https://docs.inboxsys.com/api.php?action=feedcontributions&feedformat=atom&user=SebastianInboxSys document library - User contributions [en]2026-04-23T12:31:02ZUser contributionsMediaWiki 1.45.3https://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=382Brand Indicators for Message Identification (BIMI)2025-11-11T20:26:31Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
By default, a BIMI DNS record is set on a subdomain named '''default._bimi'''. In this case, "default" is the '''selector'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
* Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi".<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi"<br />
</pre><br />
<br />
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following header is found in the E-Mail that is supposed to show the BIMI logo in the inbox: <br />
<br />
<pre><br />
BIMI-Selector: v=BIMI1; s=myselector<br />
</pre><br />
<br />
The actual BIMI record can be found with this query:<br />
<br />
<pre><br />
$ host -t txt myselector._bimi.example.com<br />
myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==On which domains to set a BIMI record==<br />
<br />
BIMI records can, just like DMARC records, be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector.<br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
* '''VMC''' means "'''Verified Mark Certificate'''"<br />
* '''CMC''' means "'''Common Mark Certificate'''"<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| No<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=BIMI in InboxSys app=<br />
<br />
To check your BIMI record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/bimi.php BIMI checker] to check your BIMI record.<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]<br />
* [https://app.inboxsys.com/bimi.php InboxSys BIMI checker]<br />
* [https://inboxsys.com/introducing-the-inboxsys-bimi-checker/ Blog post about BIMI]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sending_a_message_to_the_seedlist&diff=381Sending a message to the seedlist2025-09-13T15:33:30Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:E-Mail_analysis]]<br />
[[Category:Seeds]]<br />
<strong>Sending a message to the seedlist</strong><br />
<br />
Campaigns are analysed in [[:Category:InboxSys|InboxSys]] app by sending them to a [[:Category:Seeds|seedlist]]. This list consists of 2 parts:<br />
<br />
* The trigger - this is an address ending with @app.inboxsys.com.<br />
* The [[:Category:Reputation|ISP]] seeds - those are the ISP seeds that are sent to Gmail, Outlook.com, Yahoo, Orange.fr and many others.<br />
<br />
=Seedlist=<br />
<br />
You can find your personal seedlist in your InboxSys account by clicking on the cogwheels icon in the far right top.<br />
<br />
The ISP seeds are showing in the "Inbox Delivery"-section on the individual campaign results. This section shows if the seeds have arrived to the inbox, the [[wikipedia:Email_spam|spam]]-folder, or somewhere else. For all mails received, it is possible to show full mail headers.<br />
<br />
In case you would like to test delivery to any ISP not on the list, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
Messages to the trigger address are the messages that get actually [[:Category:E-Mail_analysis|analysed]]. <br />
* A message that is not sent to the trigger address, will not be displayed in InboxSys at all. <br />
* Messages sent to the trigger address only, will arrive, but show all ISP seeds as "missing".<br />
<br />
Each message sent to an ISP seed is one that will not be opened and will not have it's links clicked. Only the trigger seed has clickable links and potentially responding tracking pixels. E-Mail addresses that show no response may have a negative effect on your reputation on the long run. Since many ISPs rely on user-based engagement metrics, it has become impossible to definitely determine if a message has or hasn't hit the spam folder. When it hits the spamfolder in our pristine ISP seed addresses, that doesn't mean it also lands in the spamfolder for someone who has gathered and shared a lot of user-based engagement metrics with their ISP, or vice versa.<br />
<br />
For that reason, we recommend to start testing to the trigger seed only and do full seedlist test after all issues, reported by InboxSys, have been fixed, or in case spamfolder-issues are suspected. When the ISP seedlist detects an issue, it's already too late for preventive measures. Prevention can already be achieved by sending to the trigger address only.<br />
<br />
Messages to the full seedlist should be sent as list - in single messages. Adding seeds to CC or BCC will distort the final analysis. If you don't have access to an ESP, you can use [https://support.microsoft.com/en-us/office/use-mail-merge-for-bulk-email-letters-labels-and-envelopes-f488ed5b-b849-4c11-9cff-932c49474705 Mail Merge for Microsoft] or [https://addons.thunderbird.net/en-US/thunderbird/addon/mail-merge/ Mail Merge for Thunderbird] to simulate list-sending.<br />
<br />
=Methods of matching triggers to ISP-seeds=<br />
<br />
By default, seeds are matched based on the sender address ''and'' [[subject]]line, it is important that all subjectlines are exactly the same. If [[personalisation]] on the subjectline is being used, personalization variables for each address in the seedlist should have the same content.<br />
<br />
In case your test messages have different sender addresses and/or subject line, you can choose to set a specific X-Header in order to invoke a different method of matching. Available X-Headers/methods are: <br />
<br />
==X-Campaign-ID==<br />
<br />
Each time you press "send to list", it's a new "campaign". The X-Campaign-ID contains a unique identifier for a single campaign. Let's say, the campaign ID is "12345678-a". In that case, the X-Campaign-ID should look like this:<br />
<br />
<pre><br />
X-Campaign-ID: <12345678-a><br />
</pre><br />
<br />
Because the campaign ID alone doesn't allow us to match to a specific user account reliably, it's required the campaign has at least one more identifier. This can be the sender address ''or'' the subject. One of both is sufficient, it doesn't matter which one.<br />
<br />
==X-InboxSys-ID==<br />
<br />
The X-InboxSys-ID allows you to send your user-ID along with your campaign ID. This way, the campaign can be directly matched to your user account and no further identifiers are required. In this example, those are your user IDs:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|-<br />
!Account name!!Account ID<br />
|-<br />
|main_account||1234<br />
|-<br />
|sub_account||1235<br />
|}<br />
<br />
Let's say, for example, the trigger of your seedlist is sub_account@app.inboxsys.com and your unique campaign ID is "12345678-b". In that case, your X-InboxSys-ID should look like this:<br />
<br />
<pre><br />
X-InboxSys-ID: <1235_12345678-b><br />
</pre><br />
<br />
As long as your campaign ID is unique, this matches both your user account and the campaign in question. In this case, no further matching is required. Subject, sender and content can be entirely different.<br />
<br />
=InboxSys trigger seed unsubscribes=<br />
<br />
InboxSys calls the headers of all links in all seeds, in order to test if links work. InboxSys is not calling the ''body'' of that link! If this little check unsubscribes immediately, that indicates a few severe flaws in the unsubscribe mechanism.<br />
<br />
First of all, no-one uses a single-click [[unsubscribe]] in the bottom of an E-Mail. It's legally allowed to use a dual-click unsubscribe, so that is the common standard. When you click on an unsusbscribe link, the landing page should show a confirmation dialog. Otherwise, you get bot-unsubscribes! That is basically what we have here: a bot-unsubscribe.<br />
<br />
Secondly, we are calling the header of the page, but not the body. Even if there is no dialog, calling the header should only send back header information, but not execute actions that are typically taken ''after'' the ''full page'' has loaded.<br />
<br />
An immediate unsubscribe upon only calling the header of a page looks symptomatic to a [[List-Unsubscribe]] link. LU have opposite requirements and best practices from standard unsubscribe links. InboxSys never calls a List-Unsubscribe link, for this exact, obvious reason.<br />
<br />
==Troubleshooting unsubscribes==<br />
<br />
* Check your logs to see the reason for the unsubscription<br />
* Request Information from your ESP to explain why this has happened<br />
* InboxSys can assist to converse with ESP to see if their approach can be changed<br />
* Ensure the InboxSys trigger seed is safe-listed<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/what-is-a-seed-list/ Blog article on seedlists]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sending_a_message_to_the_seedlist&diff=380Sending a message to the seedlist2025-09-13T15:07:52Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:E-Mail_analysis]]<br />
[[Category:Seeds]]<br />
<strong>Sending a message to the seedlist</strong><br />
<br />
Campaigns are analysed in [[:Category:InboxSys|InboxSys]] app by sending them to a [[:Category:Seeds|seedlist]]. This list consists of 2 parts:<br />
<br />
* The trigger - this is an address ending with @app.inboxsys.com.<br />
* The [[:Category:Reputation|ISP]] seeds - those are the ISP seeds that are sent to Gmail, Outlook.com, Yahoo, Orange.fr and many others.<br />
<br />
=Seedlist=<br />
<br />
You can find your personal seedlist in your InboxSys account by clicking on the cogwheels icon in the far right top.<br />
<br />
The ISP seeds are showing in the "Inbox Delivery"-section on the individual campaign results. This section shows if the seeds have arrived to the inbox, the [[wikipedia:Email_spam|spam]]-folder, or somewhere else. For all mails received, it is possible to show full mail headers.<br />
<br />
In case you would like to test delivery to any ISP not on the list, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
Messages to the trigger address are the messages that get actually [[:Category:E-Mail_analysis|analysed]]. <br />
* A message that is not sent to the trigger address, will not be displayed in InboxSys at all. <br />
* Messages sent to the trigger address only, will arrive, but show all ISP seeds as "missing".<br />
<br />
