From a8b8b9d7b289796303f45d7a311a6b19b0f4514f Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:29:56 -0400 Subject: [PATCH 1/7] Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spf and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. --- docs/prerequisite-dns.md | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index a5f29fdbf..d37d7ef3b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -31,18 +31,21 @@ autoconfig IN CNAME mail In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading. ``` +# Name Type Value @ IN TXT "v=spf1 mx a -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. ``` +# Name Type Value dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..." ``` The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)). ``` +# Name Type Value _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org" ```
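Review bot: the three `# Name Type Value` lines added inside the SPF, DKIM and DMARC fences are not valid zone-file syntax; `#` is not a comment character in BIND-style zone files (`;` is), so anyone pasting the snippet as shown into a zone gets a parse error. Either write `; Name Type Value` or put the column header outside the fence. While this region is being touched: the unchanged context says every other server is "disallowed but able to (`~all`)" while the record directly below it uses `-all` (hard fail); make the prose match the record or change the record to `~all`.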
@@ -51,18 +54,19 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ **SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782). ``` -_imap._tcp IN SRV 0 1 143 mail.example.org. -_imaps._tcp IN SRV 0 1 993 mail.example.org. -_pop3._tcp IN SRV 0 1 110 mail.example.org. -_pop3s._tcp IN SRV 0 1 995 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. -_sieve._tcp IN SRV 0 1 4190 mail.example.org. -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN TXT "path=/SOGo/dav/" -_caldavs._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN TXT "path=/SOGo/dav/" +# Name Type Priority Weight Port Value +_imap._tcp IN SRV 0 1 143 mail.example.org. +_imaps._tcp IN SRV 0 1 993 mail.example.org. +_pop3._tcp IN SRV 0 1 110 mail.example.org. +_pop3s._tcp IN SRV 0 1 995 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. +_smtps._tcp IN SRV 0 1 465 mail.example.org. +_sieve._tcp IN SRV 0 1 4190 mail.example.org. +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN TXT "path=/SOGo/dav/" +_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN TXT "path=/SOGo/dav/" ``` ## Testing 
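Review bot: the rewritten `_carddavs._tcp` SRV line now reads `Mail.example.org.` with a capital M, unlike the other eleven targets; DNS names are case-insensitive so it still resolves, but it looks like a copy error and will be pasted verbatim into real zones, so restore `mail.example.org.`. Same `#` problem as in the previous hunk: `# Name Type Priority Weight Port Value` is not a zone-file comment; use `;` or move the header above the fence.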
@@ -73,10 +77,11 @@ Here are some tools you can use to verify your DNS configuration: - [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF) - [Mail-tester](https://www.mail-tester.com/) (DKIM, DMARC, SPF) - [DMARC Analyzer](https://www.dmarcanalyzer.com/spf/checker/) (DMARC, SPF) +- [MultiRBL.valli.org](http://multirbl.valli.org/) (DNSBL, RBL, FCrDNS) ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. This is clearly optional. +If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. ``` @ IN TXT "google-site-verification=..." From 1d536f7850edbcfa1ed3b0b5b6eb383b978b3b1a Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:04:40 -0400 Subject: [PATCH 2/7] Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. --- docs/prerequisite-dns.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index d37d7ef3b..7c29aec89 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
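Review bot: in the Misc hunk of 1/7 the new sentence ends without punctuation: `...[Postmark](https://dmarc.postmarkapp.com) These are clearly optional.` needs a full stop after the link. Also, `These` now covers both services while the `google-site-verification=...` record in the fence that follows is Google-specific; a DMARC report aggregator like Postmark is wired up through the `rua=mailto:` address of the `_dmarc` record shown earlier in this patch, not through a site-verification TXT record, so say which setup applies to which service. Minor: the new MultiRBL link uses plain `http://` while the other tool links in the list are https.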
@@ -81,10 +81,27 @@ Here are some tools you can use to verify your DNS configuration: ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. +### Optional DMARC Statistics +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. + +- [Postmaster Tool](https://gmail.com/postmaster) +- [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) +- [Fraudmarc](https://fraudmarc.com/) +- [Postmark](https://dmarc.postmarkapp.com) +- [Dmarcian](https://dmarcian.com/) + +The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. +Using Google Postmaster as an example: ``` + +# Name Type Value + @ IN TXT "google-site-verification=..." + ``` + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From a50b53bd9d02b7625b7bbd14c960acb6a7f66d5f Mon Sep 17 00:00:00 2001 
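Review bot: in hunk `@@ -81,10 +81,27 @@` the sentence `The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain.` is inaccurate; a record such as `google-site-verification=...` only proves ownership of the domain to the service, the statistics come from the service's dashboard (Postmaster Tool) or from DMARC aggregate reports delivered to the `rua=` mailbox (parsedmarc, Postmark, Dmarcian). Suggest: `The service may ask you to publish a TXT record to verify domain ownership before it shows you any reports.` In the same hunk: `recieving` should be `receiving`, the NOTE has a nested `if ... if` clause that needs rewording, and the blank lines inside the fence (after the opening fence and after the record) should go so the block renders as one table like the others.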
From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:09:07 -0400 Subject: [PATCH 3/7] Minor edit to DMARC stats section --- docs/prerequisite-dns.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 7c29aec89..3296ea577 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -103,5 +103,6 @@ Using Google Postmaster as an example: ``` +However, ensure to read documentation from the service you choose, as this process may vary. [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From ed4e12f2e2d11c745aec85df9d6e879294f3ad4e Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:12:14 -0400 Subject: [PATCH 4/7] Removed line breaks from dmarc & added a reference --- docs/prerequisite-dns.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3296ea577..73f085cf1 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
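Review bot: `However, ensure to read documentation from the service you choose` is ungrammatical; suggest `Read the documentation of the service you choose, as the setup differs between providers.` Also put a blank line between the closing fence and this sentence, matching the spacing used after the other fences in this file.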
@@ -8,6 +8,9 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) +- A thorough guide on DMARC +[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) + ## Reverse DNS of your IP @@ -96,11 +99,9 @@ The services should provide you with a TXT record, which will give you details a Using Google Postmaster as an example: ``` - # Name Type Value @ IN TXT "google-site-verification=..." - ``` However, ensure to read documentation from the service you choose, as this process may vary. From 75d481fa1121ba153ce59c4ed2eaabe893fe43d4 Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Wed, 14 Oct 2020 09:57:48 -0400 Subject: [PATCH 5/7] Added missing quotes and colon to new reference --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 73f085cf1..e89fc6393 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md
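Review bot: in the first hunk of 4/7 the new bullet `- A thorough guide on DMARC` lacks the trailing colon and the quoted title that the two neighbouring bullets use; 5/7 fixes exactly this, so squash the two patches rather than landing a broken entry followed by its repair. The second hunk, which removes the stray blank lines inside the fence, is fine.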
@@ -8,8 +8,8 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) -- A thorough guide on DMARC -[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) +- A thorough guide on understanding DMARC: +["Demystifying DMARC: A guide to preventing email spoofing"](https://seanthegeek.net/459/demystifying-dmarc/) ## Reverse DNS of your IP From 5404be00dade27f3f760362c12bd1b09f0cda07b Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 14:16:31 -0400 Subject: [PATCH 6/7] Changes to DMARC and Added FQDN header - Removed the Google Postmaster TXT record example - Increased clarity to follow the DMARC statistics guide to deploying, as they may not all utilize TXT files and the process can vary per service or tool. - Increased clarity that other services and tools are available for DMARC statistics than just the listed few - Add a header to FQDN for separation from the DMARC section under Misc. --- docs/prerequisite-dns.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index e89fc6393..bc975841f 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -89,21 +89,15 @@ If you are interested in statistics, you can additionally register with some of **NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. + - [Postmaster Tool](https://gmail.com/postmaster) - [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) - [Fraudmarc](https://fraudmarc.com/) - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. -Using Google Postmaster as an example: - -``` -# Name Type Value - -@ IN TXT "google-site-verification=..." -``` - -However, ensure to read documentation from the service you choose, as this process may vary. +**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +### Fully Qualified Domain Name (FQDN) [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From f36bf4b6c791206b542d48f0fda3e7a6369f8af7 Mon Sep 17 00:00:00 2001 
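Review bot: the new `### Fully Qualified Domain Name (FQDN)` heading sits directly above the `[^1]:` footnote definition, but markdown footnote extensions render `[^1]:` definitions in a footnote block at the end of the page rather than where they are written, so this heading will end up as an empty section with the FQDN text appearing somewhere else. Either turn the footnote definition into ordinary body text under the heading or drop the heading. Also in this hunk: `avaialble` (available), `providers documentation` (provider's), `recieving` (receiving), and `This record will give you details about spam-classified mails by your domain` repeats the earlier mistake; the TXT record only verifies ownership, it does not deliver any data.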
From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 16:01:15 -0400 Subject: [PATCH 7/7] changed capitalization --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3b94214b8..95b5a5543 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
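Review bot: since this NOTE line is being edited for `Mailcow` -> `mailcow` anyway, fix `recieving` -> `receiving` and untangle the double conditional, e.g. `NOTE: if DMARC aggregate reports are sent to a mailbox on the mailcow server itself and that domain has a delivery problem, the reports will not arrive. Consider a mailbox on a different domain for the rua= address.`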
@@ -100,4 +100,4 @@ It is worth mentioning, that the following suggestions are not a comprehensive l **NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Fully Qualified Domain Name (FQDN) -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. \ No newline at end of file +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`.
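Review bot: the only change in this hunk is the missing newline at EOF, which is welcome, but the `-` line already has backticks around `mailcow` whereas the version left by 6/7 (blob `bc975841f`) had single quotes `'mailcow'`, and this patch's index line starts from `3b94214b8`, not `bc975841f`; a commit is missing from the series or it needs a rebase before it applies cleanly on top of 6/7.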