Mandrill is most commonly used Transactional Email Service. They are easy to add with just few PHP snippets, like we gave snippets or tutorials for using WordPress with Mandrill or XenForo with Mandrill. Commonly, Transactional Email Services Like Mandrill is used With Google Apps. Here is How to Add DMARC, DKIM, SFP to Avoid Email Spoofing. Mandrill infamously mark with Poor Account Reputation. Although, Poor Account Reputation is a deliberate work done by Mandrill, DMARC, DKIM, SFP avoids Email Spoofing and for Free Mandrill like transactional email service with a shared IP, it is quite important.
What We Need to Know Before Jumping to Ask How to Add DMARC, DKIM, SFP to Avoid Email Spoofing
IP Spoofing was discussed before. There is also DNS Spoofing. Most of these Cloud Transactional Email Services are smaller business has no own datacenter or DNS. It is unlikely that they use Dyn like good DNS provider.
We talked about SFP before.
If you are using Google Mail for Domains (old name of Google Apps) or Zoho Mail with any Cloud Transactional Email Service, you must be careful and add all these records.
DKIM means DomainKeys Identified Mail, which is an email authentication method to detect email spoofing through cryptographic authentication. DMARC is Domain-based Message Authetication, Reporting, and Conformance. You’ll receive daily emails by Google Apps and/or Transactional Email Service as tar ball.
How to Add DMARC, DKIM, SFP to Avoid Email Spoofing
We are setting these records via DNS Service Provider as TXT record.
SPF for Google Mail for Domains (Google Apps) Plus Mandrill
Run this command for our website on Terminal or iTerm2 window :
|
1 |
dig +short thecustomizewindows.com txt |
You’ll get this result :
|
1 |
"v=spf1 include:spf.mandrillapp.com include:_spf.google.com ~all" |
That v=spf1 is common, include:spf.mandrillapp.com is for Mandrill, include:_spf.google.com is for Google, ~all is a flag. You can blindly use the same like that of us if you are using Google Mail for Domains (Google Apps) Plus Mandrill. SPF follows this RFC :
|
1 |
https://www.rfc-editor.org/rfc/rfc7208.txt |
DKIM for Google Mail for Domains (Google Apps) Plus Mandrill
In the same way, run this command :
|
1 |
dig +short mandrill._domainkey.thecustomizewindows.com txt |
You’ll get a big response :
|
1 |
"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB\;" |
Notice that dig was for mandrill._domainkey.thecustomizewindows.com. Now, run this :
|
1 |
dig +short google._domainkey.thecustomizewindows.com txt |
You’ll get a big response :
|
1 |
"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaXevY184DD7FcEwRi/2ahLfCD+ACcFw8r1jx4zf97EmSc7VFWvC8CeqQB5hzR6geQ7fNC1lMxMKSxezHhcVoIZx8gGVvHXY9AjddO+6FmQ3ATDTPJY4gbTiizP5ROs6bsBB17uCvv8u2uLcyjqVe+zK9Yx6Zdhd7N2AbVkk5cvQIDAQAB" |
No, the value are not same. There is IQ inside, run :
|
1 |
dig +short google._domainkey.thecustomizewindows.com txt | grep IQ |
there will be no return. But, if you run :
---
|
1 |
dig +short mandrill._domainkey.thecustomizewindows.com txt | grep IQ |
there will be IQ highlighted.
Notice that dig was for google._domainkey.thecustomizewindows.com. For Google Apps, at this moment, the URL to directly get that DKIM is :
|
1 |
https://admin.google.com/AdminHome#AppDetails:service=email&flyout=dkim |
It is mandatory to combine SFP record from multiple providers like Mandrill, Google Apps when both are used by the domain in the way we have shown. DKIM needs not to combines or rather not possible.
DKIM is spelled on RFC 4871 :
|
1 |
https://www.ietf.org/rfc/rfc4871.txt |
DMARC for Google Mail for Domains (Google Apps) Plus Mandrill
DMARC is most difficult. No Mail Service Provider will auto generate DMARC for you, unlike SPF and DKIM. Above two were copy && paste work. Run :
|
1 |
dig +short _dmarc.thecustomizewindows.com txt |
You’ll get this response :
|
1 |
"v=DMARC1\; p=none\; pct=100\; rua=mailto:webmaster@thecustomizewindows.com\; ruf=mailto:admin@thecustomizewindows.com\;" |
What those words mean in v=DMARC1\; p=none\; pct=100\; rua=mailto:webmaster@thecustomizewindows.com\; ruf=mailto:admin@thecustomizewindows.com\; is nicely written in RFC elaborately. Basically like for hyperlinks, bots understand rel="nofollow" and rel="no_follow" both, pct=100 automatically may get adjusted by function to 90%.
Here is a genuine DMARC report of our this website sent by Google – https://gist.github.com/AbhishekGhosh/10e3122bff346af62ae4
You’ll get human usable tools here – https://dmarc.org/resources/deployment-tools/ to generate that type of record. Keep in mind – we are using Google Apps. Google has that service to receive, analyze and send the record to us as zip file. Everyday we get one email with the zip file from noreply-dmarc-support@google.com to webmaster@thecustomizewindows.com. Mandrill possibly do not have that DMARC service.
