So my last post talked about setting up an SMTP server strictly for the purpose of sending e-mail out. Google sometimes categorizes such a server as a bulk sender. Mail servers don’t usually like bulk senders, since they are, for the most part, a source of spam and advertisements. Below are a couple of pointers that could be useful in avoiding your SMTP server being marked as a spam source by receiving SMTP servers, as well as by DNSBLs and RBLs.
1. PTR Records
Always make sure that a reverse DNS query resolves for each of your SMTP servers. Meaning, you have to have a PTR record for each of your SMTP servers’ IPs pointing to the correct FQDN. If your public IPs are provisioned by an internet provider, ask them to do it for you. As an example, this is a DNS query for sendx.mach5.web.id:
    surfer@M5-F-x-II:~$ dig sendx.mach5.web.id

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> sendx.mach5.web.id
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18741
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sendx.mach5.web.id.            IN      A

    ;; ANSWER SECTION:
    sendx.mach5.web.id.     300     IN      A       www.xxx.yyy.zzz
A properly configured receiving SMTP server will typically check that the IP really resolves back to that particular FQDN (in this case sendx.mach5.web.id) by performing a reverse query:
    surfer@M5-F-x-II:~$ dig -x www.xxx.yyy.zzz

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -x www.xxx.yyy.zzz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23772
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 25

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;zzz.yyy.xxx.www.in-addr.arpa.  IN      PTR

    ;; ANSWER SECTION:
    zzz.yyy.xxx.www.in-addr.arpa. 60 IN     PTR     sendx.mach5.web.id.
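The two dig runs above are the manual version of what a receiving MTA does automatically: a forward-confirmed reverse DNS (FCrDNS) check. Below is an added example of that check in Python; it is not code from the original post. The lookups are injected as callables so the logic runs offline against constructed zone data (the documentation addresses 192.0.2.x stand in for the post’s www.xxx.yyy.zzz placeholder); the two `live_*` helpers show how to plug in the system resolver instead.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as a receiving MTA performs it.

Added example, not code from the original post. DNS is injected through two
callables so the logic can run offline over constructed data; pass the
live_* helpers below to use the system resolver instead.
"""
import ipaddress
import socket
from typing import Callable, Iterable

PtrLookup = Callable[[str], Iterable[str]]   # ip -> PTR names
ALookup = Callable[[str], Iterable[str]]     # name -> A/AAAA addresses


def fcrdns_check(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> dict:
    """Return a verdict for one sending IP.

    "pass":     some PTR name of the IP resolves forward back to the same IP
    "mismatch": PTR names exist but none of them resolves back to the IP
    "no_ptr":   the IP has no PTR record at all
    """
    ip_obj = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return {"ip": ip, "verdict": "no_ptr", "ptr": [], "confirmed": None}
    for name in names:
        forward = {ipaddress.ip_address(a) for a in a_lookup(name)}
        if ip_obj in forward:
            return {"ip": ip, "verdict": "pass", "ptr": names, "confirmed": name}
    return {"ip": ip, "verdict": "mismatch", "ptr": names, "confirmed": None}


def live_ptr_lookup(ip: str):
    """PTR lookup through the system resolver (needs network access)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except socket.herror:
        return []


def live_a_lookup(name: str):
    """A/AAAA lookup through the system resolver (needs network access)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


# Constructed zone data; 192.0.2.25 plays the role of the post's placeholder IP.
CONSTRUCTED_PTR = {
    "192.0.2.25": ["sendx.mach5.web.id."],   # PTR and forward agree: good
    "192.0.2.26": ["mail.example.net."],     # PTR exists but forward disagrees
    "192.0.2.27": [],                        # no PTR at all
}
CONSTRUCTED_A = {
    "sendx.mach5.web.id": ["192.0.2.25"],
    "mail.example.net": ["198.51.100.7"],
}


def check_constructed(ip: str) -> dict:
    """Run the check against the constructed zone data above."""
    return fcrdns_check(ip,
                        lambda i: CONSTRUCTED_PTR.get(i, []),
                        lambda n: CONSTRUCTED_A.get(n, []))


if __name__ == "__main__":
    for addr in CONSTRUCTED_PTR:
        print(check_constructed(addr))
    # Live check of your own server: fcrdns_check("203.0.113.1", live_ptr_lookup, live_a_lookup)
```

The "mismatch" verdict is the one that bites most people: the provider creates a generic PTR (something like `static-25.isp.example`) that does not resolve back to the IP, and strict receivers treat that the same as no PTR at all.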
2. DKIM Records
DKIM, or DomainKeys Identified Mail, allows a sending SMTP server to digitally sign each outgoing email. The receiving SMTP server then verifies the signature against a public key that we must publish in our DNS zone. There can be as many DKIM public keys as there are servers that send and sign mail. Certain domains have specific requirements regarding your keys. For example, Google will only accept 1024-bit or longer keys. As an example, this is the DKIM record for selector mail of mach5.web.id:
    surfer@M5-F-x-II:~$ dig mail._domainkey.mach5.web.id TXT

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> mail._domainkey.mach5.web.id TXT
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64563
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mail._domainkey.mach5.web.id.  IN      TXT

    ;; ANSWER SECTION:
    mail._domainkey.mach5.web.id. 295 IN    TXT     "v=DKIM1\; k=rsa\; s=email\; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsxBsq0lUqpwjpg1/5LioX5sCYgm34FBeJL0zUDY3kH2HJKfcq7VGdGPf/rJTlba4aNhrgtHOQvxIndRgLwCHeUMd8uhx/3zTT20IHmLcgzHGQyb6YsW6RXdVQ4UtDVA7rkOAKtxHn4QhZ2eChmF4uqw0qxTefcy3gjx/O/j2S0NAFcv9Ss73bsfpTyZZzwym4ZNd5B0+ja4YgL" "9DjtUh1IlHEnYN/4asqLHk2qcTWx72grzchMNI+kvj/yw0iFZmkMHVWl5eaPS2MUfVplidUSMQ4/llqxuR3KaJ7KVfj6OIheJhxwJwsTlnyaU5jslEQmuhKoe8lvJNpVxb5AfyUQIDAQAB"
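Whether the published key meets a 1024-bit minimum is not obvious from the dig output, so here is an added example (not code from the post) that parses the tag=value record, decodes the `p=` tag and reads the RSA modulus size out of the DER SubjectPublicKeyInfo with a minimal parser, standard library only. It uses the record shown above as its sample input, plus a constructed record around a dummy modulus to show the failing case; the function names are my own.

```python
"""Check a published DKIM TXT record and the size of its RSA public key.

Added example, not code from the original post. It parses the tag=value
record, base64-decodes the p= tag and reads the RSA modulus size out of the
DER SubjectPublicKeyInfo with a minimal parser, standard library only.
"""
import base64

# The record for selector "mail" of mach5.web.id as the dig output above shows
# it, with the three TXT strings concatenated (a DKIM verifier does the same).
PAGE_RECORD = (
    "v=DKIM1; k=rsa; s=email; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    "sxBsq0lUqpwjpg1/5LioX5sCYgm34FBeJL0zUDY3kH2HJKfcq7VGdGPf/rJT"
    "lba4aNhrgtHOQvxIndRgLwCHeUMd8uhx/3zTT20IHmLcgzHGQyb"
    "6YsW6RXdVQ4UtDVA7rkOAKtxHn4QhZ2eChmF4uqw0qxTefcy3gjx/O/j2S0N"
    "AFcv9Ss73bsfpTyZZzwym4ZNd5B0+ja4YgL"
    "9DjtUh1IlHEnYN/4asqLHk2qcTWx72grzchMNI+kvj/yw0iFZmkMHVWl5eaP"
    "S2MUfVplidUSMQ4/llqxuR3KaJ7KVfj6OIheJhxwJwsTlnyaU5jslEQmuhKo"
    "e8lvJNpVxb5AfyUQIDAQAB"
)


def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping whitespace inside values."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = "".join(value.split())
    return tags


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the modulus in an RSA SubjectPublicKeyInfo (RFC 3279 layout)."""
    tag, body, _ = _der_tlv(spki, 0)             # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _tag, _alg, pos = _der_tlv(body, 0)          # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_tlv(body, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _tag, rsa, _ = _der_tlv(bitstr, 1)           # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_tlv(rsa, 0)           # INTEGER n (exponent follows)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def dkim_key_report(txt: str, minimum_bits: int = 1024) -> dict:
    """Apply the checks a strict receiver (e.g. a 1024-bit minimum) would."""
    tags = parse_dkim_record(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional but fixed if present
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    if not tags.get("p"):                        # empty p= is the documented revocation form
        problems.append("empty p= means the key is revoked")
        return {"bits": 0, "ok": False, "problems": problems}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < minimum_bits:
        problems.append(f"{bits}-bit key is below the {minimum_bits}-bit minimum")
    return {"bits": bits, "ok": not problems, "problems": problems}


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a minimal length field."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def constructed_record(bits: int) -> str:
    """Constructed DKIM record around a dummy modulus of `bits` bits.
    Not a real RSA key; it exists only to exercise the length check."""
    modulus = (1 << (bits - 1)) | 1                        # top bit set, odd
    n = b"\x00" + modulus.to_bytes(bits // 8, "big")        # leading 0x00 keeps INTEGER positive
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    print(dkim_key_report(PAGE_RECORD))
    print(dkim_key_report(constructed_record(512)))
```

Two things worth noticing: the published record is split across several quoted strings because a single TXT string is limited to 255 bytes, and a verifier concatenates them before parsing; and a record with an empty `p=` is not a broken record but the standard way of revoking a selector, so the report treats it as a distinct condition rather than a parse error.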
3. SPF Records
A Sender Policy Framework record, or SPF record for short, published in DNS identifies which hosts are allowed to act as sending SMTP servers for a domain, and thus which hosts are allowed to send e-mail from it. For example, a record saying “v=spf1 +mx +ip4:www.xxx.yyy.zzz -all” means that all hosts listed in the domain’s MX records, along with the host with the IP www.xxx.yyy.zzz, are allowed to send e-mail. The trailing “-all” means that anything beyond those mentioned earlier is prohibited from initiating an SMTP transfer.
    surfer@M5-F-x-II:~$ dig @ns4.zoneedit.com mach5.web.id txt

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @ns4.zoneedit.com mach5.web.id txt
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14096
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mach5.web.id.                  IN      TXT

    ;; ANSWER SECTION:
    mach5.web.id.           300     IN      TXT     "v=spf1 +mx +ip4:www.xxx.yyy.zzz -all"
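To see how a receiver turns that record into the `Received-SPF: pass` you will see in the headers further down, here is an added example (not code from the post) of a minimal SPF check_host() in Python. It implements only the mechanisms the post’s record needs (`ip4`, `ip6`, `a`, `mx`, `include` and `all`, with the `+`/`-`/`~`/`?` qualifiers); `redirect=`, `exists`, `ptr` and CIDR suffixes on `a`/`mx` are left out and produce permerror. DNS is a constructed dict so it runs offline, with 192.0.2.25 standing in for www.xxx.yyy.zzz.

```python
"""Minimal SPF (RFC 7208) check_host() for the mechanisms in the post's record.

Added example, not code from the original post. DNS is passed in as a dict
keyed by (name, rrtype) so the evaluation runs offline over constructed data.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(name: str, dns: dict) -> set:
    """A/AAAA addresses of a name from the injected zone data."""
    return {ipaddress.ip_address(a)
            for rr in ("A", "AAAA") for a in dns.get((name, rr), [])}


def check_host(ip: str, domain: str, dns: dict, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for sending IP `ip`.

    Returns pass / fail / softfail / neutral / none / permerror.
    Mechanisms are tried left to right; the first match decides.
    """
    if depth > 10:                       # RFC 7208 caps DNS-causing terms
        return "permerror"
    client = ipaddress.ip_address(ip)
    txts = [t for t in dns.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(txts) != 1:                   # zero records: none; several: permerror
        return "none" if not txts else "permerror"
    for term in txts[0].split()[1:]:
        qualifier = "+"                  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client in _addresses(arg or domain, dns)
        elif name == "mx":
            matched = any(client in _addresses(mx, dns)
                          for mx in dns.get((arg or domain, "MX"), []))
        elif name == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


# Constructed zone data mirroring the post's record; 192.0.2.25 plays the
# role of the www.xxx.yyy.zzz placeholder.
CONSTRUCTED_DNS = {
    ("mach5.web.id", "TXT"): ["v=spf1 +mx +ip4:192.0.2.25 -all"],
    ("mach5.web.id", "MX"): ["mx1.mach5.web.id"],
    ("mx1.mach5.web.id", "A"): ["192.0.2.10"],
    ("sendx.mach5.web.id", "A"): ["192.0.2.25"],
    ("nospf.example", "TXT"): ["some unrelated txt record"],
}


if __name__ == "__main__":
    for sender in ("192.0.2.25", "192.0.2.10", "198.51.100.7"):
        print(sender, check_host(sender, "mach5.web.id", CONSTRUCTED_DNS))
    print("nospf.example", check_host("198.51.100.7", "nospf.example", CONSTRUCTED_DNS))
```

The order of terms matters: with `-all` last, any host that is neither an MX nor the listed IP gets a hard fail, which is what you want once you are sure the record lists every legitimate sender. A `~all` gives softfail, which most receivers only use as a scoring input, and is the safer choice while you are still discovering what sends mail for the domain.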
Here is an example of the headers of an email sent from an SMTP server that passes both the DKIM and SPF checks:
    Delivered-To: email@example.com
    Received: by 10.107.129.156 with SMTP id l28csp40181ioi;
            Fri, 3 Jul 2015 13:02:51 -0700 (PDT)
    X-Received: by 10.70.131.232 with SMTP id op8mr78750335pdb.156.1435953771641;
            Fri, 03 Jul 2015 13:02:51 -0700 (PDT)
    Return-Path: <firstname.lastname@example.org>
    Received: from sendx.mach5.web.id (sendx.mach5.web.id. [www.xxx.yyy.zzz])
            by mx.google.com with ESMTPS id iv9si2025187pac.228.2015.07.03.13.02.49
            for <email@example.com>
            (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Fri, 03 Jul 2015 13:02:50 -0700 (PDT)
    Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates www.xxx.yyy.zzz as permitted sender) client-ip=www.xxx.yyy.zzz;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of email@example.com designates www.xxx.yyy.zzz as permitted sender) firstname.lastname@example.org;
           dkim=pass email@example.com
    Date: Fri, 03 Jul 2015 13:02:50 -0700 (PDT)
    Message-Id: <5596ea6a.a9c5420a.56f3b.ffffe1d9SMTPIN_ADDED_MISSING@mx.google.com>
    Received: from there (unknown [184.108.40.206])
            by sendx.mach5.web.id (Postfix) with ESMTPA id 6E1282051B
            for <firstname.lastname@example.org>; Fri, 3 Jul 2015 20:01:31 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mach5.web.id; s=mail;
            t=1435953752; bh=anQIPAvuDwk4z578Dwusrv+mIrvhJ6rNL3LgH2M7xKk=;
            h=FROM:TO:subject:From;
            b=myVdAcO/thC1wEWRCCFtRZeIfW9TBYsudx49GAuoQI515hFc37hMFSilxU/abqsCD
             N1tRtRstZOKzY0PhkwtkzozHgnQY33VAbpxczOBt32q74W9gUxnKmvEGOg3XmIvHAu
             O+8TpG3pw9Qf/4S9TfyasJdVcI9lQxNrzL8ufjMvlDWynRSck08dwuDgmh2lCLMZbA
             TGTXxDNCakU56bixAL3wsD7B817inh7yxe3sXoTk3YGyknJ58zATHSfUlj51VJlPd1
             2KoJ5sdvjgR97xps9WvfmSZDKZjpC4Gf+LR/r2RWa131pgLVcYvwyDgf3cXX+y+Jaf
             f5oxbmRMIIkuw==
    FROM: email@example.com
    TO:firstname.lastname@example.org
    subject: is this the real life is this just fantasy?
As you can see, this email passed the SPF check and was signed with the correct DKIM key (the `d=mach5.web.id; s=mail` in the DKIM-Signature header is what tells the receiver to fetch mail._domainkey.mach5.web.id).
4. Prevent open relay
To make sure that other SMTP servers do not brand ours as a spam sender, we really need to make sure that our SMTP servers are not actually sending spam. Some receiving SMTP servers are set to check whether a sending SMTP server is listed on a DNSBL or RBL. There are a couple of them, some freely accessible while others require a subscription, and the best way to make sure that our SMTP servers are not listed on one or more of them is not to send spam at all. If one of your hosts or subnets made it onto a list, you can usually ask for delisting. That, however, would only last until your SMTP server is caught sending spam again and makes it back onto the list. There are a couple of things we can do, such as enabling authentication, so only emails from an authenticated sender are allowed to relay, or only allowing client connections from within our internal network, or perhaps only accepting senders with certain “from” addresses.
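The three controls named above (authentication, a trusted internal network, and a sender allow-list) all come down to one decision the MTA makes at RCPT TO time: is this client allowed to relay to that destination? Here is an added example in Python of that decision as a policy function; it is not code from the post and not Postfix code. The network ranges, domains and the `Envelope` fields are constructed; an `ESMTPA` session like the one in the headers above is the `authenticated=True` case.

```python
"""Relay decision for an MTA that must not be an open relay.

Added example, not code from the original post or from Postfix. It models
the three controls the post names: SMTP authentication, a trusted internal
network, and an allow-list of envelope sender domains. All values are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Clients inside these networks may relay without authenticating.
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("10.0.0.0/8")]
# Domains we deliver *to* locally (may be empty for a pure outbound server).
LOCAL_DOMAINS = {"mach5.web.id"}
# Envelope sender domains we are willing to relay *from*.
ALLOWED_SENDER_DOMAINS = {"mach5.web.id"}


@dataclass
class Envelope:
    client_ip: str          # TCP peer address of the SMTP client
    authenticated: bool     # True after a successful AUTH (ESMTPA session)
    mail_from: str          # envelope sender (MAIL FROM)
    rcpt_to: str            # envelope recipient (RCPT TO)


def relay_decision(env: Envelope) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one RCPT TO."""
    rcpt_domain = env.rcpt_to.rpartition("@")[2].lower()
    from_domain = env.mail_from.rpartition("@")[2].lower()

    # Mail for our own domains is delivery, not relaying: anyone may send it.
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept", "local delivery"

    # Everything below relays to a foreign domain; only trusted clients may.
    client = ipaddress.ip_address(env.client_ip)
    in_trusted_net = any(client in net for net in TRUSTED_NETWORKS)
    if not (env.authenticated or in_trusted_net):
        return "reject", "relay access denied: unauthenticated client outside trusted networks"

    # Even trusted clients may only relay mail claiming to come from our domains.
    if from_domain not in ALLOWED_SENDER_DOMAINS:
        return "reject", f"sender domain {from_domain!r} is not permitted to relay"

    return "accept", "relay for authenticated or internal client"


if __name__ == "__main__":
    # Constructed sessions: an outside probe, an internal app, an authenticated user.
    for env in (
        Envelope("203.0.113.9", False, "anyone@example.net", "someone@example.com"),
        Envelope("10.1.2.3", False, "app@mach5.web.id", "user@example.com"),
        Envelope("203.0.113.9", True, "user@mach5.web.id", "friend@example.com"),
    ):
        print(env.client_ip, relay_decision(env))
```

The ordering mirrors the usual Postfix `smtpd_relay_restrictions` of `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`: deliver locally, permit trusted sources, and reject everything else before any per-sender rule is consulted. The sender allow-list is the extra step the post suggests; it stops a compromised internal host or stolen credential from relaying mail with arbitrary foreign sender addresses through your server.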
So there you have it, I hope it helps those who are looking for answers about this kind of stuff 🙂