Security/Domain: Difference between revisions
| Line 30: | Line 30: | ||
'''SPF TXT Record Format''' | '''SPF TXT Record Format''' | ||
v=spf1 ['''mechanism'''] ['''qualifier'''] ['''modifiers'''] ... | v=spf1 ['''mechanism'''] ['''qualifier'''] ['''modifiers'''] ... | ||
---- | |||
{|class="wikitable" | |||
|- | |||
!scope="col" style='width:100px'| Mechanism | |||
!scope="col" style='width:220px'| Example | |||
!scope="col" style='width:370px'| Meaning | |||
|- | |||
| <code>ip4</code> || <code>ip4:192.0.2.1</code> || Allow a specific IPv4 address | |||
|- | |||
| <code>ip6</code> || <code>ip6:2001:db8::1</code> || Allow a specific IPv6 address | |||
|- | |||
| <code>a</code> || <code>a:example.com</code> || Allow IP from the A or AAAA record of domain | |||
|- | |||
| <code>mx</code> || <code>mx:example.com</code> || Allow mail servers listed in domain's MX records | |||
|- | |||
| <code>include</code> || <code>include:_spf.google.com</code> || Include SPF rules from another domain | |||
|- | |||
| <code>all</code> || <code>-all</code>, <code>~all</code>, <code>?all</code>, <code>+all</code> || Apply default rule to any unmatched sender | |||
|} | |||
---- | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
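Review bot: the format line `v=spf1 [mechanism] [qualifier] [modifiers] ...` kept as context above the new table puts the qualifier after the mechanism, while the table's own `all` row writes it as a prefix (`-all`, `~all`, `?all`, `+all`), which is the actual SPF syntax for every mechanism (`-all`, `~include:...`, `+ip4:...`). Suggest `v=spf1 [qualifier]mechanism ... [modifiers]` so the format line and the examples agree. The `a` and `mx` rows could also say that the `:example.com` argument is optional and that a bare `a` or `mx` means the domain whose record is being checked.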
| Line 45: | Line 65: | ||
|- | |- | ||
| <code>?all</code> || Neutral || No policy guidance || 🤷 Rare, for undefined policies | | <code>?all</code> || Neutral || No policy guidance || 🤷 Rare, for undefined policies | ||
|} | |||
---- | |||
{|class="wikitable" | |||
|- | |||
!scope="col" style='width:100px'| Modifier | |||
!scope="col" style='width:310px'| Description | |||
!scope="col" style='width:280px'| Example | |||
|- | |||
| <code>redirect</code> || Redirect SPF check to another domain || <code>redirect=_spf.example.com</code> | |||
|- | |||
| <code>exp</code> || Explanation domain for failed SPF || <code>exp=explain.example.com</code> | |||
|} | |} | ||
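Review bot: the `redirect` row says it redirects the SPF check to another domain, but `redirect=` is only consulted when no mechanism matched, so in a record that ends with `-all` (the ending the page's checklist asks for) the redirect is never reached; worth stating that `redirect=` takes the place of the `all` term rather than accompanying it. The `exp` row would also benefit from saying that the modifier names a domain whose TXT record holds the explanation string returned on failure, so readers do not confuse it with an `include`.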
Revision as of 08:21, 30 May 2025
Tools » Install » SPF
cat <<'EXE'| sudo bash
echo && git clone https://github.com/jsarenik/spf-tools.git /opt/cli/spf-tools
echo && cd /opt/cli/spf-tools/
./despf.sh -h
EXE
cat <<'CFG'| tee ${HOME}/.spf-toolsrc >/dev/null
DOMAIN=shahed.biz
ORIG_SPF=spf.shahed.biz
DESPF_SKIP_DOMAINS=_spf.google.com:_spf.sendgrid.net
DNS_TIMEOUT=5
DNS_SERVER=1.1.1.1
CFG
Tools » Install » DKIM
cat <<'EXE'| sudo bash
apt-get update;echo
apt list -a --upgradable;echo
apt-get install -y opendkim-tools;echo;apt-get clean
EXE
DNS » Record » TXT » SPF
SPF TXT Record Format: v=spf1 [mechanism] [qualifier] [modifiers] ...

| Mechanism | Example | Meaning |
|---|---|---|
| `ip4` | `ip4:192.0.2.1` | Allow a specific IPv4 address |
| `ip6` | `ip6:2001:db8::1` | Allow a specific IPv6 address |
| `a` | `a:example.com` | Allow IP from the A or AAAA record of domain |
| `mx` | `mx:example.com` | Allow mail servers listed in domain's MX records |
| `include` | `include:_spf.google.com` | Include SPF rules from another domain |
| `all` | `-all`, `~all`, `?all`, `+all` | Apply default rule to any unmatched sender |

| Qualifier | Meaning | Action | Usage |
|---|---|---|---|
| `+all` | Pass | Accept mail from any IP | ☠️ Not recommended |
| `-all` | Hard fail | Reject non-matching IPs | ✅ Strict enforcement |
| `~all` | Soft fail | Accept but mark as spam | 👍 Recommended during rollout |
| `?all` | Neutral | No policy guidance | 🤷 Rare, for undefined policies |

| Modifier | Description | Example |
|---|---|---|
| `redirect` | Redirect SPF check to another domain | `redirect=_spf.example.com` |
| `exp` | Explanation domain for failed SPF | `exp=explain.example.com` |
- Run a Composite Check:
- Use SPF Flattening
  - Manually
- Check for
  - Proper -all ending
  - Lookup count ≤ 10
  - No multiple TXT records
  - Only needed services included
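The tables and checklist above can be exercised in code. The following Python script is an added example, not code from this wiki page or from spf-tools: it parses a v=spf1 record into the qualifier/mechanism/modifier terms of the tables, evaluates it for a sender IP the way an SPF check does (counting the DNS-costing terms against the 10-lookup limit), and applies the checklist items: exactly one SPF record, an `all` ending that is not `+all`, and at most 10 lookups. `SAMPLE_DNS` is constructed sample data (documentation address ranges and invented names) that stands in for real DNS answers so everything runs offline; `ptr` and `exists` are not modelled.

```python
"""Added example (not from the wiki page or spf-tools): parse, evaluate and lint
SPF records against SAMPLE_DNS, a constructed in-memory stand-in for real DNS."""
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_COSTING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the 10-lookup limit
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:=/]?)(.*)$", re.IGNORECASE)
# Constructed sample data using documentation ranges: name -> record type -> values.
SAMPLE_DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.5"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "twotxt.example": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},      # two SPF records
    "noall.example": {"TXT": ["v=spf1 a mx include:_spf.mailer.example"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},   # exceeds the limit
}

def lookup(dns, name, rtype):
    """Offline stand-in for a DNS query against the injected table."""
    return dns.get(name.lower(), {}).get(rtype, [])

def spf_records(dns, domain):
    return [t for t in lookup(dns, domain, "TXT") if t.lower().startswith("v=spf1")]

def parse_spf(record):
    """Split 'v=spf1 ...' into [(qualifier, mechanism, argument)] and {modifier: value}."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, modifiers = [], {}
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"malformed term {tok!r}")
        qual, name, sep, rest = m.groups()
        if sep == "=":                 # modifier, e.g. redirect=... or exp=...
            modifiers[name.lower()] = rest
        else:                          # mechanism; a '/' keeps its CIDR suffix attached
            terms.append((qual or "+", name.lower(), rest if sep == ":" else sep + rest))
    return terms, modifiers

def hosts_match(dns, name, addr):      # True if addr is among the A/AAAA records of name
    return any(ipaddress.ip_address(x) == addr
               for x in lookup(dns, name, "A") + lookup(dns, name, "AAAA"))

def check_host(ip, domain, dns, budget=None):
    """Evaluate domain's SPF record for sender ip; returns (result, lookups_used)."""
    budget = budget if budget is not None else [0]   # shared through include/redirect
    records = spf_records(dns, domain)
    if len(records) != 1:            # none, or the 'multiple TXT records' failure mode
        return ("permerror" if records else "none"), budget[0]
    terms, modifiers = parse_spf(records[0])
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in terms:
        if mech in DNS_COSTING:
            budget[0] += 1
            if budget[0] > 10:
                return "permerror", budget[0]
        target = arg.split("/")[0] or domain         # bare a/mx mean the checked domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = hosts_match(dns, target, addr)
        elif mech == "mx":
            matched = any(hosts_match(dns, h, addr) for h in lookup(dns, target, "MX"))
        elif mech == "include":
            sub, _ = check_host(ip, arg, dns, budget)
            if sub == "permerror":
                return sub, budget[0]
            matched = sub == "pass"
        else:
            return "permerror", budget[0]            # ptr/exists are not modelled here
        if matched:
            return QUALIFIERS[qual], budget[0]
    if "redirect" in modifiers:                      # only reached when nothing matched
        budget[0] += 1
        return check_host(ip, modifiers["redirect"], dns, budget)
    return "neutral", budget[0]

def count_lookups(dns, domain, depth=0):
    """Static count of DNS-costing terms, following include: and redirect=."""
    records = spf_records(dns, domain)
    if len(records) != 1 or depth > 10:
        return 0
    terms, modifiers = parse_spf(records[0])
    total = sum(1 for _, mech, _ in terms if mech in DNS_COSTING)
    total += sum(count_lookups(dns, arg, depth + 1) for _, mech, arg in terms if mech == "include")
    if "redirect" in modifiers:
        total += 1 + count_lookups(dns, modifiers["redirect"], depth + 1)
    return total

def lint(dns, domain):
    """The page's checklist: one record, a proper -all ending, at most 10 lookups."""
    records = spf_records(dns, domain)
    if len(records) != 1:
        return [f"{len(records)} SPF records found (exactly one expected)"]
    terms, _ = parse_spf(records[0])
    issues = []
    if not terms or terms[-1][1] != "all":
        issues.append("record does not end with an 'all' mechanism")
    elif terms[-1][0] == "+":
        issues.append("+all lets any IP send as this domain")
    lookups = count_lookups(dns, domain)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups (limit 10)")
    return issues
```

Calling `check_host("203.0.113.9", "example.com", SAMPLE_DNS)` walks `ip4` (no DNS cost), `mx` and then `include`, and returns `("pass", 2)`; `lint(SAMPLE_DNS, "loop.example")` reports the self-including record as 11 lookups even though its `-all` ending is fine, which is the case the "Lookup count ≤ 10" item is there to catch. The lookup budget is a single shared counter so that nested `include` chains are charged to the top-level record, as a real resolver charges them.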
DNS » Record » TXT » DKIM
Playground
dig MX chorke.org
dig TXT chorke.org
openssl s_client -connect mail.chorke.org:25 -starttls smtp

apt info opendkim-tools
apt search opendkim-tools
sudo apt-get install -y opendkim-tools

sudo git clone https://github.com/jsarenik/spf-tools.git \
/opt/cli/spf-tools
cd /opt/cli/spf-tools/