Yandex Mail Dmarc
понедельник 24 февраля
Recently, and in Yandex.Mail for domains, letters have a digital signature DKIM - DomainKeys Identified Mail.
DKIM is a technology that authenticates the sender of a letter by adding a digital signature associated with a domain name. According to statistics from Yandex.Spamoborony, now half of the letters arriving at Yandex.Mail servers contain the correct digital signature. And gradually they are becoming more and more - two years ago, such letters accounted for 35% of all.
Yandex.Mail uses a digital signature to combat spam and phishing. Before the advent of DKIM, one of the factors by which Spamooborona understood the undesirability of the letter was sender verification using SPF - Sender Policy Framefork , over which many working groups, including the MARID working group in the IETF, had worked on during its existence.
')
In order to determine the authenticity of the letter, DKIM uses modern cryptographic achievements quite elegantly. Under the cut - how DKIM is implemented in the Mail for Domains, what disadvantages SPF has and why, despite them, we will continue to use both technologies.
For the formation and verification of the DKIM signature, the classical asymmetric cryptographic scheme for verifying the electronic digital signature is used.
The private part of the domain key is located on the server and is used to generate a digital signature. At the same time, it can include not only the body of the letter, but also some headers. The signature itself is also added to the letter as a header.
The open part of the key is loaded as a TXT record into the DNS zone of the domain and serves to verify the generated signature. Its result can be used when a decision is made about the further fate of the letter: an invalid signature indicates that it was either sent from another domain, or was changed during the transfer. In any case, this is an alarming sign.
A valid signature allows you to ensure compliance with the domain of the sender and the domain specified in the letter, and thus form the reputation of domains on the Internet. In the general case, the inclusion of DKIM on a domain allows to improve the 'deliverability' of letters.
We tried to make the inclusion of DKIM happen with minimal administrator involvement. For domains delegated to Yandex, DKIM is enabled automatically. For all the others, it is enough to add the corresponding TXT record with the public key to the DNS zone.
On the Yandex.Mail side, when you confirm a new domain, a pair of keys are immediately created for it, which are necessary for generating a DKIM signature. If a domain is delegated to a Yandex DNS server, a TXT record containing the public key is automatically created in the zone. If a domain is delegated to other servers, its administration interface displays a prompt with the text of the entry that needs to be added to the domain zone.
During the next check of the status of the domain, which occur every hour, the traffic control server receives information about the presence in the zone of a record about DKIM, or that the record that existed from the zone has disappeared. The list of these changes applies to the cluster send letters with private keys. After distribution, new domains begin to subscribe to the DKIM signature in the same way as it does with all Yandex.Mail letters.
Most modern anti-spam systems work on reputational and mass criteria. For example, the Yandex Spamooborona-1024 service (a free solution for filtering corporate mail from spam), which stops its work on September 1 of this year, uses such criteria. It is quite convenient to have a guarantee that the letter was sent from the specified domain.
In SPF technology, authentication is also carried out by making a special record in the DNS zone by the domain administrator, but does not require special headers to be affixed to the letter. If there is an SPF record in the domain, the receiving server can conclude that the source address of the letter matches the list of hosts for which sending mail for this domain is allowed.
This mechanism has one major drawback: in the case of forwarding (Forward) letters from server to server, the SPF check on the receiving side will fail. In addition, SPF does not allow to unequivocally say whether the letter was sent from the domain specified in it. DKIM solves this problem by adding a cryptographic signature on the message body and headers.
Nevertheless, there are situations when some good letters from the domain come without a signature at all, that is, it will not work only on DKIM, as well as build a reputation for such domains.
In the future, in addition to SPF and DKIM, the relatively new DMARC technology, Domain-based Message Authentication, Reporting & Conformance, which combines not only the means of verifying the origin of the letter, but also the means of exchanging information about spam between mail systems, will become more widespread. Yandex.Mail has been using DMARC for over a year for additional protection against spam and phishing.
DKIM is a technology that authenticates the sender of a letter by adding a digital signature associated with a domain name. According to statistics from Yandex.Spamoborony, now half of the letters arriving at Yandex.Mail servers contain the correct digital signature. And gradually they are becoming more and more - two years ago, such letters accounted for 35% of all.