Each message sent to an ISP seed is one that will not be opened and will not have it's links clicked. Only the trigger seed has clickable links and potentially responding tracking pixels. E-Mail addresses that show no response may have a negative effect on your reputation on the long run. Since many ISPs rely on user-based engagement metrics, it has become impossible to definitely determine if a message has or hasn't hit the spam folder. When it hits the spamfolder in our pristine ISP seed addresses, that doesn't mean it also lands in the spamfolder for someone who has gathered and shared a lot of user-based engagement metrics with their ISP, or vice versa.<br />
<br />
For that reason, we recommend to start testing to the trigger seed only and do full seedlist test after all issues, reported by InboxSys, have been fixed, or in case spamfolder-issues are suspected. When the ISP seedlist detects an issue, it's already too late for preventive measures. Prevention can already be achieved by sending to the trigger address only.<br />
<br />
Messages to the full seedlist should be sent as list - in single messages. Adding seeds to CC or BCC will distort the final analysis. If you don't have access to an ESP, you can use [https://support.microsoft.com/en-us/office/use-mail-merge-for-bulk-email-letters-labels-and-envelopes-f488ed5b-b849-4c11-9cff-932c49474705 Mail Merge for Microsoft] or [https://addons.thunderbird.net/en-US/thunderbird/addon/mail-merge/ Mail Merge for Thunderbird] to simulate list-sending.<br />
<br />
=Methods of matching triggers to ISP-seeds=<br />
<br />
By default, seeds are matched based on the sender address ''and'' [[subject]]line, it is important that all subjectlines are exactly the same. If [[personalisation]] on the subjectline is being used, personalization variables for each address in the seedlist should have the same content.<br />
<br />
In case your test messages have different sender addresses and/or subject line, you can choose to set a specific X-Header in order to invoke a different method of matching. Available X-Headers/methods are: <br />
<br />
==X-Campaign-ID (BETA)==<br />
<br />
Each time you press "send to list", it's a new "campaign". The X-Campaign-ID contains a unique identifier for a single campaign. Let's say, the campaign ID is "12345678-a". In that case, the X-Campaign-ID should look like this:<br />
<br />
<pre><br />
X-Campaign-ID: <12345678-a><br />
</pre><br />
<br />
Because the campaign ID alone doesn't allow us to match to a specific user account reliably, it's required the campaign has at least one more identifier. This can be the sender address ''or'' the subject. One of both is sufficient, it doesn't matter which one.<br />
<br />
==X-InboxSys-ID (BETA)==<br />
<br />
The X-InboxSys-ID allows you to send your user-ID along with your campaign ID. This way, the campaign can be directly matched to your user account and no further identifiers are required. In this example, those are your user IDs:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|-<br />
!Account name!!Account ID<br />
|-<br />
|main_account||1234<br />
|-<br />
|sub_account||1235<br />
|}<br />
<br />
Let's say, for example, the trigger of your seedlist is sub_account@app.inboxsys.com and your unique campaign ID is "12345678-b". In that case, your X-InboxSys-ID should look like this:<br />
<br />
<pre><br />
X-InboxSys-ID: <1235_12345678-b><br />
</pre><br />
<br />
As long as your campaign ID is unique, this matches both your user account and the campaign in question. In this case, no further matching is required. Subject, sender and content can be entirely different.<br />
<br />
=InboxSys trigger seed unsubscribes=<br />
<br />
InboxSys calls the headers of all links in all seeds, in order to test if links work. InboxSys is not calling the ''body'' of that link! If this little check unsubscribes immediately, that indicates a few severe flaws in the unsubscribe mechanism.<br />
<br />
First of all, no-one uses a single-click [[unsubscribe]] in the bottom of an E-Mail. It's legally allowed to use a dual-click unsubscribe, so that is the common standard. When you click on an unsusbscribe link, the landing page should show a confirmation dialog. Otherwise, you get bot-unsubscribes! That is basically what we have here: a bot-unsubscribe.<br />
<br />
Secondly, we are calling the header of the page, but not the body. Even if there is no dialog, calling the header should only send back header information, but not execute actions that are typically taken ''after'' the ''full page'' has loaded.<br />
<br />
An immediate unsubscribe upon only calling the header of a page looks symptomatic to a [[List-Unsubscribe]] link. LU have opposite requirements and best practices from standard unsubscribe links. InboxSys never calls a List-Unsubscribe link, for this exact, obvious reason.<br />
<br />
==Troubleshooting unsubscribes==<br />
<br />
* Check your logs to see the reason for the unsubscription<br />
* Request Information from your ESP to explain why this has happened<br />
* InboxSys can assist to converse with ESP to see if their approach can be changed<br />
* Ensure the InboxSys trigger seed is safe-listed<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/what-is-a-seed-list/ Blog article on seedlists]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sending_a_message_to_the_seedlist&diff=379Sending a message to the seedlist2025-09-13T15:06:37Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:E-Mail_analysis]]<br />
[[Category:Seeds]]<br />
<strong>Sending a message to the seedlist</strong><br />
<br />
Campaigns are analysed in [[:Category:InboxSys|InboxSys]] app by sending them to a [[:Category:Seeds|seedlist]]. This list consists of 2 parts:<br />
<br />
* The trigger - this is an address ending with @app.inboxsys.com.<br />
* The [[:Category:Reputation|ISP]] seeds - those are the ISP seeds that are sent to Gmail, Outlook.com, Yahoo, Orange.fr and many others.<br />
<br />
=Seedlist=<br />
<br />
You can find your personal seedlist in your InboxSys account by clicking on the cogwheels icon in the far right top.<br />
<br />
The ISP seeds are showing in the "Inbox Delivery"-section on the individual campaign results. This section shows if the seeds have arrived to the inbox, the [[wikipedia:Email_spam|spam]]-folder, or somewhere else. For all mails received, it is possible to show full mail headers.<br />
<br />
In case you would like to test delivery to any ISP not on the list, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
Messages to the trigger address are the messages that get actually [[:Category:E-Mail_analysis|analysed]]. <br />
* A message that is not sent to the trigger address, will not be displayed in InboxSys at all. <br />
* Messages sent to the trigger address only, will arrive, but show all ISP seeds as "missing".<br />
<br />
Each message sent to an ISP seed is one that will not be opened and will not have it's links clicked. Only the trigger seed has clickable links and potentially responding tracking pixels. E-Mail addresses that show no response may have a negative effect on your reputation on the long run. Since many ISPs rely on user-based engagement metrics, it has become impossible to definitely determine if a message has or hasn't hit the spam folder. When it hits the spamfolder in our pristine ISP seed addresses, that doesn't mean it also lands in the spamfolder for someone who has gathered and shared a lot of user-based engagement metrics with their ISP, or vice versa.<br />
<br />
For that reason, we recommend to start testing to the trigger seed only and do full seedlist test after all issues, reported by InboxSys, have been fixed, or in case spamfolder-issues are suspected. When the ISP seedlist detects an issue, it's already too late for preventive measures. Prevention can be achieved by sending to the trigger address only.<br />
<br />
Messages to the full seedlist should be sent as list - in single messages. Adding seeds to CC or BCC will distort the final analysis. If you don't have access to an ESP, you can use [https://support.microsoft.com/en-us/office/use-mail-merge-for-bulk-email-letters-labels-and-envelopes-f488ed5b-b849-4c11-9cff-932c49474705 Mail Merge for Microsoft] or [https://addons.thunderbird.net/en-US/thunderbird/addon/mail-merge/ Mail Merge for Thunderbird] to simulate list-sending.<br />
<br />
=Methods of matching triggers to ISP-seeds=<br />
<br />
By default, seeds are matched based on the sender address ''and'' [[subject]]line, it is important that all subjectlines are exactly the same. If [[personalisation]] on the subjectline is being used, personalization variables for each address in the seedlist should have the same content.<br />
<br />
In case your test messages have different sender addresses and/or subject line, you can choose to set a specific X-Header in order to invoke a different method of matching. Available X-Headers/methods are: <br />
<br />
==X-Campaign-ID (BETA)==<br />
<br />
Each time you press "send to list", it's a new "campaign". The X-Campaign-ID contains a unique identifier for a single campaign. Let's say, the campaign ID is "12345678-a". In that case, the X-Campaign-ID should look like this:<br />
<br />
<pre><br />
X-Campaign-ID: <12345678-a><br />
</pre><br />
<br />
Because the campaign ID alone doesn't allow us to match to a specific user account reliably, it's required the campaign has at least one more identifier. This can be the sender address ''or'' the subject. One of both is sufficient, it doesn't matter which one.<br />
<br />
==X-InboxSys-ID (BETA)==<br />
<br />
The X-InboxSys-ID allows you to send your user-ID along with your campaign ID. This way, the campaign can be directly matched to your user account and no further identifiers are required. In this example, those are your user IDs:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|-<br />
!Account name!!Account ID<br />
|-<br />
|main_account||1234<br />
|-<br />
|sub_account||1235<br />
|}<br />
<br />
Let's say, for example, the trigger of your seedlist is sub_account@app.inboxsys.com and your unique campaign ID is "12345678-b". In that case, your X-InboxSys-ID should look like this:<br />
<br />
<pre><br />
X-InboxSys-ID: <1235_12345678-b><br />
</pre><br />
<br />
As long as your campaign ID is unique, this matches both your user account and the campaign in question. In this case, no further matching is required. Subject, sender and content can be entirely different.<br />
<br />
=InboxSys trigger seed unsubscribes=<br />
<br />
