Stop Getting Your Self-Hosted Mail Server Blocked by Google's SMTP Servers



Introduction

Our company's small self-hosted mail server occasionally gets blocked by Google's SMTP servers (we use G Suite). For example, the postfix log may show a reply like this from Google's SMTP server:

    Our system has detected that this message is 550-5.7.1 likely unsolicited mail.

To fix this, I am recording the relevant information here.




A) Configure DNS

1. Forward and reverse lookup

  • Both the forward lookup (hostname to IP) and the reverse lookup (IP to hostname) must resolve to this mail server.
  • For example, querying with nslookup (the real domain and IP have been removed):
    nslookup
    mail.<domain>  canonical name = <FQDN>.
    Name:    <FQDN>
    Address: 10.10.1.90
    > 10.10.1.90
    90.1.10.10.in-addr.arpa  name = <FQDN>.

2. TXT record for Google Postmaster

  • For example, edit the DNS TXT record in GoDaddy.




B) Configure DMARC (together with SPF and DKIM)

1. Configure SPF (Sender Policy Framework)

  • SPF is a protocol.
  • Its purpose is to prevent others from sending mail that impersonates the company's domain.

The Sender Policy Framework (SPF) is an email authentication protocol and part of email cybersecurity used to stop phishing attacks. It allows your company to specify who is allowed to send email on behalf of your domain. This is useful because in a typical phishing attack, the threat actor spoofs the sender address to look like an official business account or someone the victim may know.


2. Configure DKIM (DomainKeys Identified Mail)

  • DKIM is a protocol.
  • Its purpose is to sign outgoing mail so the recipient can verify that the message really came from the sending server, which prevents impersonation.

DKIM (DomainKeys Identified Mail) is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify.


3. Configure DMARC (Domain-based Message Authentication, Reporting and Conformance)

  • DMARC is also a protocol.
  • Its purpose is to tell the receiver how to handle mail that fails SPF or DKIM verification.

DMARC is an open email authentication protocol that provides domain-level protection of the email channel. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. Building on existing standards—SPF and DKIM—DMARC is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.




C) Test the MX record

  • You can use the mxtoolbox.com website to test whether the mail server's configuration has taken effect.
  • (It turns out it doesn't matter if the DNS record could not be found originally.)
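As an added example (not code from the original post), here is a small Python checker that models what sections A to C ask for: forward-confirmed reverse DNS for the mail host, and the basic shape of the SPF, DKIM and DMARC TXT records. The DNS data is constructed inline for a hypothetical example.com because the post redacted its real domain and IP; in practice you would fill the dicts from real lookups (for example with dig).

```python
# Constructed sample DNS data for a hypothetical domain (the post redacted its real values).
FORWARD = {"mail.example.com": {"10.10.1.90"}}  # A records (host -> IPs)
REVERSE = {"10.10.1.90": "mail.example.com"}    # PTR records (IP -> host)
TXT = {
    "example.com": "v=spf1 ip4:10.10.1.90 include:_spf.google.com -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

def tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def check_fcrdns(host, ip):
    """Forward-confirmed reverse DNS: A(host) contains ip and PTR(ip) is host."""
    problems = []
    if ip not in FORWARD.get(host, set()):
        problems.append(f"forward lookup of {host} does not return {ip}")
    if REVERSE.get(ip) != host:
        problems.append(f"reverse lookup of {ip} does not return {host}")
    return problems

def check_spf(record):
    problems = []
    if not record.startswith("v=spf1"):
        problems.append("SPF record must start with 'v=spf1'")
    last = record.split()[-1] if record.split() else ""
    if last.lstrip("-~?+") != "all":
        problems.append("SPF record should end with an 'all' mechanism")
    elif last in ("+all", "all"):
        problems.append("'+all' lets anyone send as the domain; use '-all' or '~all'")
    return problems

def check_dkim(record):  # an empty p= means the key is revoked
    return [] if tags(record).get("p") else ["DKIM record has no public key (p=)"]

def check_dmarc(record):
    t, problems = tags(record), []
    if t.get("v") != "DMARC1":
        problems.append("DMARC record must start with 'v=DMARC1'")
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= must be none, quarantine or reject")
    return problems

def audit(domain, mail_host, ip, selector="mail"):  # {} means all records look sane
    results = {"fcrdns": check_fcrdns(mail_host, ip),
               "spf": check_spf(TXT.get(domain, "")),
               "dkim": check_dkim(TXT.get(f"{selector}._domainkey.{domain}", "")),
               "dmarc": check_dmarc(TXT.get(f"_dmarc.{domain}", ""))}
    return {name: probs for name, probs in results.items() if probs}
```

The DKIM selector ("mail" here) is whatever your signer is configured with; the DMARC record always lives at _dmarc.<domain>.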




References

  1. https://www.proofpoint.com/us/threat-reference/spf
  2. https://www.proofpoint.com/us/threat-reference/dkim
  3. https://www.proofpoint.com/us/threat-reference/dmarc
  4. https://ithelp.ithome.com.tw/questions/10200632
  5. https://ithelp.ithome.com.tw/articles/10212132
  6. https://support.google.com/a/answer/2466580?hl=zh-Hant&ref_topic=2759254
