAooox3TKoWI2
         JpquJ/v+fsFHvHGp/AaFghBTQcvEv9MDRPtdDKDX1zulGa2vGF5P4pE8EVcPrCZ7OEZ6
         hjky81yTDLBMnowYRefHs9/UhjkrrS944a/HnLJeYN2E/UEQW7a0YjXjmFRo87g9l35g
         fBml7hP9NFmW9ZECvOU6K/cXYr/W/Fl/53X6t+kfFbschLf3/NoB0KvIi8cBA+9NiXtF
         p12/7MjR2M4gd9gqYqGzpYyfZ2FK2T/3fgJFNa07CQldfLW8qkGNBJJIFAG0boPQlEs1
         enJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=importance:mime-version:date:subject:to:from:message-id;
        bh=1beLMfc/QIXWzdWj0auhMhJreQONuvV9O2Srp9s2OQY=;
        b=u/KHc8DIEQxX0NzfQWqE8d/wu3hGQR0UHANF4dZZjSpAKgrVeAki+WYNaXdk3s5owS
         82yew5mZcS6PJ9b3k8LnjXX1gALocBFqZcn23FbnxFoIT/9WQdYWya/dqYI42nDLByB7
         5O/c4f9tKwZjF3VDHLAVg97P6hSPhCWrIhElqIjev60huc6jm/+FjPgBq1Umpbjv1720
         hZbi95+vetbIkPZMmhXw6iOwiB/YG3RDhhUyLwCnJhr8ixf3dg3MwgCMgqHb+ky/wn5b
         x0F4D4PHZ+3MCuIFPMkMR1kvhUFPidY6RRzjL72nWGVGJ1NbQs+aVgviVTqBJKWCGxI9
         fhBQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning <user-redacted>@<domain-redacted> does not designate 41.174.75.34 as permitted sender) smtp.mailfrom=<user-redacted>@<domain-redacted>;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=<domain-redacted>
Return-Path: <<user-redacted>@<domain-redacted>>
Received: from [41.174.75.34] ([41.174.75.34])
        by mx.google.com with ESMTP id p11si6119467plo.125.2021.02.25.07.46.00
        for <<user-redacted>@<domain-redacted>>;
        Thu, 25 Feb 2021 07:46:07 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning <user-redacted>@<domain-redacted> does not designate 41.174.75.34 as permitted sender) client-ip=41.174.75.34;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning <user-redacted>@<domain-redacted> does not designate 41.174.75.34 as permitted sender) smtp.mailfrom=<user-redacted>@<domain-redacted>;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=<domain-redacted>
Message-ID: <20644A25380E0B57133D524F797C2064@8AIF179>
From: <<user-redacted>@<domain-redacted>>
To: <<user-redacted>@<domain-redacted>>
Subject: 情報リクエストに関する個人的な
Date: 26 Feb 2021 04:37:43 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_003F_01D70BF1.06CD2753"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912

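Update 3

Here is the rua report. It is the only report that mentions the offending 41.174.75.34 IP address. I removed the irrelevant <record> entries. The softfail is there, but the question is why?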

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>...redacted...</report_id>
    <date_range>
      <begin>1614211200</begin>
      <end>1614297599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>...redacted...</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
... redacted multiple <record> entries ...
  <record>
    <row>
      <source_ip>41.174.75.34</source_ip>
      <count>7</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>...redacted...</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>...redacted...</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
... redacted multiple <record> entries ...
</feedback>
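
Added example, not part of the original question: a Python parser for aggregate reports shaped like the one above. It lists the sources for which both aligned checks failed and keeps the raw SPF result (softfail) separate from the aligned verdict in policy_evaluated. The embedded report is constructed; example.com and 192.0.2.10 are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the aggregate (rua) report in the question;
# example.com and 192.0.2.10 are placeholders, not values from the page.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>41.174.75.34</source_ip><count>7</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>"""


def dmarc_failures(report_xml):
    """Return one dict per source whose aligned DKIM and SPF both failed."""
    # Reports come from third parties: treat them as untrusted input
    # (a hardened XML parser such as defusedxml is a reasonable choice).
    root = ET.fromstring(report_xml)
    failures = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        # DMARC passes if either aligned mechanism passes, so a source
        # is a DMARC failure only when neither one passed.
        if dkim == "pass" or spf == "pass":
            continue
        failures.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": ev.findtext("disposition"),
            # Raw SPF result (softfail comes from ~all), distinct from
            # the aligned pass/fail recorded in policy_evaluated.
            "spf_raw": rec.findtext("auth_results/spf/result"),
        })
    return failures


if __name__ == "__main__":
    for failure in dmarc_failures(SAMPLE_REPORT):
        print(failure)
```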

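Answer 1

So, aspf=s means it should enforce SPF matching strictly, which means you need -all instead of ~all

adkim=s means it should strictly adhere to DKIM matching, which means that it provides an outgoing DKIM signing key and that the public component of that DKIM key pair matches the public DNS record it is to be paired with.

The above two settings are part of the DMARC record.

Your current aspf and adkim settings are r (relaxed).

Looking at the headers, it seems the sender has sent the email to mx.google.com, which I guess is within the coverage of _spf.google.com, so I think ultimately you need to set strict dkim alignment, as the idea is that ultimately that user would need to send email with your domain's signing key, rather than simply sending from Google's IP range.

You could sign up with an email provider that offers authenticated smtp to test this by sending email remotely via Gmail over SMTP/SMTPS, and perhaps use it to send a test email to www.mail-tester.com and analyze the results.

Some links for you: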

https://mxtoolbox.com/dmarc/details/dmarc-tags/aspf

https://mxtoolbox.com/dmarc/details/dmarc-tags/adkim

https://www.dmarcanalyzer.com/dmarc/dmarc-record-setup-guides/google-g-suite-dmarc-setup-guide/

https://support.google.com/a/answer/2466563?hl=en

https://mha.azurewebsites.net/
