Security/Domain: Difference between revisions

From Chorke Wiki
Line 235: Line 235:
  '''Twilio SendGrid'''
  '''Twilio SendGrid'''
  Sender Authentication » Domain Authentication » '''<id>.chorke.org''' » DNS Records » Manual Install » Verify
  Sender Authentication » Domain Authentication » '''<id>.chorke.org''' » DNS Records » Manual Install » Verify
|}
==Hard Fail SPF==
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Hard Fail SPF
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='yaml'>
---
Type: MX
Host/Name: @
Priority: 0
Value: .
</syntaxhighlight>
|valign='top' style='width:50%'|
|-
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='yaml'>
---
Type: TXT
Host/Name: @
Value: "v=spf1 -all"
</syntaxhighlight>
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='yaml'>
---
Type: TXT
Host/Name: _dmarc
Value: "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:tool.tech@shahed.biz"
</syntaxhighlight>
|}
|}
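Review bot: The new ==Hard Fail SPF== heading names only SPF, but the section's three records (MX with priority 0 and value ".", TXT "v=spf1 -all", and _dmarc with p=reject) together describe a domain that neither sends nor accepts mail, and nothing under the heading says so. A reader who copies the null MX onto a domain that does receive mail makes it undeliverable, so add a one-line statement of scope under the heading or retitle the section to match. Separately, the first table row leaves its right-hand cell empty (the |valign='top' style='width:50%'| line directly before the first |-), so the MX block sits alone at half width; give that cell colspan='2' or fill it.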



Revision as of 07:43, 5 January 2026

Tools » Install » SPF

cat <<'EXE'| sudo bash
echo && git clone https://github.com/jsarenik/spf-tools.git /opt/cli/spf-tools
echo && cd /opt/cli/spf-tools/
./despf.sh -h
EXE
cat <<'CFG'| tee ${HOME}/.spf-toolsrc >/dev/null
DOMAIN=shahed.biz
ORIG_SPF=spf.shahed.biz
DESPF_SKIP_DOMAINS=_spf.google.com:_spf.sendgrid.net
DNS_TIMEOUT=5
DNS_SERVER=1.1.1.1
CFG
dig MX  chorke.com
dig TXT chorke.com
/opt/cli/spf-tools/despf.sh chorke.com
dig MX  chorke.org
dig TXT chorke.org
/opt/cli/spf-tools/despf.sh chorke.org
dig MX  shahed.biz
dig TXT shahed.biz
/opt/cli/spf-tools/despf.sh shahed.biz
dig MX  finology-group.com
dig TXT finology-group.com
/opt/cli/spf-tools/despf.sh finology-group.com
dig MX  finology.com.my
dig TXT finology.com.my
/opt/cli/spf-tools/despf.sh finology.com.my
dig MX  coverplus.io
dig TXT coverplus.io
/opt/cli/spf-tools/despf.sh coverplus.io
cd /opt/cli/spf-tools;./despf.sh chorke.org |./normalize.sh |./simplify.sh |./iprange.sh |./mkblocks.sh |./xsel.sh
cd /opt/cli/spf-tools;./despf.sh chorke.org |./normalize.sh |./simplify.sh |./iprange.sh |./mkblocks.sh
cd /opt/cli/spf-tools;./despf.sh chorke.org |./normalize.sh |./simplify.sh |./iprange.sh
cd /opt/cli/spf-tools;\
cat <<'SPF'| ./normalize.sh
ip4:10.19.83.10/24
ip4:10.19.93.100/24
ip4:10.20.03.110/24
SPF
cd /opt/cli/spf-tools;\
cat <<'SPF'| ./simplify.sh
ip4:10.19.83.1
ip4:10.19.83.100
ip4:10.19.83.0/24
SPF
cd /opt/cli/spf-tools;\
./despf.sh chorke.org


./despf.sh chorke.org| \
./iprange.sh

Tools » Install » DKIM

cat <<'EXE'| sudo bash
apt-get update;echo
apt list -a --upgradable;echo
apt-get install -y opendkim-tools;echo;apt-get clean
EXE
opendkim-testkey -d coverplus.io -vvv -s s1
opendkim-testkey -d coverplus.io -vvv -s s2
opendkim-testkey -d loanplus.io -vvv -s s1
opendkim-testkey -d loanplus.io -vvv -s s2
opendkim-testkey -d loanstreet.com.my -vvv -s s1
opendkim-testkey -d loanstreet.com.my -vvv -s s2
opendkim-testkey -d finology.com.my -vvv -s fn
opendkim-testkey -d finology.com.my -vvv -s google
opendkim-testkey -d finology.com.my -vvv -s ritesh
opendkim-testkey -d chorke.org -vvv -s google
opendkim-testkey -d finology.group -vvv -s mail
opendkim-testkey -d finology-group.com -vvv -s google
opendkim-genkey -b 2048 -d chorke.org -s s1
opendkim-genkey -b 2048 -d chorke.org -s s2
opendkim-genkey -b 2048 -d chorke.org -s mail

DNS » Record » TXT » SPF

SPF TXT Record Format
v=spf1 [mechanism] [qualifier] [modifiers] ...
{|class='wikitable'
! Mechanism !! Example !! Meaning
|-
| ip4 || ip4:192.0.2.1 || Allow a specific IPv4 address
|-
| ip6 || ip6:2001:db8::1 || Allow a specific IPv6 address
|-
| a || a:example.com || Allow IP from the A or AAAA record of domain
|-
| mx || mx:example.com || Allow mail servers listed in domain's MX records
|-
| include || include:_spf.google.com || Include SPF rules from another domain
|-
| all || -all, ~all, ?all, +all || Apply default rule to any unmatched sender
|}
{|class='wikitable'
! Qualifier !! Meaning !! Action !! Usage
|-
| +all || Pass || Accept mail from any IP || ☠️ Not recommended
|-
| -all || Hard fail || Reject non-matching IPs || ✅ Strict enforcement
|-
| ~all || Soft fail || Accept but mark as spam || 👍 Recommended during rollout
|-
| ?all || Neutral || No policy guidance || 🤷 Rare, for undefined policies
|}
{|class='wikitable'
! Modifier !! Description !! Example
|-
| redirect || Redirect SPF check to another domain || redirect=_spf.example.com
|-
| exp || Explanation domain for failed SPF || exp=explain.example.com
|}
  1. Run a Composite Check:
  2. Use SPF Flattening
  3. Manually
    • Check for
      Proper -all ending
      Lookup count ≤ 10
      No multiple TXT records
      Only needed services included
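
The manual checks in step 3, as an added example that is not part of the original page or of spf-tools: an offline lint that verifies a single SPF record, a -all ending, the 10-lookup limit with include: and redirect= targets followed, and an include allowlist. ZONE, every .example name and the function names are assumptions made for the illustration.

```python
# Added example. ZONE is constructed sample data; all .example names are hypothetical.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "bad.example": ["v=spf1 mx include:_spf.mail.example include:_spf.crm.example ~all"],
    "_spf.crm.example": ["v=spf1 " + " ".join(
        f"include:n{i}.crm.example" for i in range(9)) + " -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all", "site-verification=constructed"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each counts toward the limit

def spf_records(zone, domain):
    """TXT strings at `domain` that are SPF records (there must be exactly one)."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(zone, domain, path=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    records = spf_records(zone, domain)
    if domain in path or len(records) != 1:  # loop guard, or nothing to follow
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone, term[9:], path + (domain,))
        elif term.partition(":")[0].split("/")[0] in LOOKUP_TERMS:
            total += 1
            if term.startswith("include:"):
                total += count_lookups(zone, term[8:], path + (domain,))
    return total

def lint_spf(zone, domain, allowed_includes):
    """Return a list of findings; an empty list means the checklist passes."""
    records = spf_records(zone, domain)
    if len(records) != 1:
        return [f"expected exactly 1 SPF TXT record, found {len(records)}"]
    findings = []
    terms = records[0].lower().split()[1:]
    if not terms or terms[-1] != "-all":
        findings.append("record does not end in -all")
    lookups = count_lookups(zone, domain)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups (limit is 10)")
    for term in terms:
        name, _, target = term.lstrip("+-~?").partition(":")
        if name == "include" and target not in allowed_includes:
            findings.append(f"include not on the allowlist: {target}")
    return findings
```

Calling lint_spf(ZONE, "bad.example", {"_spf.mail.example"}) returns three findings; the lookup count of 12 comes from the nested includes, which a look at the top-level record alone would miss.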

DNS » Record » TXT » DKIM

Gmail » Google Workspace
Admin Console » Apps » Google Workspace » Gmail » Authenticate email » Selected domain » chorke.org » Generate New Record » Start Authentication
Twilio SendGrid
Sender Authentication » Domain Authentication » <id>.chorke.org » DNS Records » Manual Install » Verify

Hard Fail SPF

---
Type: MX
Host/Name: @
Priority: 0
Value: .
---
Type: TXT
Host/Name: @
Value: "v=spf1 -all"
---
Type: TXT
Host/Name: _dmarc
Value: "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:tool.tech@shahed.biz"
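
Read together, the three records above are the profile of a domain that neither sends nor receives mail. An added example (not code from this wiki) that audits them as one unit and reports the external-report authorization record that RFC 7489 section 7.1 requires when rua points at another domain; the owner name parked.example and the function names are assumptions.

```python
# Added example. RECORDS copies the three records shown above; the domain they
# are published on (parked.example in the usage note) is hypothetical.
RECORDS = {
    "MX": [(0, ".")],
    "TXT": {
        "@": ["v=spf1 -all"],
        "_dmarc": ["v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; "
                   "rua=mailto:tool.tech@shahed.biz"],
    },
}

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' list into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain, records):
    """Return findings for a domain meant to send and receive no mail."""
    findings = []
    if records.get("MX") != [(0, ".")]:
        findings.append("MX is not the null MX (priority 0, target '.')")
    spf = [t for t in records["TXT"].get("@", []) if t.lower().startswith("v=spf1")]
    if spf != ["v=spf1 -all"]:
        findings.append(f"SPF should be the single record 'v=spf1 -all', got {spf}")
    dmarc = [t for t in records["TXT"].get("_dmarc", []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return findings + [f"expected 1 DMARC record, found {len(dmarc)}"]
    tags = parse_tags(dmarc[0])
    for key, want in (("p", "reject"), ("adkim", "s"), ("aspf", "s")):
        if tags.get(key) != want:
            findings.append(f"DMARC {key}={tags.get(key)!r}, expected {want!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']} covers only part of the mail")
    # Reports sent to another domain need that domain's consent record.
    # Simplification: compares host names, not organizational domains.
    for uri in filter(None, tags.get("rua", "").split(",")):
        host = uri.strip().rpartition("@")[2].split("!")[0].lower()
        if host != domain and not host.endswith("." + domain):
            findings.append(f"{host} must publish TXT 'v=DMARC1' at "
                            f"{domain}._report._dmarc.{host}")
    return findings
```

audit_parked_domain("parked.example", RECORDS) returns only the report-authorization finding; run against shahed.biz itself, the same records return no findings.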

Playground

dig MX  chorke.org
dig TXT chorke.org
openssl s_client -starttls smtp -connect mail.chorke.org:25
apt info   opendkim-tools
apt search opendkim-tools
sudo apt-get install -y opendkim-tools
sudo git clone https://github.com/jsarenik/spf-tools.git \
   /opt/cli/spf-tools
cd /opt/cli/spf-tools/
dig TXT s1.domainkey.u5967707.wl208.sendgrid.net
dig TXT s2.domainkey.u5967707.wl208.sendgrid.net