Emails Should Be Signed in Addition
Everyone knows that Emails should be signed by GNU PG key. It is not very difficult to implement for WordPress and OS X GPG tool discussed before, so as Facebook GNU PG. Otherwise a malware on your server can sent valid emails, none will understand who is replying using admin@thecustomizewindows.com. Support can reply or I can reply.
I sent an email from admin@thecustomizewindows.com to my email me@abhishekghosh.pro and in Apple Mail, got this from View > Message > Raw Source. SPF, DKIM and GPG are present. I altered the RSA key to smaller and modified that X-ZohoMail-Sender: x.x.x.x :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
Delivered-To: me@abhishekghosh.pro Received-SPF: Pass (zoho.com: domain of admin@thecustomizewindows.com designates 209.85.220.52 as permitted sender ) client-ip: 209.85.220.52 Received: from mail-pa0-f52.google.com (mail-pa0-f52.google.com [209.85.220.52]) by mx.zohomail.com with SMTPS id 1452417035861743.8316555668265; Sun, 10 Jan 2016 01:10:35 -0800 (PST) Received: by mail-pa0-f52.google.com with SMTP id yy13so213359486pab.3 for <me@abhishekghosh.pro>; Sun, 10 Jan 2016 01:10:35 -0800 (PST) Return-Path: <admin@thecustomizewindows.com> Return-Path: <admin@thecustomizewindows.com> Received: from [100.84.253.192] ([115.250.186.46]) by smtp.gmail.com with ESMTPSA id ya4sm12239430pab.22.2016.01.10.01.10.31 for <me@abhishekghosh.pro> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 10 Jan 2016 01:10:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thecustomizewindows.com; s=google; h=from:content-type:subject:date:message-id:to:mime-version; bh=U7191yZOCeAQsrgsJe3xrlvz/QZQs9i8rlHxhopPVYI=; b=USVvnpBZEwDmgrAn/w06DJspE2wSfYlXQfSz6tMKxEAAXIewsH0F0yGXJgpJMoGaPk o9ygdOCUdZkxD0os14MJ2nRPS6VDhJchA2fH3l94986ioFKhJJU1GugwsWwdTPV1GEiP DjfR+G8M3M3cvDaPQV6yO5mfjnesWHZM/VHa0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:subject:date:message-id:to :mime-version; bh=U7191yZOCeAQsrgsJe3xrlvz/QZQs9i8rlHxhopPVYI=; b=Yo+79chtCUhGuiXLIYBBjAmMUdc7c0VGyWE5QfIJ1/Cue2qa5I82gAV2Ncaw9Elt5B ueiVNtLtnF7OISB9jjfFGek7BBedchoQDquZ8dhQ2deax9ZNdKzQrvYpPpkhV0RfurOw SFAc/0vZhuSWQYpCbxq4Sot8XymzAhEAaxRrwew15ENO9RiCNMqbyCaR42ha6S8wyPMA hA66wrYxcoC4ChtTKLpXE11JdRrUCINsCEnDy4CRz7XzaU4dHmiHqx5V7N3OaJe3DzCF oefl9sRXik35Gsu6YOok3+d+jJq14hI2/tj9K8hLiLls0UJ8zNXl7YVW71FsWVU4Cq2n Y9jA== X-Gm-Message-State: ALoCoQkgl33jEMCTlZNniYh0RCjMhNhRHCL5b5NrSuSkb3zfrUBsLs45aNd6H/r2Xq2jeOuLE2Vt8EeYxeCKexiveK1Dbgq1xA== X-Received: by 10.67.2.73 with SMTP id bm9mr172854181pad.94.1452417033461; Sun, 10 Jan 2016 01:10:33 -0800 (PST) From: The Customize Windows <admin@thecustomizewindows.com> X-Pgp-Agent: GPGMail 2.5.2 Content-Type: multipart/signed; boundary="Apple-Mail=_BB0B1A89-B78C-4507-B2D2-43F46E6CF300"; protocol="application/pgp-signature"; micalg=pgp-sha512 Subject: Testing DMARC and GNU PG Date: Sun, 10 Jan 2016 14:40:27 +0530 Message-Id: <09683138-D098-4E9C-AE57-6D12635007A6@thecustomizewindows.com> To: "Dr. Abhishek Ghosh" <me@abhishekghosh.pro> Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\)) X-Mailer: Apple Mail (2.2098) X-Zoho-Virus-Status: 1 X-ZohoMail: SS_5 SFPD SFPP UW2468 UB6248 PIW SF_SOIPH1_3 COSF A9 NDL SGR3_1_0_21125_80 X-ZohoMail-Owner: <09683138-D098-4E9C-AE57-6D12635007A6@thecustomizewindows.com>+zmo_1_<admin@thecustomizewindows.com> X-ZohoMail-Sender: x.x.x.x --Apple-Mail=_BB0B1A89-B78C-4507-B2D2-43F46E6CF300 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Hi, We are testing DMARC and GNU PG for encryption. Thanks. --Apple-Mail=_BB0B1A89-B78C-4507-B2D2-43F46E6CF300 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWkiAEAAoJEChxaZWUDR0hW6MQAJEk/ ... pZWiGrzNpNgkAgprnJ8u=YI4c -----END PGP SIGNATURE----- --Apple-Mail=ABCD-43F46E456-- |
About Abhishek Ghosh
Here’s what we’ve got for you which might like :
Additionally, performing a search on this website can help you. Also, we have YouTube Videos.
Take The Conversation Further ...
We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!
If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.
Contact Us