InboxSys calls the headers of all links in all seeds, in order to test if links work. InboxSys is not calling the ''body'' of that link! If this little check unsubscribes immediately, that indicates a few severe flaws in the unsubscribe mechanism.<br />
<br />
First of all, no-one uses a single-click [[unsubscribe]] in the bottom of an E-Mail. It's legally allowed to use a dual-click unsubscribe, so that is the common standard. When you click on an unsusbscribe link, the landing page should show a confirmation dialog. Otherwise, you get bot-unsubscribes! That is basically what we have here: a bot-unsubscribe.<br />
<br />
Secondly, we are calling the header of the page, but not the body. Even if there is no dialog, calling the header should only send back header information, but not execute actions that are typically taken ''after'' the ''full page'' has loaded.<br />
<br />
An immediate unsubscribe upon only calling the header of a page looks symptomatic to a [[List-Unsubscribe]] link. LU have opposite requirements and best practices from standard unsubscribe links. InboxSys never calls a List-Unsubscribe link, for this exact, obvious reason.<br />
<br />
==Troubleshooting unsubscribes==<br />
<br />
* Check your logs to see the reason for the unsubscription<br />
* Request Information from your ESP to explain why this has happened<br />
* InboxSys can assist to converse with ESP to see if their approach can be changed<br />
* Ensure the InboxSys trigger seed is safe-listed<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/what-is-a-seed-list/ Blog article on seedlists]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Register_a_test_account&diff=378Register a test account2025-09-13T14:50:30Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
<strong>Register a test account</strong><br />
<br />
You can sign up to InboxSys on https://app.inboxsys.com/login.php?showform=createaccount. (People with a referral code can use [https://app.inboxsys.com/login.php?showform=createaccount this link] instead) Before the first login, your E-Mail address needs to be verified. We will send an Email with:<br />
<br />
* Username<br />
* Password<br />
* Activation code<br />
<br />
In this E-mail, an activation link can be found. This link has the activation code included. Signing up should be as simple as pressing the link in the E-mail and entering username and password. If, for any reason, the activation code is not included in the link, you will be asked to enter the activation code manually.<br />
<br />
Once your account is ready, you can proceed to [[Sending_a_message_to_the_seedlist|send your first test message to your new seedlist]], as shown in [https://youtu.be/EUCWWOuLxnQ this video]. <br />
<br />
==What if it does not work?==<br />
<br />
In case the first E-mail does not arrive - please allow it 30 minutes and check all mail-folders and tabs before to proceed - a new password can be requested at https://app.inboxsys.com/login.php?getpassword=yes. With username and the new password, a fresh activation code can be requested after login.<br />
<br />
==How long can I use InboxSys?==<br />
<br />
InboxSys can be tested in full functionality for 14 days. After those 14 days, a commercial licence can be acquired from within your account. Detailed information on features and pricing can be found at https://inboxsys.com/<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/ InboxSys Website]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sending_a_message_to_the_seedlist&diff=377Sending a message to the seedlist2025-09-13T03:35:12Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:E-Mail_analysis]]<br />
[[Category:Seeds]]<br />
<strong>Sending a message to the seedlist</strong><br />
<br />
Campaigns are analysed in [[:Category:InboxSys|InboxSys]] app by sending them to a [[:Category:Seeds|seedlist]]. This list consists of 2 parts:<br />
<br />
* The trigger - this is an address ending with @app.inboxsys.com.<br />
* The [[:Category:Reputation|ISP]] seeds - those are the ISP seeds that are sent to Gmail, Outlook.com, Yahoo, Orange.fr and many others.<br />
<br />
=Seedlist=<br />
<br />
You can find your personal seedlist in your InboxSys account by clicking on the cogwheels icon in the far right top.<br />
<br />
The ISP seeds are showing in the "Inbox Delivery"-section on the individual campaign results. This section shows if the seeds have arrived to the inbox, the [[wikipedia:Email_spam|spam]]-folder, or somewhere else. For all mails received, it is possible to show full mail headers.<br />
<br />
In case you would like to test delivery to any ISP not on the list, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
Messages to the trigger address are the messages that get actually [[:Category:E-Mail_analysis|analysed]]. <br />
* A message that is not sent to the trigger address, will not be displayed in InboxSys at all. <br />
* Messages sent to the trigger address only will arrive, but show all ISP seeds as "missing".<br />
<br />
Messages to the seedlist should be sent as list - in single messages. Adding seeds to CC or BCC will distort the final analysis. If you don't have access to an ESP, you can use [https://support.microsoft.com/en-us/office/use-mail-merge-for-bulk-email-letters-labels-and-envelopes-f488ed5b-b849-4c11-9cff-932c49474705 Mail Merge for Microsoft] or [https://addons.thunderbird.net/en-US/thunderbird/addon/mail-merge/ Mail Merge for Thunderbird] to simulate list-sending.<br />
<br />
=Methods of matching triggers to ISP-seeds=<br />
<br />
By default, seeds are matched based on the sender address ''and'' [[subject]]line, it is important that all subjectlines are exactly the same. If [[personalisation]] on the subjectline is being used, personalization variables for each address in the seedlist should have the same content.<br />
<br />
In case your test messages have different sender addresses and/or subject line, you can choose to set a specific X-Header in order to invoke a different method of matching. Available X-Headers/methods are: <br />
<br />
==X-Campaign-ID (BETA)==<br />
<br />
Each time you press "send to list", it's a new "campaign". The X-Campaign-ID contains a unique identifier for a single campaign. Let's say, the campaign ID is "12345678-a". In that case, the X-Campaign-ID should look like this:<br />
<br />
<pre><br />
X-Campaign-ID: <12345678-a><br />
</pre><br />
<br />
Because the campaign ID alone doesn't allow us to match to a specific user account reliably, it's required the campaign has at least one more identifier. This can be the sender address ''or'' the subject. One of both is sufficient, it doesn't matter which one.<br />
<br />
==X-InboxSys-ID (BETA)==<br />
<br />
The X-InboxSys-ID allows you to send your user-ID along with your campaign ID. This way, the campaign can be directly matched to your user account and no further identifiers are required. In this example, those are your user IDs:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|-<br />
!Account name!!Account ID<br />
|-<br />
|main_account||1234<br />
|-<br />
|sub_account||1235<br />
|}<br />
<br />
Let's say, for example, the trigger of your seedlist is sub_account@app.inboxsys.com and your unique campaign ID is "12345678-b". In that case, your X-InboxSys-ID should look like this:<br />
<br />
<pre><br />
X-InboxSys-ID: <1235_12345678-b><br />
</pre><br />
<br />
As long as your campaign ID is unique, this matches both your user account and the campaign in question. In this case, no further matching is required. Subject, sender and content can be entirely different.<br />
<br />
=InboxSys trigger seed unsubscribes=<br />
<br />
InboxSys calls the headers of all links in all seeds, in order to test if links work. InboxSys is not calling the ''body'' of that link! If this little check unsubscribes immediately, that indicates a few severe flaws in the unsubscribe mechanism.<br />
<br />
First of all, no-one uses a single-click [[unsubscribe]] in the bottom of an E-Mail. It's legally allowed to use a dual-click unsubscribe, so that is the common standard. When you click on an unsusbscribe link, the landing page should show a confirmation dialog. Otherwise, you get bot-unsubscribes! That is basically what we have here: a bot-unsubscribe.<br />
<br />
Secondly, we are calling the header of the page, but not the body. Even if there is no dialog, calling the header should only send back header information, but not execute actions that are typically taken ''after'' the ''full page'' has loaded.<br />
<br />
An immediate unsubscribe upon only calling the header of a page looks symptomatic to a [[List-Unsubscribe]] link. LU have opposite requirements and best practices from standard unsubscribe links. InboxSys never calls a List-Unsubscribe link, for this exact, obvious reason.<br />
<br />
==Troubleshooting unsubscribes==<br />
<br />
* Check your logs to see the reason for the unsubscription<br />
* Request Information from your ESP to explain why this has happened<br />
* InboxSys can assist to converse with ESP to see if their approach can be changed<br />
* Ensure the InboxSys trigger seed is safe-listed<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/what-is-a-seed-list/ Blog article on seedlists]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Register_a_test_account&diff=376Register a test account2025-09-13T03:34:30Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
<strong>Register a test account</strong><br />
<br />
You can sign up to InboxSys on https://app.inboxsys.com/login.php?showform=createaccount. (People with a referral code can use [https://app.inboxsys.com/login.php?showform=createaccount this link] instead) Before the first login, your E-Mail address needs to be verified. We will send an Email with:<br />
<br />
* Username<br />
* Password<br />
* Activation code<br />
<br />
In this E-mail, an activation link can be found. This link has the activation code included. Signing up should be as simple as pressing the link in the E-mail and entering username and password. If, for any reason, the activation code is not included in the link, you will be asked to enter the activation code manually.<br />
<br />
==What if it does not work?==<br />
<br />
In case the first E-mail does not arrive - please allow it 30 minutes and check all mail-folders and tabs before to proceed - a new password can be requested at https://app.inboxsys.com/login.php?getpassword=yes. With username and the new password, a fresh activation code can be requested after login.<br />
<br />
==How long can I use InboxSys?==<br />