Yandex.Mail uses a digital signature to combat spam and phishing. Before the advent of DKIM, one of the factors by which Spamooborona understood the undesirability of the letter was sender verification using SPF - Sender Policy Framefork , over which many working groups, including the MARID working group in the IETF, had worked on during its existence.
')
In order to determine the authenticity of the letter, DKIM uses modern cryptographic achievements quite elegantly. Under the cut - how DKIM is implemented in the Mail for Domains, what disadvantages SPF has and why, despite them, we will continue to use both technologies.
For the formation and verification of the DKIM signature, the classical asymmetric cryptographic scheme for verifying the electronic digital signature is used.
The private part of the domain key is located on the server and is used to generate a digital signature. At the same time, it can include not only the body of the letter, but also some headers. The signature itself is also added to the letter as a header.
The open part of the key is loaded as a TXT record into the DNS zone of the domain and serves to verify the generated signature. Its result can be used when a decision is made about the further fate of the letter: an invalid signature indicates that it was either sent from another domain, or was changed during the transfer. In any case, this is an alarming sign.
A valid signature allows you to ensure compliance with the domain of the sender and the domain specified in the letter, and thus form the reputation of domains on the Internet. In the general case, the inclusion of DKIM on a domain allows to improve the 'deliverability' of letters.
We tried to make the inclusion of DKIM happen with minimal administrator involvement. For domains delegated to Yandex, DKIM is enabled automatically. For all the others, it is enough to add the corresponding TXT record with the public key to the DNS zone.
On the Yandex.Mail side, when you confirm a new domain, a pair of keys are immediately created for it, which are necessary for generating a DKIM signature. If a domain is delegated to a Yandex DNS server, a TXT record containing the public key is automatically created in the zone. If a domain is delegated to other servers, its administration interface displays a prompt with the text of the entry that needs to be added to the domain zone.
During the next check of the status of the domain, which occur every hour, the traffic control server receives information about the presence in the zone of a record about DKIM, or that the record that existed from the zone has disappeared. The list of these changes applies to the cluster send letters with private keys. After distribution, new domains begin to subscribe to the DKIM signature in the same way as it does with all Yandex.Mail letters.
Most modern anti-spam systems work on reputational and mass criteria. For example, the Yandex Spamooborona-1024 service (a free solution for filtering corporate mail from spam), which stops its work on September 1 of this year, uses such criteria. It is quite convenient to have a guarantee that the letter was sent from the specified domain.
In SPF technology, authentication is also carried out by making a special record in the DNS zone by the domain administrator, but does not require special headers to be affixed to the letter. If there is an SPF record in the domain, the receiving server can conclude that the source address of the letter matches the list of hosts for which sending mail for this domain is allowed.
This mechanism has one major drawback: in the case of forwarding (Forward) letters from server to server, the SPF check on the receiving side will fail. In addition, SPF does not allow to unequivocally say whether the letter was sent from the domain specified in it. DKIM solves this problem by adding a cryptographic signature on the message body and headers.
Nevertheless, there are situations when some good letters from the domain come without a signature at all, that is, it will not work only on DKIM, as well as build a reputation for such domains.
In the future, in addition to SPF and DKIM, the relatively new DMARC technology, Domain-based Message Authentication, Reporting & Conformance, which combines not only the means of verifying the origin of the letter, but also the means of exchanging information about spam between mail systems, will become more widespread. Yandex.Mail has been using DMARC for over a year for additional protection against spam and phishing.
DMARC Record Creation. Agari: DMARC Record Generator; dmarcian.com: DMARC Record Generator; Global Cyberalliance: DMARC Setup Guide (also covers SPF, DKIM) Scott Kitterman’s DMARC Record Assistant; Proofpoint: DMARC Record Creation Wizard (registration required). Nero 6 portable washer.
For many people, myself included, his most interesting stage is probably his brief stint with Atlantic Records in the early 1970s. He is probably the artist for whom the term “Americana” was most properly invented.Yet his career can be divided into rather neatly-defined stages. Discovered covered the late great daniel johnston rar.