Server Security Guide
Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening
DMARC Strict Alignment
Consider using DMARC strict alignment:
- relaxed alignment (adkim=r) might lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow.
- Illustrative examples on DMARC Strict Alignment
- SPF/DKIM/DMARC/DomainKey/RBL Online Test
DKIM Header Injection Attack
DKIM Replay Attack
Could a DKIM replay attack be resolved by enforcing that messages pass both SPF and DKIM? In theory, yes. In practice, this is unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM. It is also unlikely to ever be implemented, since it would break the e-mail forwarding use case.
Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?
- DMARC will pass (success, not a failure) when either SPF or DKIM has pass.
- Such as
- pass (as in DMARC reports) however only indicates that DMARC passed. The e-mail could still be rejected for being spam or end up in the spam folder.
- Such as
- Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability:
Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!
- https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
- Quote https://support.google.com/a/answer/174124?hl=en:
Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
e-mail self hosting is hard
- and Google Postmaster Tools don't help: https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/
rain dance required:
SPF mostly ignored:
- "SPF is terrible, but was necessary"
View e-mail headers:
- For example in Thunderbird: select an e-mail ->
There are two different "From" fields in an e-mail.
- A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
- B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header
Very good explanation here: https://www.xeams.com/difference-envelope-header.htm
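As an added example (not code from the Kicksecure page or from the python3-dkim project), the following Python models how a receiver derives the DMARC result from the two "From" identities above: SPF is evaluated against the MAIL FROM domain, DKIM against the signature's d= domain, and each must align with the header From domain under relaxed (adkim=r / aspf=r) or strict (adkim=s / aspf=s) alignment. It assumes a simplified organizational-domain rule (last two labels) instead of the Public Suffix List, and the two sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (real checkers use the Public Suffix List).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires exactly the same domain."""
    h, a = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return h == a
    if mode == "r":
        return org_domain(h) == org_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    header_from: str          # domain of the RFC 5322 'From' header (what the user sees)
    mail_from: Optional[str]  # domain of the RFC 5321 'MAIL FROM' (bounce address)
    spf: str                  # SPF result for mail_from: 'pass', 'fail', 'none', ...
    dkim_d: Optional[str]     # d= tag of the verified DKIM-Signature, None if unsigned
    dkim: str                 # DKIM verification result: 'pass', 'fail', 'none'


def dmarc(r: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes when at least one of SPF or DKIM passes AND that identifier
    is aligned with the header From domain under the policy's adkim/aspf mode."""
    spf_ok = r.spf == "pass" and r.mail_from is not None and aligned(r.header_from, r.mail_from, aspf)
    dkim_ok = r.dkim == "pass" and r.dkim_d is not None and aligned(r.header_from, r.dkim_d, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed sample 1: DKIM signed by a subdomain, no SPF. Relaxed alignment
# accepts it; strict alignment rejects it.
SUBDOMAIN_SIGNED = AuthResults("example.com", None, "none", "newsletter.example.com", "pass")

# Constructed sample 2: SPF passes for an aligned bounce address, message unsigned.
# DMARC passes under both modes (the "SPF + DMARC without DKIM" case).
SPF_ONLY = AuthResults("example.com", "example.com", "pass", None, "none")

if __name__ == "__main__":
    for name, msg in (("subdomain-signed", SUBDOMAIN_SIGNED), ("spf-only", SPF_ONLY)):
        print(name, "relaxed:", dmarc(msg), "strict:", dmarc(msg, adkim="s", aspf="s"))
```

A DMARC pass here says nothing about spam scoring; it only means one aligned authentication mechanism succeeded.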
Checking DKIM Signatures on the Command Line
This is mostly useful for learning and testing purposes.
Install the python3-dkim package. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the python3-dkim package.
sudo apt install --no-install-recommends python3-dkim
D. The procedure of installing python3-dkim is complete.
To verify the DKIM signature of a saved e-mail (for example, a message exported from the mail client as an .eml file):
dkimverify < e-mail.eml
- consider signing up for https://www.abuse.net/addnew.phtml
Standard E-Mail Addresses
- a number of standard e-mail addresses should redirect to the inbox of the server administrator
Miscellaneous Server Tests
- See also Website and Server Tests.