<br />
InboxSys can be tested in full functionality for 14 days. After those 14 days, a commercial licence can be acquired from within your account. Detailed information on features and pricing can be found at https://inboxsys.com/<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/ InboxSys Website]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]<br />
* [https://youtu.be/EUCWWOuLxnQ Video tutorial]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=InboxSys_document_library&diff=375InboxSys document library2025-09-13T03:32:49Z<p>Sebastian: </p>
<hr />
<div>[[File:Full logo.svg|thumb|InboxSys Logo]]<br />
<br />
[https://inboxsys.com InboxSys] is a service developed with years of industry expertise to meet the constantly evolving methods and criteria applied by [[:Category:Reputation|ISP]]s (Internet Service Providers) to prevent [[wikipedia:Email_spam|spam]] from reaching their users. As spam prevention methods are becoming more sophisticated, the risk of your content being flagged is increased and this can quickly escalate into large scale issues such as [[Blocklists|blocklisting]]s and negative categorization. InboxSys' system allows senders to quickly identify and address [[:Category:Deliverability|deliverability]] issues to bring them under control.<br />
<br />
=Getting started=<br />
Before you can get started with InboxSys, you need an [[Register_a_test_account|InboxSys account]]. Once that's done, you can [[Sending_a_message_to_the_seedlist|send your first test message to your new seedlist]]. <br />
<br />
=Deliverability=<br />
[[:Category:Deliverability|Deliverability]] is the foundation of email engagement, and it is comprised of a series of technologies and requirements that allow ISPs to differentiate between legitimate mail and spam. With so many filters used by ISPs, from infrastructure mechanisms to content level checks, even general sendings can become a real risk to your ability to efficiently communicate with your clients and partners.<br />
<br />
=Read further...=<br />
* [[:Category:InboxSys]]<br />
* [[:Category:Configuration]]<br />
* [[:Category:Deliverability]]<br />
* [[:Category:Authentication]]<br />
<br />
=Useful links=<br />
* [https://www.youtube.com/@Email-Matters InboxSys on YouTube]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=MTA-STS&diff=374MTA-STS2025-08-15T13:52:10Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[wikipedia:Transport_Layer_Security|TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
'''SMTP MTA Strict Transport Security''' (MTA-STS) was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to secure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails.<br />
<br />
=Configuration and setup=<br />
<br />
MTA-STS is set up on a so-called "policy domain". This is the domain that holds the policy. Each [[RFC5322.From]] domain should have it's own MTA-STS policy configuration. Subdomains don't automatically inherit MTA-STS settings. <br />
<br />
MTA-STS consists of two components:<br />
<br />
* Policy file<br />
* DNS record<br />
<br />
==Policy file==<br />
<br />
The policy file is stored on a webhost in the ".well-known" webdirectory with a subdomain of the policy domain named "mta-sts" and the filename named "mta-sts.txt". It must be reachable from outside and contain the following keys: <br />
<br />
* version: This is the mta-sts version used. Currently, "STSv1" is the only valid value.<br />
* mode: This can be either<br />
** testing: Testing mode,<br />
** enforce: Enforced TLS, or<br />
** none: MTA-STS is disabled. May be useful to receive TLSRPT reports only.<br />
* mx: Each MX has its own line.<br />
* max_age: Should not exceed 31557600 (~1 year).<br />
<br />
For example, the policy domain for policydomain.TLD is located at https://mta-sts.policydomain.TLD/.well-known/mta-sts.txt and contains the following text: <br />
<br />
<pre><br />
version: STSv1<br />
mode: enforce<br />
mx: mta1.policydomain.TLD<br />
mx: mta2.policydomain.TLD<br />
max_age: 86400<br />
</pre><br />
<br />
==DNS record==<br />
<br />
In order to tell the world that a particular domain is an MTA-STS policy domain, it's required to create another subdomain with a TXT record present. The subdomain is "_mta-sts" and the TXT record syntax has two switches: <br />
<br />
* v: For "version". This is exactly the same key/value pair as in the policy file. "STSv1" currently is the only valid value.<br />
* id: A unique and incremental number, indicating the version update of the policy. This number should be changed each time the policy file is modified. It's recommended to use a generic value, such as date and time. <br />
<br />
For example, policy domain "policydomain.TLD" could have the following DNS TXT MTA-STS record: <br />
<br />
<pre><br />
_mta-sts.policydomain.TLD. IN TXT "v=STSv1; id=202403010850;"<br />
</pre><br />
<br />
=TLS reporting=<br />
<br />
''Main article: [[TLSRPT]]<br />
<br />
RFC 8461 states that <q>MTA-STS is intended to be used along with TLS reporting (TLSRPT)</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant domains should be able to receive and process TLSRPT reports at least.<br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=DNS-based_Authentication_of_Named_Entities_(DANE)&diff=373DNS-based Authentication of Named Entities (DANE)2025-08-15T13:46:45Z<p>Sebastian: Created page with "Category:Deliverability Category:Authentication In modern E-Mail communication, Opportunistic TLS is common. This means that TLS encryption for the transition of E-Mail is negotiated by MTAs on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. '''DANE (DNS-bas..."</p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[wikipedia:Transport_Layer_Security|TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
'''DANE (DNS-based Authentication of Named Entities)''', together with the TLSA protocol, was introduced in [https://www.rfc-editor.org/rfc/rfc6698 RFC 6698]. It's main purpose is to secure TLS connections against [[wikipedia:Man-in-the-middle_attack|MitM (Man in the Middle) attacks]]. Dane requires [[wikipedia:DNSSEC|DNSSEC]]. DANE compliant Mail is returned to the sender if the TLS negotiation fails.<br />
<br />
=Configuration and setup=<br />
<br />
DANE is set up on the recipient's mail host in multiple layers:<br />
<br />
==DNSSEC==<br />
<br />
The first connection attempt requires DNSSEC for all DNS queries:<br />
<br />
# Querying MX records from the '''recipient domain'''.<br />
# Querying '''MX domains / MTA hostnames''' for TLSA records.<br />
<br />
==TLSA DNS record==<br />
<br />
TLSA records are set on MTA hostnames on a sudomain that consists of: <br />
<br />
* Port<br />
* Protocol (UDP, TCP or SCTP)<br />
<br />
For example, if the MTA has ''mta.example.com'' as hostname, ''TCP'' as protocol and we're using port ''25'' for SMTP connections, this is what a lookup of the TLSA record would look like: <br />
<br />
<pre><br />
$ host -t tlsa _25._tcp.mta.example.com<br />
</pre><br />
<br />
Inside the record, we find the following components:<br />
<br />
===Certificate Usage Field (CUF)===<br />
<br />
The CUF specifies how the recipient server's certificate is to be verified.<br />
<br />
{| class="wikitable"<br />
|+ Certificate Usage Field<br />
|-<br />
!Value!!Type!!Description<br />
|-<br />
|0||PKIX-TA||Allows the certificate of the trust anchor to be utilised along with Certificate Authority certificates<br />
|-<br />
|1||PKIX-EE||PKIX verification, including various checks<br />
|-<br />
|2||DANE-TA2||Validate the domain TLS certificates using the server private key from the X.509 (PKI) tree<br />
|-<br />
|3||DANE-EE||The CUF must only match against the certificate<br />
|}<br />
<br />
===Selector Field (SF)===<br />
<br />
The SF specifies which part of the recipient server's TLS certificate will be matched against the Certificate Association Data.<br />
<br />
{| class="wikitable"<br />
|+ Selector Field<br />
|-<br />
!Value!!Type!!Description<br />
|-<br />
|0||SubjectPublicKeyInfo (SPKI)||Parts of the certificate, such as public key, pk algorithm, etc.<br />
|-<br />
|1||Full certificate||Full certificate<br />
|}<br />
<br />
===Matching Type Field (MTF)===<br />
<br />
The MTF specifies how the CAD is presented for use with the Selector Field.<br />
<br />
{| class="wikitable"<br />
|+ Matching Type Field<br />
|-<br />
!Value!!Type!!Description<br />
|-<br />
|1||SHA-256||SHA-256 hash of CAD based on the SF value<br />
|-<br />
|2||SHA-512||SHA-512 hash of CAD based on the SF value<br />
|-<br />
|0||Full||Exact match against CAD based on the SF value<br />
|}<br />
<br />
===Certificate Association Data (CAD)===<br />
<br />
At the end of the TLSA record, we find a long string named '''Certificate Association Data''' (CAD). This field contains the hashed certificate date that matches the CUF.<br />
<br />
That said, the result of our above lookup could be something like this:<br />
<br />
<pre><br />
_25._tcp.mta.example.com has TLSA record 3 1 1 0AD1234567890ABCD1234567890ABCD1234567890ABCD1234567890ABCD12390<br />
</pre><br />
<br />
==STARTTLS==<br />
<br />
STARTTLS is required on the recipients server for DANE to work. If no STARTTLS is offered, a so-called "downgrade attack" is suspected and the connection is dropped immediately. If STARTLS is offered, the checksum of the TLS certificate is compared to the information found in the TLSA DNS record.<br />
<br />
=TLS reporting=<br />
<br />
''Main article: [[TLSRPT]]<br />
<br />
[https://www.rfc-editor.org/rfc/rfc8460 RFC 8460] states that <q>Recipient domains may also use the mechanisms defined by [[MTA-STS]] [RFC8461] or DANE [RFC6698] to publish additional encryption and authentication requirements; this document defines a mechanism for sending domains that are compatible with MTA-STS or DANE to share success and failure statistics with recipient domains.</q> Even though this is not explicitly mentioned in RFC 6698, DANE compliant MTAs should be able to receive and process TLSRPT reports.<br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc6698 RFC 6698]: DANE RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:DNSSEC]]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=DANE&diff=372DANE2025-08-15T13:38:16Z<p>Sebastian: Changed redirect target from DNS-based Authentication of Named Entities to DNS-based Authentication of Named Entities (DANE)</p>
<hr />
