Email verification - Mailing list pgsql-www

| From | Bruce Momjian |
|---|---|
| Subject | Email verification |
| Date | |
| Msg-id | aBuIf2H3IBM8wEHB@momjian.us |
| List | pgsql-www |
I have been researching email verification systems lately, and I thought I should share what I learned with this list. First, there are three systems, all controlled by TXT messages in DNS domain files: SPF, DKIM, and DMARC. A good summary is at:

https://redsift.com/guides/email-protocol-configuration-guide/all-you-need-to-know-about-spf-dkim-and-dmarc

SPF controls who can transmit email as your domain. Specifically it controls what domains can declare they are authorized email servers for your domain. Checks are done against the "From" (no colon, envelope "From") email header (the first email header line), which identifies the transmitting email server. The Postgres email servers send email-list email as transmitted from the postgresql.org servers so it does not pretend to be the domain of the original email poster (the "From:" (with colon) user, header "From"). To clarify, "From" (no colon) identifies the host transmitting the email, and "From:" (colon, more user visible) is the email address of the person who created the email and sent it.

DKIM allows the sending email server to cryptographically sign many of the email headers, preventing undetected modification. Postgres _keeps_ the DKIM signature of the original email poster. However, Postgres does need to modify some List-* and Resent-* headers, so those should not be signed by the domain of the original email poster. For exim4 on Debian 12, I had to modify exim4.conf.localmacros to redefine the exim DKIM_SIGN_HEADERS configuration variable to remove List-* and Resent-* header signing:

```
$ exim -bP macros | grep '^_DKIM_SIGN_HEADERS=' | sed --regexp-extended 's/:?\<(Resent-|List-)[^:]*//g'
DKIM_SIGN_HEADERS=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:In-Reply-To:References
```

If you don't modify DKIM_SIGN_HEADERS, you can get email verification errors when email is bounced via redirection rules.
DMARC allows domains to specify how the recipients of email from the DNS domain should handle (reject, quarantine, report) emails that fail verification. Verification requires passing SPF authentication and SPF alignment and/or passing DKIM authentication and DKIM alignment:

https://www.proofpoint.com/us/threat-reference/dmarc

What this means is that SPF must be valid and the "From:" (with colon, header "From") matches the domain SPF list, or DKIM is valid and the "From:" (with colon, header "From") matches the DKIM signing domain. Postgres email-list emails are delivered without problem because they preserve the author's DKIM, and that DKIM matches "From:" (with colon, header "From").

I think all email servers should have these three features enabled, though I would recommend just "reporting" for DMARC. I have had DMARC set to "reporting" for a few days and have not received any reports yet.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.
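The DMARC rule described above (SPF pass plus alignment, or DKIM pass plus alignment, against the "From:" header domain) worked through in code. This is an added illustration, not part of the post or of any PostgreSQL or exim code; the relay scenario, domain values and the two-label organizational-domain approximation are constructed assumptions.

```python
from email.utils import parseaddr


def header_from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 "From:" (with colon) address, e.g. momjian.us."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From: header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for this example; real validators consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_result(from_header, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """'pass' when SPF passes AND its (envelope "From") domain aligns with "From:",
    or DKIM passes AND its signing domain (d=) aligns with "From:"; else 'fail'."""
    hfrom = header_from_domain(from_header)
    spf_ok = spf_result == "pass" and aligned(spf_domain, hfrom, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, hfrom, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed scenario: a message from momjian.us relayed by the list. The envelope
# "From" is the list server, so SPF passes for postgresql.org but is NOT aligned;
# the author's DKIM signature (d=momjian.us) survives the relay and IS aligned.
LIST_RELAY = dict(from_header="Bruce Momjian <bruce@momjian.us>",
                  spf_result="pass", spf_domain="postgresql.org",
                  dkim_result="pass", dkim_domain="momjian.us")
# Same relay, but a signed header (e.g. a List-* header) was modified in transit,
# so the author's DKIM signature no longer verifies: only unaligned SPF is left.
BROKEN_DKIM = dict(LIST_RELAY, dkim_result="fail")

if __name__ == "__main__":
    for name, msg in (("list relay", LIST_RELAY), ("broken DKIM", BROKEN_DKIM)):
        print(f"{name}: {dmarc_result(**msg)}")
```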