openssl genrsa -out private.pem 1024   # generate a 1024-bit RSA private key (2048 bits is the usual minimum today)
openssl rsa -pubout -in private.pem -out public.pem   # extract the public key that goes into the DNS record
mail._domainkey.your.tld TXT "v=DKIM1; k=rsa; t=s; p=<public key>"

mail - the selector. You can publish several records with different selectors, each with its own key; this is used when several servers send mail (each server has its own key).
v - DKIM version, always v=DKIM1 (required).
k - key type, always k=rsa (at least for now).
p - the public key, base64-encoded (required).
t - flags:
    t=y - test mode. Messages signed in test mode are treated no differently from unsigned ones; the flag exists only to track results.
    t=s - the record is used only for the exact domain it belongs to; not recommended if subdomains are in use.
h - preferred hash algorithm: h=sha1 or h=sha256.
s - type of service using DKIM: s=email (e-mail) or s=* (all services). The default is "*".
; - separator.
_adsp._domainkey.example.com. TXT "dkim=all"

all - all messages must be signed.
discardable - do not accept unsigned messages.
unknown - unknown (in practice the same as having no record).
your.tld. TXT "v=spf1 a mx ~all"
v=spf1 - the version, always spf1.
a - allows sending from the addresses listed in the A and/or AAAA records of the sender's domain.
mx - allows sending from the addresses listed in the domain's MX records.
a:example.com - the same, but the records checked are not those of the sender's domain but those of example.com.
ip4: and ip6: - allow a specific address, for example ip4:1.1.1.1 or ip6:2001:0DB8:AA10:0001:0000:0000:0000:00FB.
include: (include:spf.example.com) - additionally pulls in the SPF record of another domain. All of these mechanisms can be combined, separated by spaces. If you only need to use another domain's record rather than supplement your own, it is better to use redirect: (redirect:spf.example.com).
-all - what happens to messages that do not match the policy: "-" reject (fail), "+" pass, "~" soft fail (accepted, but subject to additional checks), "?" neutral.
_dmarc.your.tld TXT "v=DMARC1; p=none; rua=mailto:postmaster@your.tld"

v - version, takes the value v=DMARC1 (required).
p - policy for the domain (required). May be none, quarantine or reject, where:
    p=none - does nothing except produce reports
    p=quarantine - delivers the message to spam
    p=reject - rejects the message
sp - policy for subdomains; takes the same values as p.
aspf and adkim - alignment checks for SPF and DKIM; take the values r and s, where r (relaxed) is a softer check than s (strict).
pct - the percentage of messages the policy is applied to, for example pct=20 filters 20% of messages.
rua - address to which daily aggregate reports are sent, for example rua=mailto:postmaster@your.tld; several addresses can also be given, separated by a space (rua=mailto:postmaster@your.tld mailto:dmarc@your.tld). Records in such a report look like this:
<record>
  <row>
    <source_ip>1.1.1.1</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>your.tld</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>your.tld</domain>
      <result>pass</result>
      <human_result></human_result>
    </dkim>
    <spf>
      <domain>your.tld</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
<record>
  <row>
    <source_ip>1.1.1.1</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <reason>
        <type>forwarded</type>
        <comment></comment>
      </reason>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>your.tld</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>your.tld</domain>
      <result>pass</result>
      <human_result></human_result>
    </dkim>
    <spf>
      <domain>your.tld</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
ruf - address for reports on individual messages that failed DMARC validation. Otherwise the same as above.
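As an added example (not from the original post), a small Python script that parses the aggregate report layout shown above and applies the DMARC pass rule with the alignment modes described under aspf and adkim, so you can see which sending IPs would start failing once p= is tightened. The sample report and the second source 203.0.113.7 are constructed, and relaxed alignment is approximated as a parent-domain match rather than a public-suffix lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <record> layout shown above; the second record,
# from 203.0.113.7, is invented here so that a misaligned source is exercised.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>1.1.1.1</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition></policy_evaluated></row>
<identities><header_from>your.tld</header_from></identities>
<auth_results><dkim><domain>your.tld</domain><result>pass</result></dkim>
<spf><domain>your.tld</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.7</source_ip><count>12</count>
<policy_evaluated><disposition>none</disposition></policy_evaluated></row>
<identities><header_from>your.tld</header_from></identities>
<auth_results><dkim><domain>other.example</domain><result>fail</result></dkim>
<spf><domain>mail.your.tld</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' (strict) needs an exact match; 'r' (relaxed) is
    approximated here as 'same domain or a subdomain of it' (no public-suffix list)."""
    if mode == "s":
        return auth_domain == header_from
    return (auth_domain == header_from
            or auth_domain.endswith("." + header_from)
            or header_from.endswith("." + auth_domain))

def parse_report(xml_text):
    """One dict per <record>, carrying the fields shown in the sample report above."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "header_from": rec.findtext("identities/header_from"),
            "dkim": (rec.findtext("auth_results/dkim/domain"), rec.findtext("auth_results/dkim/result")),
            "spf": (rec.findtext("auth_results/spf/domain"), rec.findtext("auth_results/spf/result")),
        })
    return rows

def dmarc_pass(row, adkim="r", aspf="r"):
    """DMARC passes when DKIM or SPF passed with a domain aligned to the header From."""
    dkim_ok = row["dkim"][1] == "pass" and aligned(row["dkim"][0], row["header_from"], adkim)
    spf_ok = row["spf"][1] == "pass" and aligned(row["spf"][0], row["header_from"], aspf)
    return dkim_ok or spf_ok

def failing_sources(xml_text, adkim="r", aspf="r"):
    """Source IPs whose mail would be quarantined or rejected once p= is tightened."""
    return [r["source_ip"] for r in parse_report(xml_text) if not dmarc_pass(r, adkim, aspf)]
```

With the default relaxed alignment the constructed source passes on SPF alone; switching to aspf=s makes it fail, which is exactly the kind of difference the reports let you measure before moving from p=none.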
Source: https://habr.com/ru/post/322616/