<div>#REDIRECT [[DNS-based_Authentication_of_Named_Entities_(DANE)]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=DANE&diff=371DANE2025-08-15T13:37:53Z<p>Sebastian: Redirected page to DNS-based Authentication of Named Entities</p>
<hr />
<div>#REDIRECT [[DNS-based_Authentication_of_Named_Entities]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=MTA-STS&diff=370MTA-STS2025-08-15T11:53:34Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[wikipedia:Transport_Layer_Security|TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
MTA-STS was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to secure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails.<br />
<br />
=Configuration and setup=<br />
<br />
MTA-STS is set up on a so-called "policy domain". This is the domain that holds the policy. Each [[RFC5322.From]] domain should have it's own MTA-STS policy configuration. Subdomains don't automatically inherit MTA-STS settings. <br />
<br />
MTA-STS consists of two components:<br />
<br />
* Policy file<br />
* DNS record<br />
<br />
==Policy file==<br />
<br />
The policy file is stored on a webhost in the ".well-known" webdirectory with a subdomain of the policy domain named "mta-sts" and the filename named "mta-sts.txt". It must be reachable from outside and contain the following keys: <br />
<br />
* version: This is the mta-sts version used. Currently, "STSv1" is the only valid value.<br />
* mode: This can be either<br />
** testing: Testing mode,<br />
** enforce: Enforced TLS, or<br />
** none: MTA-STS is disabled. May be useful to receive TLSRPT reports only.<br />
* mx: Each MX has its own line.<br />
* max_age: Should not exceed 31557600 (~1 year).<br />
<br />
For example, the policy domain for policydomain.TLD is located at https://mta-sts.policydomain.TLD/.well-known/mta-sts.txt and contains the following text: <br />
<br />
<pre><br />
version: STSv1<br />
mode: enforce<br />
mx: mta1.policydomain.TLD<br />
mx: mta2.policydomain.TLD<br />
max_age: 86400<br />
</pre><br />
<br />
==DNS record==<br />
<br />
In order to tell the world that a particular domain is an MTA-STS policy domain, it's required to create another subdomain with a TXT record present. The subdomain is "_mta-sts" and the TXT record syntax has two switches: <br />
<br />
* v: For "version". This is exactly the same key/value pair as in the policy file. "STSv1" currently is the only valid value.<br />
* id: A unique and incremental number, indicating the version update of the policy. This number should be changed each time the policy file is modified. It's recommended to use a generic value, such as date and time. <br />
<br />
For example, policy domain "policydomain.TLD" could have the following DNS TXT MTA-STS record: <br />
<br />
<pre><br />
_mta-sts.policydomain.TLD. IN TXT "v=STSv1; id=202403010850;"<br />
</pre><br />
<br />
=TLS reporting=<br />
<br />
''Main article: [[TLSRPT]]<br />
<br />
RFC 8461 states that <q>MTA-STS is intended to be used along with TLS reporting (TLSRPT)</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=369Brand Indicators for Message Identification (BIMI)2025-02-14T19:21:05Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
By default, a BIMI DNS record is set on a subdomain named '''default._bimi'''. In this case, "default" is the '''selector'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
* Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi".<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi"<br />
</pre><br />
<br />
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following header is found in the E-Mail that is supposed to show the BIMI logo in the inbox: <br />
<br />
<pre><br />
BIMI-Selector: v=BIMI1; s=myselector<br />
</pre><br />
<br />
The actual BIMI record can be found with this query:<br />
<br />
<pre><br />
$ host -t txt myselector._bimi.example.com<br />
myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==On which domains to set a BIMI record==<br />
<br />
BIMI records can, just like DMARC records, be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector.<br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
* '''VMC''' means "'''Verified Mark Certificate'''"<br />
* '''CMC''' means "'''Common Mark Certificate'''"<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| No<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=368Domain-based Message Authentication, Reporting, and Conformance (DMARC)2025-02-03T20:40:48Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=Brand Indicators for Message Identification (BIMI)=<br />
''Main article: [[Brand Indicators for Message Identification (BIMI)]]''<br />
<br />
DMARC=pass with a policy set to either "reject" or "quarantine" is a prerequisite for BIMI to work.<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/domainchecker.php domainchecker] to check your DMARC record.<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [[TLSRPT]]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [https://app.inboxsys.com/domainchecker.php domainchecker]<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=367Brand Indicators for Message Identification (BIMI)2025-02-03T20:35:36Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
By default, a BIMI DNS record is set on a subdomain named '''default._bimi'''. In this case, "default" is the '''selector'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
* Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi".<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi"<br />
</pre><br />
<br />
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following record is found: <br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; s=myselector;"<br />
</pre><br />
<br />
The actual BIMI record can be found with this query:<br />
<br />
<pre><br />
$ host -t txt myselector._bimi.example.com<br />
myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==On which domains to set a BIMI record==<br />
<br />
BIMI records can, just like DMARC records, be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector.<br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
* '''VMC''' means "'''Verified Mark Certificate'''"<br />
* '''CMC''' means "'''Common Mark Certificate'''"<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| No<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=366Brand Indicators for Message Identification (BIMI)2025-02-03T18:37:28Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
* '''VMC''' means "'''Verified Mark Certificate'''"<br />
* '''CMC''' means "'''Common Mark Certificate'''"<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| No<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=DomainKeys_Identified_Mail_(DKIM)&diff=365DomainKeys Identified Mail (DKIM)2025-02-01T03:45:24Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
'''DKIM (DomainKeys Identified Mail)''' is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains ([[RFC5322.From]]) from forgery (spoofing). DKIM is defined in [https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376] with updates in [https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301] and [https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]. DKIM is a requirement of [[DMARC]].<br />
<br />
=Functionality=<br />
<br />
Each message is digitally signed by the sending server when it's being sent. DKIM works with a public key and a private key for signing and a selector for identification.<br />
<br />
==Selector==<br />
<br />
The selector assures that multiple DKIM records can be set on a single sender domain. Selectors can be any phrase. Here's an example from RFC 6376:<br />
<br />
<pre><br />
selectors might indicate the names of office locations (e.g.,<br />
"sanfrancisco", "coolumbeach", and "reykjavik"), the signing date<br />
(e.g., "january2005", "february2005", etc.), or even an individual<br />
user.<br />
</pre><br />
<br />
The selector is used to compile a subdomain for the DKIM DNS TXT record. If, for example, the selector is "reykjavik" and the senderdomain is "email.example.com", the following subdomain should be created: ''reykjavik._domainkey.email.example.com''.<br />
<br />
==Public and private key==<br />
<br />
The public key is publicly accessible in this [[DNS]] TXT record. The full content of the DNS TXT record may look like this:<br />
<br />
<pre><br />
v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB<br />
</pre><br />
<br />
There are numerous switches that can be applied to a DKIM record. The ones we see here are:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DKIM record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DKIM1</code> || Version || Required<br />
|-<br />
! scope="row"| t <br />
|| <code>t=s</code> || Alignment / Testing || Recommended<br />
|-<br />
! scope="row"| k <br />
|| <code>k=rsa</code> || Key type || Optional<br />
|-<br />
! scope="row"| p <br />
|| <pre>p=LONG KEY</pre> <br />
|| Public key || Required<br />
|}<br />
<br />
The long key (p-switch) is the public key that matches the private key on the signing server. This key can be obtained from your [[ISP]]/[[ESP]] or your mail server administrator.<br />
<br />
The minimum length for DKIM keys is 1024 bit. The minimum recommended length for DKIM keys is 2048 bit.<br />
<br />
Once a message has been received, the DKIM signature can be found in the [[E-Mail header]] and it looks like this:<br />
<br />
<pre><br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;<br />
s=reykjavik; t=1117574938; i=@email.example.com;<br />
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;<br />
h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:<br />
From:To:Cc:Subject;<br />
b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm<br />
2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH<br />
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=<br />
</pre><br />
<br />
The meaning of the individual switches we see in the example is as follows:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DKIM header switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=1</code> || Version || Required<br />
|-<br />
! scope="row"| a <br />
|| <code>a=rsa-sha256</code> || Key type / Signing algorithm|| Required<br />
|-<br />
! scope="row"| c <br />
|| <code>c=relaxed/relaxed</code> || Canonicalization algorithm(s) for header and body || Optional<br />
|-<br />
! scope="row"| d <br />
|| <code>d=email.example.com</code> || Signing Domain Identifier (SDID) || Required<br />
|-<br />
! scope="row"| s <br />
|| <code>s=reykjavik</code> || Selector || Required<br />
|-<br />
