28 September 2013
Checking SPF and DKIM correctness
When setting up a modern mail server, configuring SPF and DKIM is arguably a mandatory step. A quick and easy way to check whether you have configured everything correctly is to send an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a>. If everything is in order, the reply will show the status PASS. On success, the full text of the reply will look like this:
<code>This message is an automatic response from Port25’s authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: permerror
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: permerror
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mail-ob0-x230.google.com
Source IP: 2607:f8b0:4003:c01::230
mail-from: ilya@podebrady.ru
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: permerror (syntax error in "ip6:ip6:2a01:4f8:190:53ca::2": Error parsing IP address "ip6:2a01:4f8:190:53ca::2": Illegal character 'i' in hex byte)
ID(s) verified: smtp.mailfrom=ilya@podebrady.ru
DNS record(s):
podebrady.ru. SPF (no records)
podebrady.ru. 3600 IN TXT "v=spf1 ip4:78.46.174.203 ip6:ip6:2a01:4f8:190:53ca::2 a include:_spf.google.com ~all"
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=ilya@podebrady.ru
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: ilya@podebrady.ru)
ID(s) verified: header.d=podebrady.ru
Canonicalized Headers:
mime-version:1.0'0D''0A'
date:Sat,'20'28'20'Sep'20'2013'20'01:43:22'20'+0200'0D''0A'
message-id:<CAKAnfQMrOa-kU5LHFUufKWMkNYW_vKHusg+EfxvZA6CtFiARbw@mail.gmail.com>'0D''0A'
subject:'0D''0A'
from:Ilya'20'Rudomilov'20'<ilya@podebrady.ru>'0D''0A'
to:check-auth@verifier.port25.com'0D''0A'
content-type:multipart/alternative;'20'boundary=001a11c1c93a51681a04e7660de2'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=podebrady.ru;'20's=google;'20'h=mime-version:date:message-id:subject:from:to:content-type;'20'bh=Om2iIHz6MfxXqHA8EvOSszzyV8unCmtNJegwR33eQOo=;'20'b=
Canonicalized Body:
--001a11c1c93a51681a04e7660de2'0D''0A'
Content-Type:'20'text/plain;'20'charset=ISO-8859-1'0D''0A'
'0D''0A'
'0D''0A'
'0D''0A'
--001a11c1c93a51681a04e7660de2'0D''0A'
Content-Type:'20'text/html;'20'charset=ISO-8859-1'0D''0A'
'0D''0A'
<div'20'dir="ltr"><br></div>'0D''0A'
'0D''0A'
--001a11c1c93a51681a04e7660de2--'0D''0A'
DNS record(s):
google._domainkey.podebrady.ru. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFPmjV/qTzUWa78ig0hL1i9TTbrYAzJ456e4dW6f5xjaiqHNxTAT4u3SqeFYdgAhzva3PcmZ0DY73NumcB+7Pnr51f2kxaQIKhv5s295QDP2J8DQ1BEElLiJpEwuZoX2QVGgX858uY35y/8s4P4oADoqtyFfR6bMtnWG80VAGfGwIDAQAB"
Public key used for verification: google._domainkey.podebrady.ru (1024 bits)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25’s PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: permerror (syntax error in "ip6:ip6:2a01:4f8:190:53ca::2": Error parsing IP address "ip6:2a01:4f8:190:53ca::2": Illegal character 'i' in hex byte)
ID(s) verified: header.From=ilya@podebrady.ru
DNS record(s):
podebrady.ru. SPF (no records)
podebrady.ru. 3600 IN TXT "v=spf1 ip4:78.46.174.203 ip6:ip6:2a01:4f8:190:53ca::2 a include:_spf.google.com ~all"
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)
Result: ham (0.3 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================
SPF and Sender-ID Results
=========================
"none"
No policy records were published at the sender’s DNS domain.
"neutral"
The sender’s ADMD has asserted that it cannot or does not
want to assert whether or not the sending IP address is authorized
to send mail using the sender’s DNS domain.
"pass"
The client is authorized by the sender’s ADMD to inject or
relay mail on behalf of the sender’s DNS domain.
"policy"
The client is authorized to inject or relay mail on behalf
of the sender’s DNS domain according to the authentication
method’s algorithm, but local policy dictates that the result is
unacceptable.
"fail"
This client is explicitly not authorized to inject or
relay mail using the sender’s DNS domain.
"softfail"
The sender’s ADMD believes the client was not authorized
to inject or relay mail using the sender’s DNS domain, but is
unwilling to make a strong assertion to that effect.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability to
retrieve a policy record from DNS. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being absent or
a syntax error in a retrieved DNS TXT record. A later attempt is
unlikely to produce a final result.
DKIM and DomainKeys Results
===========================
"none"
The message was not signed.
"pass"
The message was signed, the signature or signatures were
acceptable to the verifier, and the signature(s) passed
verification tests.
"fail"
The message was signed and the signature or signatures were
acceptable to the verifier, but they failed the verification
test(s).
"policy"
The message was signed but the signature or signatures were
not acceptable to the verifier.
"neutral"
The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to be
processed. This result SHOULD also be used for other
failures not covered elsewhere in this list.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability
to retrieve a public key. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being
absent. A later attempt is unlikely to produce a final result.
==========================================================
Original Email
==========================================================
Return-Path: <ilya@podebrady.ru>
Received: from mail-ob0-x230.google.com (2607:f8b0:4003:c01::230) by verifier.port25.com id h8oc1q11u9cd for <check-auth@verifier.port25.com>; Fri, 27 Sep 2013 19:43:25 -0400 (envelope-from <ilya@podebrady.ru>)
Authentication-Results: verifier.port25.com; spf=permerror (syntax error in "ip6:ip6:2a01:4f8:190:53ca::2": Error parsing IP address "ip6:2a01:4f8:190:53ca::2": Illegal character 'i' in hex byte) smtp.mailfrom=ilya@podebrady.ru
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=ilya@podebrady.ru
Authentication-Results: verifier.port25.com; dkim=pass (matches From: ilya@podebrady.ru) header.d=podebrady.ru
Authentication-Results: verifier.port25.com; sender-id=permerror (syntax error in "ip6:ip6:2a01:4f8:190:53ca::2": Error parsing IP address "ip6:2a01:4f8:190:53ca::2": Illegal character 'i' in hex byte) header.From=ilya@podebrady.ru
Received: by mail-ob0-f176.google.com with SMTP id uy5so3680718obc.21
for <check-auth@verifier.port25.com>; Fri, 27 Sep 2013 16:43:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=podebrady.ru; s=google;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=Om2iIHz6MfxXqHA8EvOSszzyV8unCmtNJegwR33eQOo=;
b=D8ZbN0wSnIRyYqfh3xiRl+BUQfymN15YoOWjo8K6HQsT9CaAINWDOzk+OGKjZ5TH+c
Os7St2hVdEL03sYbo2cvVDf9BOFQ4F3Bil6nla1yAAI/p8inr525sIAHInoOeFJ01r6R
1s0MLPiicf5axiuPTFrvKun1Rg1f+oLtS+iVo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:date:message-id:subject:from:to
:content-type;
bh=Om2iIHz6MfxXqHA8EvOSszzyV8unCmtNJegwR33eQOo=;
b=QmdL20afzOiUmNoScGElV0JJ7ggSuVFL6baqQZDiwDM9XKXGLqOhIveUcRCi+1zShq
fCUSztSjF10qn55zRRb1hSB4e4v1W1roqb70za8Jk/Dh2MyUYJKC8p0u3wrlBusL3Kbn
CqvieaLduZgJ2Gd6gT2t0T+IPNZ+YLRZ/polkr63DDIHEpsSnKAtVxQy3hSSM5I1CCgK
Wac2WacKH2sR0rqWDvDHzwoIUYRSNkoW1640ZC75l9RMFq/of0zGtDsbYhFdaVGQZXPb
y6cgKNEZj5O23diUmEA+1Hg/94J9oKcIJ8bKPIQFcuPVT6TrnHo6IIBhGfgF8zq4cqym
L9SA==
X-Gm-Message-State: ALoCoQmgd22t3KyFm/HrzfDVSOM8WuDQ046ClaemFifUg/E4CgnMMNRlrEjYorHGKyMQcX73+v/7
MIME-Version: 1.0
X-Received: by 10.182.53.196 with SMTP id d4mr8096518obp.7.1380325402956; Fri,
27 Sep 2013 16:43:22 -0700 (PDT)
Received: by 10.182.17.6 with HTTP; Fri, 27 Sep 2013 16:43:22 -0700 (PDT)
X-Originating-IP: [147.32.108.160]
Date: Sat, 28 Sep 2013 01:43:22 +0200
Message-ID: <CAKAnfQMrOa-kU5LHFUufKWMkNYW_vKHusg+EfxvZA6CtFiARbw@mail.gmail.com>
Subject:
From: Ilya Rudomilov <ilya@podebrady.ru>
To: check-auth@verifier.port25.com
Content-Type: multipart/alternative; boundary=001a11c1c93a51681a04e7660de2
--001a11c1c93a51681a04e7660de2
Content-Type: text/plain; charset=ISO-8859-1
--001a11c1c93a51681a04e7660de2
Content-Type: text/html; charset=ISO-8859-1
<div dir="ltr"><br></div>
--001a11c1c93a51681a04e7660de2--</code>
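The SPF and Sender-ID permerror in the report above comes from a doubled `ip6:` prefix in the published TXT record. The following is an added example, not part of the original post: a small Python linter that catches this kind of term-syntax mistake before a record is published. The function name `lint_spf` and the corrected record are assumptions made for illustration, and no DNS lookups are performed.

```python
import ipaddress

# Mechanism names defined for "v=spf1" records.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

# TXT record exactly as shown in the verifier report above.
PUBLISHED = ("v=spf1 ip4:78.46.174.203 ip6:ip6:2a01:4f8:190:53ca::2 "
             "a include:_spf.google.com ~all")
# Constructed correction (assumption): the doubled "ip6:" prefix removed.
CORRECTED = ("v=spf1 ip4:78.46.174.203 ip6:2a01:4f8:190:53ca::2 "
             "a include:_spf.google.com ~all")


def lint_spf(record):
    """Return a list of syntax problems in one SPF TXT record (no DNS lookups)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    for term in terms[1:]:
        name, eq, _ = term.partition("=")
        if eq and ":" not in name and "/" not in name:
            continue  # modifier (redirect=, exp=, ...): not checked here
        # Drop the optional qualifier (+, -, ~, ?) in front of the mechanism.
        body = term[1:] if term[0] in "+-~?" else term
        mech, _, arg = body.partition(":")
        mech = mech.split("/", 1)[0].lower()
        if mech not in MECHANISMS:
            problems.append(f"{term}: unknown mechanism '{mech}'")
        elif mech in ("ip4", "ip6"):
            version = 4 if mech == "ip4" else 6
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{term}: '{arg}' is not an IP address or CIDR range")
                continue
            if network.version != version:
                problems.append(f"{term}: address is IPv{network.version}, not IPv{version}")
    return problems


if __name__ == "__main__":
    for label, record in (("published", PUBLISHED), ("corrected", CORRECTED)):
        print(label, lint_spf(record) or "no syntax problems")
```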
SPF check: permerror
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: permerror
SpamAssassin check: ham
Is this a check of DKIM only? Because the other records are slightly incorrect.
[…] Of course, the address vasiliy@rudomilov.com is in this case only substituted into the sender field, while in reality everything goes through the vasiliy@rudomilov.ru account. But visually this is not apparent to the user in their web client or phone client, nor to the recipient. The question of configuring SPF for the alias domain is, of course, outside the scope of this article; it is a self-evident setup step, so don't forget to check that it is correct. […]