! scope="row"| t <br />
|| <code>t=1117574938</code> || Timestamp || Recommended<br />
|-<br />
! scope="row"| i <br />
|| <code>i=@email.example.com</code> || Sending domain (AUID) || Optional<br />
|-<br />
! scope="row"| bh <br />
|| <code>bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=</code> || Body hash || Required<br />
|-<br />
! scope="row"| h <br />
|| <pre>h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:<br />
From:To:Cc:Subject;</pre><br />
|| list of header fields that have been signed || Required<br />
|-<br />
! scope="row"| b <br />
|| <pre>b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm<br />
2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH<br />
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=</pre> <br />
|| Signature of headers and body || Required<br />
|}<br />
<br />
=Alignment=<br />
''Main article: [[Alignment]]''<br />
<br />
DKIM is aligned when the sender domain matches the signing domain. In correct phrasing: when the RFC5322.From domain (also "Agent or User Identifier"), represented in the i-switch, matches the "Signing Domain Identifier", represented in the d-switch.<br />
<br />
=Double DKIM=<br />
''Main article: [[Double DKIM]]''<br />
<br />
=DKIM in InboxSys app=<br />
<br />
To check your DKIM record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/domainchecker.php domainchecker] to check your DKIM record.<br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]<br />
* [https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301]<br />
* [https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]<br />
* https://www.mailhardener.com/kb/how-to-use-dkim-with-ed25519<br />
* [https://app.inboxsys.com/domainchecker.php Domainchecker]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sender_Policy_Framework_(SPF)&diff=364Sender Policy Framework (SPF)2025-02-01T03:44:18Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
'''SPF (Sender Policy Framework)''' is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains ([[RFC5321.MailFrom]]) from forgery (spoofing). SPF is defined as a "proposed standard" in [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]. SPF is required for [[DMARC]] and it's the base for [[SenderID]].<br />
<br />
=Functionality=<br />
<br />
An SPF record is a [[DNS]] TXT record that defines which IPs are allowed to send with the domain in question. An example of a very simple SPF record is:<br />
<br />
<pre><br />
example.com descriptive text "v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 -all"<br />
</pre><br />
<br />
In this example, the domain "example.com" is strictly and only allowed to send from IP ''1.2.3.4'' or from the [[CIDR]] network ''4.3.2.0/24'' (4.3.2.1 - 4.3.2.254). This example-record consists of 3 parts:<br />
<br />
# Version (v=spf1)<br />
# Method (ip4:1.2.3.4 ip4:4.3.2.0/24)<br />
# Policy qualifier (-all)<br />
<br />
==Version==<br />
<br />
Since SenderID is deprecated, there is only one SPF version: spf1. <br />
<br />
==Method==<br />
<br />
SPF offers 8 mechanisms:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ SPF methods<br />
|-<br />
! Switch !! Example !! Description<br />
|-<br />
! scope="row"| A <br />
|| <code>A</code> || Matches the domain's A-record.<br />
|-<br />
! scope="row"| All<br />
|| <code>ALL</code> || Matches always. This mechanism is rarely used.<br />
|-<br />
! scope="row"| EXISTS<br />
|| <code>exists:example.com</code> || Matches the IP behind the domain. Can be used with [https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/ SPF macro language] and is rarely used.<br />
|-<br />
! scope="row"| IP4 <br />
|| <code>ip4:4.3.2.0/24</code> || Includes IPv4 addresses.<br />
|-<br />
! scope="row"| IP6 <br />
|| <code>ip6:2001:db8:a::123/64</code> || Includes IPv6 addresses.<br />
|-<br />
! scope="row"| INCLUDE <br />
|| <code>include:subdomain.example.com</code> || Include the results of the SPF record of another domain.<br />
|-<br />
! scope="row"| MX <br />
|| <code>MX</code> || Matches all IPs in the domain's [[MX-Record|MX-record]].<br />
|-<br />
! scope="row"| PTR <br />
|| <code>PTR</code> || Matches only if the reverse DNS (PTR) for the client's address is in the domain in question and the PTR record resolves back to the domain's A or AAAA record. Should be avoided!<br />
|}<br />
<br />
==Policy qualifier==<br />
<br />
The policy qualifier defines what to do when all previous methods fail. The following qualifiers are available:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ SPF policy qualifiers<br />
|-<br />
! Switch !! Name<br />
|-<br />
! scope="row"| +all <br />
|| PASS || SPF returns PASS, even if it fails. This renders SPF obsolete and is not considered valid by all [[ISP]]s.<br />
|-<br />
! scope="row"| ?all <br />
|| NEUTRAL || SPF returns NEUTRAL, even if it fails.<br />
|-<br />
! scope="row"| ~all <br />
|| SOFTFAIL || SPF returns SOFTFAIL when it fails.<br />
|-<br />
! scope="row"| -all <br />
|| FAIL || SPF returns FAIL when it fails. Can break things when using [[mailing lists]].<br />
|}<br />
<br />
Forwarding an E-Mail with the RFC5321.MailFrom unchanged, but from a different IP, breaks SPF authentication. For this reason ''~all'' is sometimes preferred over ''-all''.<br />
<br />
=Alignment=<br />
''Main article: [[Alignment]]''<br />
<br />
SPF aligns when the RFC5321.MailFrom domain matches the [[RFC5322.From]] domain. In laymen terms: When the envelope-from domain matches the sender domain.<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=SPF in InboxSys app=<br />
<br />
To check your SPF record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/domainchecker.php domainchecker] to check your SPF record.<br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]<br />
* [https://app.inboxsys.com/domainchecker.php Domainchecker]<br />
* [[wikipedia:Sender_Policy_Framework]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sender_Policy_Framework_(SPF)&diff=363Sender Policy Framework (SPF)2025-02-01T03:44:05Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
'''SPF (Sender Policy Framework)''' is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains ([[RFC5321.MailFrom]]) from forgery (spoofing). SPF is defined as a "proposed standard" in [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]. SPF is required for [[DMARC]] and it's the base for [[SenderID]].<br />
<br />
=Functionality=<br />
<br />
An SPF record is a [[DNS]] TXT record that defines which IPs are allowed to send with the domain in question. An example of a very simple SPF record is:<br />
<br />
<pre><br />
example.com descriptive text "v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 -all"<br />
</pre><br />
<br />
In this example, the domain "example.com" is strictly and only allowed to send from IP ''1.2.3.4'' or from the [[CIDR]] network ''4.3.2.0/24'' (4.3.2.1 - 4.3.2.254). This example-record consists of 3 parts:<br />
<br />
# Version (v=spf1)<br />
# Method (ip4:1.2.3.4 ip4:4.3.2.0/24)<br />
# Policy qualifier (-all)<br />
<br />
==Version==<br />
<br />
Since SenderID is deprecated, there is only one SPF version: spf1. <br />
<br />
==Method==<br />
<br />
SPF offers 8 mechanisms:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ SPF methods<br />
|-<br />
! Switch !! Example !! Description<br />
|-<br />
! scope="row"| A <br />
|| <code>A</code> || Matches the domain's A-record.<br />
|-<br />
! scope="row"| All<br />
|| <code>ALL</code> || Matches always. This mechanism is rarely used.<br />
|-<br />
! scope="row"| EXISTS<br />
|| <code>exists:example.com</code> || Matches the IP behind the domain. Can be used with [https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/ SPF macro language] and is rarely used.<br />
|-<br />
! scope="row"| IP4 <br />
|| <code>ip4:4.3.2.0/24</code> || Includes IPv4 addresses.<br />
|-<br />
! scope="row"| IP6 <br />
|| <code>ip6:2001:db8:a::123/64</code> || Includes IPv6 addresses.<br />
|-<br />
! scope="row"| INCLUDE <br />
|| <code>include:subdomain.example.com</code> || Include the results of the SPF record of another domain.<br />
|-<br />
! scope="row"| MX <br />
|| <code>MX</code> || Matches all IPs in the domain's [[MX-Record|MX-record]].<br />
|-<br />
! scope="row"| PTR <br />
|| <code>PTR</code> || Matches only if the reverse DNS (PTR) for the client's address is in the domain in question and the PTR record resolves back to the domain's A or AAAA record. Should be avoided!<br />
|}<br />
<br />
==Policy qualifier==<br />
<br />
The policy qualifier defines what to do when all previous methods fail. The following qualifiers are available:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ SPF policy qualifiers<br />
|-<br />
! Switch !! Name<br />
|-<br />
! scope="row"| +all <br />
|| PASS || SPF returns PASS, even if it fails. This renders SPF obsolete and is not considered valid by all [[ISP]]s.<br />
|-<br />
! scope="row"| ?all <br />
|| NEUTRAL || SPF returns NEUTRAL, even if it fails.<br />
|-<br />
! scope="row"| ~all <br />
|| SOFTFAIL || SPF returns SOFTFAIL when it fails.<br />
|-<br />
! scope="row"| -all <br />
|| FAIL || SPF returns FAIL when it fails. Can break things when using [[mailing lists]].<br />
|}<br />
<br />
Forwarding an E-Mail with the RFC5321.MailFrom unchanged, but from a different IP, breaks SPF authentication. For this reason ''~all'' is sometimes preferred over ''-all''.<br />
<br />
=Alignment=<br />
''Main article: [[Alignment]]''<br />
<br />
SPF aligns when the RFC5321.MailFrom domain matches the [[RFC5322.From]] domain. In laymen terms: When the envelope-from domain matches the sender domain.<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=SPF in InboxSys app=<br />
<br />
To check your SPF record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/domainchecker.php domainchecker] to check your SPF record.<br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]<br />
* [https://app.inboxsys.com/domainchecker.php domainchecker]<br />
* [[wikipedia:Sender_Policy_Framework]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=362Domain-based Message Authentication, Reporting, and Conformance (DMARC)2025-02-01T03:43:19Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=Brand Indicators for Message Identification (BIMI)=<br />
''Main article: [[Brand_Indicators_for_Message_Identification_(BIMI)]]''<br />
<br />
DMARC=pass with a policy set to either "reject" or "quarantine" is a prerequisite for BIMI to work.<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/domainchecker.php domainchecker] to check your DMARC record.<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [[TLSRPT]]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [https://app.inboxsys.com/domainchecker.php domainchecker]<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=361Brand Indicators for Message Identification (BIMI)2025-02-01T03:32:51Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| No<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=360Brand Indicators for Message Identification (BIMI)2025-02-01T03:30:47Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| Unknown<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| Yes<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=359Brand Indicators for Message Identification (BIMI)2025-02-01T03:19:31Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| Unknown<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| No<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=358Brand Indicators for Message Identification (BIMI)2025-02-01T03:17:40Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS Record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI Logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI Certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI Adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| Unknown<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| No<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=357Brand Indicators for Message Identification (BIMI)2025-02-01T03:17:22Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS Record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI Logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI Certificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organization name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI Adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| Unknown<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| No<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Brand_Indicators_for_Message_Identification_(BIMI)&diff=356Brand Indicators for Message Identification (BIMI)2025-02-01T02:59:40Z<p>Sebastian: Created page with "Category:InboxSys Category:Deliverability Category:Authentication Category:Reputation '''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft]. =Prerequisites= BIMI requires a valid and passing DMARC record, with the policy set to either "reject" or "qu..."</p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reputation]]<br />
<br />
'''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft].<br />
<br />
=Prerequisites=<br />
<br />
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". <br />
<br />
=DNS Record=<br />
<br />
A BIMI DNS record is set on a subdomain named '''default._bimi'''. It contains the following elements:<br />
<br />
* A BIMI version (Currently only '''BIMI1''' is available).<br />
* A link to a BIMI '''logo'''.<br />
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC''').<br />
<br />
BIMI DNS records looks like this:<br />
<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==BIMI Logo==<br />
<br />
The logo that's included in the "v"-switch of the BIMI DNS record must comply to the folowing: <br />
<br />
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format.<br />
* The "version" attribute must be set to "1.2"<br />
* A <title> element must be included that reflects the company name.<br />
* A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.<br />
* The image must be sqare. Length and width should have the same value.<br />
* The image size shouldn't exceed 32 Kb.<br />
* No external links or references (other than to the specified XML namespaces) should be included.<br />
* No scripts, animation, or other interactive elements should be included.<br />
* No "x=" or "y=" attributes should be included within the <svg> root element.<br />
* The image should not have a transparent background.<br />
<br />
==BIMI Cerificate==<br />
<br />
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organization name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. <br />
<br />
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt].<br />
<br />
===Difference between VMC and CMC certificates===<br />
<br />
{| class="wikitable"<br />
|+ VMC vs. CMC<br />
! Requirement !! VMC !! CMC<br />
|-<br />
! scope="row"| Trademark Registration<br />
| Yes<br />
| No <br />
|-<br />
! scope="row"| Logo in use<br />
| Can be used immediately<br />
| Must have been in use since 1 year<br />
|}<br />
<br />
=BIMI Adoption by ISPs=<br />
<br />
{| class="wikitable"<br />
|+ Email clients supporting BIMI<br />
! Client !! VMC !! CMC !! Self-Asserted !! Comment<br />
|-<br />
! scope="row"| AOL / Yahoo!<br />
| No<br />
| No<br />
| Yes<br />
| Only for bulk messages from high-reputation domains<br />
|-<br />
! scope="row"| Apple Mail<br />
| Yes<br />
| No<br />
| Unknown<br />
|-<br />
! scope="row"| Fastmail<br />
| No<br />
| No<br />
| Yes<br />
|-<br />
! scope="row"| Gmail<br />
| Yes<br />
| Yes<br />
| No<br />
| Only VMC certificates get a blue checkmark.<br />
|-<br />
! scope="row"| La Poste<br />
| No<br />
| No<br />
| Yes<br />
| Domains without VMCs must be submitted and manually verified by La Poste.<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ BIMI draft]<br />
* [[wikipedia:Brand_Indicators_for_Message_Identification]]<br />
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=355Domain-based Message Authentication, Reporting, and Conformance (DMARC)2025-02-01T00:42:41Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=Brand Indicators for Message Identification (BIMI)=<br />
''Main article: [[Brand_Indicators_for_Message_Identification_(BIMI)]]''<br />
<br />
DMARC=pass with a policy set to either "reject" or "quarantine" is a prerequisite for BIMI to work.<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [[TLSRPT]]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Category:Authentication&diff=354Category:Authentication2025-02-01T00:40:15Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:E-Mail_analysis]]<br />
<strong>E-Mail Authentication</strong><br />
<br />
With E-Mail Authentication we refer to:<br />
<br />
* [[SPF]]<br />
* [[DKIM]]<br />
* [[DMARC]]<br />
<br />
=Authentication results in InboxSys=<br />
<br />
The Authentication results section shows the following items:<br />
<br />
* [[MX-Record]]<br />
* SPF<br />
* [[SPF identifier alignment]]<br />
* DKIM<br />
* [[DKIM identifier alignment]]<br />
* DMARC<br />
* [[BIMI]]<br />
<br />
=E-Mail From-addresses explained=<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ From-address naming table<br />
|-<br />
! Postal Letter !! Email Part !! Precise Term !! Loose phrasing<br />
|-<br />
| Sender on envelope || Message Envelope || [https://tools.ietf.org/html/rfc5321 RFC5321].MailFrom || Bounce address / Returnpath / Envelope-From<br />
|-<br />
| Addressee on envelope || Message Envelope || RFC5321.RcptTo || Recipient<br />
|-<br />
| Sender on letter || Message Header || [https://tools.ietf.org/html/rfc5322 RFC5322].From || Sender address / From:-Header<br />
|}<br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ ECO whitepaper]: E-Mail authentication for senders<br />
* [https://international.eco.de/download/209121/ ECO whitepaper]: E-Mail authentication for recipients<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained</div>Sebastianhttps://docs.inboxsys.com/index.php?title=BIMI&diff=353BIMI2025-02-01T00:38:34Z<p>Sebastian: Redirected page to Brand Indicators for Message Identification (BIMI)</p>
<hr />
<div>#REDIRECT [[Brand_Indicators_for_Message_Identification_(BIMI)]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain_Name_System_(DNS)&diff=352Domain Name System (DNS)2025-02-01T00:36:01Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
The '''Domain Name System''' is a naming system for the internet. It was originally invented to assign names to IPs, because names are more easy to remember than the numbers in IP addresses. meanwhile, DNS has more purposes than to translate names in numbers only. <br />
<br />
=Hierarchy=<br />
<br />
DNS is a hierarchical system. On top of the hierarchy-stryucture of a domain name is the '''[[wikipedia:DNS_root_zone|toplevel domain (TLD)]]'''. Examples of toplevel domains are "[[wikipedia:.com|com]]", "[[wikipedia:.net|net]]", "[[wikipedia:.org|org]]", "[[wikipedia:.nl|nl]]", "[[wikipedia:.berlin|berlin]]" and many more. TLDs are provided by [[wikipedia:Internet_Assigned_Numbers_Authority|IANA]].<br />
<br />
In the example "example.com", "com" is the toplevel domain and "example" is the '''second level domain (SLD)''' or '''public suffix domain (PSD)'''. The PSD is also called "'''organisational domain'''".<br />
<br />
SLD and PSD are not exactly the same thing, because some toplevel domains have a second-level domain included in their hierarchy. One famous example is "[[wikipedia:.uk#Second-level_domains|co.uk]]". <br />
<br />
* In "example.co.uk", "[[wikipedia:.uk|uk]]" is the TLD, "co" is the SLD and "example" is the PSD.<br />
* In "example.com", the TLD is "com" and "example" is the SLD/PSD.<br />
<br />
The '''responsible domain''' is the domain that's on top of a zone. Any responsible domain can have almost infinite subdomains. In our example "sub.example.com", "example.com" is the responsible domain and "sub" is the subdomain. In "sub1.sub2.sub3.example.com", "example.com" is the responsible domain for all subdomain levels. However, if I create a separate zone for "sub.example.com", then "sub.example.com" is a responsible domain on top of it's own hierarchy (see also [[#Domain delegation]]).<br />
<br />
=Record types=<br />
<br />
There are various [[wikipedia:List_of_DNS_record_types|types of records]] with a variety of functions. The most important ones are:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DNS Record Types<br />
|-<br />
! Name !! Purpose !! Lookup result example<br />
|-<br />
! scope="row"| A <br />
|| Assigns an IPv4 address to a name || <pre>$ host -t a example.com<br />
example.com has address 192.168.10.34</pre><br />
|-<br />
! scope="row"| AAAA <br />
|| Assigns an IPv6 address to a name || <pre>host -t aaaa example.com<br />
example.com has IPv6 address fe80::1ff:fe23:4567:890a</pre><br />
|-<br />
! scope="row"| MX <br />
|| Assigns mail-receiving hostnames with priorities to a name || <pre>$ host -t mx example.com<br />
example.com mail is handled by 10 mx2.example.com.<br />
example.com mail is handled by 5 mx1.example.com.</pre><br />
|-<br />
! scope="row"| CNAME <br />
|| Causes this domain to be an alias of another domain || <pre>$ host -t cname aliasdomain.example.net<br />
aliasdomain.example.net is an alias for example.com.</pre><br />
|-<br />
! scope="row"| TXT <br />
|| Holds a piece of text || <pre>$ host -t txt example.com<br />
example.com descriptive text "lorem ipsum"</pre><br />
|-<br />
! scope="row"| PTR <br />
|| Reverse DNS assigns a name to an IP || <pre>$ host -t ptr 192.168.10.34<br />
34.10.168.192.in-addr.arpa domain name pointer example.com.</pre><br />
|-<br />
! scope="row"| NS <br />
|| Delegates a subdomain to one or more nameservers || <pre>$ host -t ns example.com<br />
example.com name server dns2.example.net.<br />
example.com name server dns1.example.net.<br />
</pre><br />
|}<br />
<br />
==A- and AAAA-Record==<br />
<br />
Those two record types assign IPs to domain names. For example, if my domain name is "example.com" and my website is hosted at "192.168.10.34", I need to set an A-Record with the content "192.168.10.34" on "example.com".<br />
<br />
==MX-Record==<br />
<br />
MX Records assign mail servers (MTAs) to a domain. MX records consist of a domain name and a priority:<br />
<br />
* The domain name should contain an A and/or AAAA record with the IP address of the MTA.<br />
* The priority is used to prioritise one MTA over another. In the above example, "mx1.example.com" has the lowest priority (5) and will be tried first. Only if "mx1.example.com" is unavailable, "mx2.example.com" is used. When multiple domains in an MX record have the same priority, a random choice is made (round robin).<br />
<br />
==CNAME Record==<br />
<br />
CNAME records are aliases. Let's stick with the example from the above table and "aliasdomain.example.net" is an alias of "example.com", as you can see from the CNAME record. If we now first query the A-Records and then the MX records for "aliasdomain.example.net", this will be the output:<br />
<br />
<pre><br />
$ host aliasdomain.example.net<br />
aliasdomain.example.net is an alias for example.com.<br />
example.com has address 192.168.10.34<br />
example.com has IPv6 address fe80::1ff:fe23:4567:890a<br />
<br />
$ host -t mx aliasdomain.example.net<br />
aliasdomain.example.net is an alias for example.com.<br />
example.com mail is handled by 10 mx2.example.com.<br />
example.com mail is handled by 5 mx1.example.com.<br />
</pre><br />
<br />
A CNAME record ona domain renders A-, MX- and TXT-records on the same domain invalid. In fact, it's recommended to remove all other records once a CNAME record is available.<br />
<br />
Common use cases for CNAME records are:<br />
<br />
* [[Link- and Imagedomain tracking]]<br />
* [[DKIM key rotation]]<br />
<br />
In both use cases, [[Domain Delegation|domain delegation]] could offer a much better solution. <br />
<br />
==TXT Record==<br />
<br />
TXT records are records that can hold various pieces of text. The most common use case is for domain verification, whereby a provider provides a code and when this code is later found in a DNS TXT record, domain ownership has been verified. Common use cases in E-Mail are:<br />
<br />
===SPF records===<br />
''Main article: [[Sender Policy Framework (SPF)]]''<br />
<br />
Example:<br />
<pre><br />
$ host -t txt _spf.example.com<br />
_spf.example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"<br />
</pre><br />
<br />
===DKIM records===<br />
''Main article: [[DomainKeys Identified Mail (DKIM)]]''<br />
<br />
Example:<br />
<pre><br />
host -t txt selector._domainkey.example.com<br />
selector._domainkey.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"<br />
</pre><br />
<br />
===DMARC records===<br />
''Main article: [[Domain-based Message Authentication, Reporting, and Conformance (DMARC)]]''<br />
<br />
Example:<br />
<pre><br />
$ host -t txt _dmarc.example.com<br />
_dmarc.example.com descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
===BIMI records===<br />
''Main article: [[Brand Indicators for Message Identification (BIMI)]]''<br />
<br />
Example:<br />
<pre><br />
$ host -t txt default._bimi.example.com<br />
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"<br />
</pre><br />
<br />
==PTR Record==<br />
<br />
The reverse lookup is meant to find a name to an IP, instead of the other way around. Because it's not possible to create a DNS zone with an IP, an alias (canonical name) is used for each IP. This alias always has the TLD "arpa", which is reserved for this purpose. IPv4 uses "in-addr.arpa" and IPv6 uses "ip6.arpa".<br />
<br />
Each sending IP should resolve recursively to a domain. This domain is the "hostname". Each hostname should resolve to an IP. This IP should be the same sending IP we started from. <br />
<br />
Example from Gmail with sending IP ''2a00:1450:4864:20::632'':<br />
<br />
<pre><br />
$ host -t ptr 2a00:1450:4864:20::632<br />
2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer mail-ej1-x632.google.com.<br />
<br />
$ host -t aaaa mail-ej1-x632.google.com<br />
mail-ej1-x632.google.com has IPv6 address 2a00:1450:4864:20::632<br />
</pre><br />
<br />
==NS Record==<br />
<br />
Nameserver records are found on responsible domains. They define which nameserver stores the zone file with resource records for this domain. <br />
<br />
=Domain delegation=<br />
<br />
If you create an NS record for a subdomain, this subdomain now is responsible for it's own zone, on top of it's own hierarchy. What used to be a subdomain, is now a responsible domain. <br />
<br />
Because of that, with DNS delegation it's possible for - for example - Jake's nameservers (dns[1|2].example.com) to host the zone for "example.com", while Andrew's nameservers (dns[1|2].example.net) host the zone for "sub.example.com". While Jake still owns "example.com" and all its subdomains, Andrew is now the only person who can set resource records for the subdomain "sub.example.com", until Jake revokes the delegation by removing the NS records from the subdomain.<br />
<br />
=Useful links=<br />
<br />
* [[wikipedia:Domain_Name_System]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Sending_a_message_to_the_seedlist&diff=351Sending a message to the seedlist2024-11-28T16:32:48Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:E-Mail_analysis]]<br />
[[Category:Seeds]]<br />
<strong>Sending a message to the seedlist</strong><br />
<br />
Campaigns are analysed in [[:Category:InboxSys|InboxSys]] app by sending them to a [[:Category:Seeds|seedlist]]. This list consists of 2 parts:<br />
<br />
* The trigger - this is an address ending with @app.inboxsys.com.<br />
* The [[:Category:Reputation|ISP]] seeds - those are the ISP seeds that are sent to Gmail, Outlook.com, Yahoo, Orange.fr and many others.<br />
<br />
=Seedlist=<br />
<br />
You can find your personal seedlist in your InboxSys account by clicking on the cogwheels icon in the far right top.<br />
<br />
The ISP seeds are showing in the "Inbox Delivery"-section on the individual campaign results. This section shows if the seeds have arrived to the inbox, the [[wikipedia:Email_spam|spam]]-folder, or somewhere else. For all mails received, it is possible to show full mail headers.<br />
<br />
In case you would like to test delivery to any ISP not on the list, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
Messages to the trigger address are the messages that get actually [[:Category:E-Mail_analysis|analysed]]. <br />
* A message that is not sent to the trigger address, will not be displayed in InboxSys at all. <br />
* Messages sent to the trigger address only will arrive, but show all ISP seeds as "missing".<br />
<br />
Messages to the seedlist should be sent as list - in single messages. Adding seeds to CC or BCC will distort the final analysis. If you don't have access to an ESP, you can use [https://support.microsoft.com/en-us/office/use-mail-merge-for-bulk-email-letters-labels-and-envelopes-f488ed5b-b849-4c11-9cff-932c49474705 Mail Merge for Microsoft] or [https://addons.thunderbird.net/en-US/thunderbird/addon/mail-merge/ Mail Merge for Thunderbird] to simulate list-sending.<br />
<br />
=Methods of matching triggers to ISP-seeds=<br />
<br />
By default, seeds are matched based on the sender address ''and'' [[subject]]line, it is important that all subjectlines are exactly the same. If [[personalisation]] on the subjectline is being used, personalization variables for each address in the seedlist should have the same content.<br />
<br />
In case your test messages have different sender addresses and/or subject line, you can choose to set a specific X-Header in order to invoke a different method of matching. Available X-Headers/methods are: <br />
<br />
==X-Campaign-ID (BETA)==<br />
<br />
Each time you press "send to list", it's a new "campaign". The X-Campaign-ID contains a unique identifier for a single campaign. Let's say, the campaign ID is "12345678-a". In that case, the X-Campaign-ID should look like this:<br />
<br />
<pre><br />
X-Campaign-ID: <12345678-a><br />
</pre><br />
<br />
Because the campaign ID alone doesn't allow us to match to a specific user account reliably, it's required the campaign has at least one more identifier. This can be the sender address ''or'' the subject. One of both is sufficient, it doesn't matter which one.<br />
<br />
==X-InboxSys-ID (BETA)==<br />
<br />
The X-InboxSys-ID allows you to send your user-ID along with your campaign ID. This way, the campaign can be directly matched to your user account and no further identifiers are required. In this example, those are your user IDs:<br />
<br />
{| class="wikitable" style="margin:auto"<br />
|-<br />
!Account name!!Account ID<br />
|-<br />
|main_account||1234<br />
|-<br />
|sub_account||1235<br />
|}<br />
<br />
Let's say, for example, the trigger of your seedlist is sub_account@app.inboxsys.com and your unique campaign ID is "12345678-b". In that case, your X-InboxSys-ID should look like this:<br />
<br />
<pre><br />
X-InboxSys-ID: <1235_12345678-b><br />
</pre><br />
<br />
As long as your campaign ID is unique, this matches both your user account and the campaign in question. In this case, no further matching is required. Subject, sender and content can be entirely different.<br />
<br />
=InboxSys trigger seed unsubscribes=<br />
<br />
InboxSys calls the headers of all links in all seeds, in order to test if links work. InboxSys is not calling the ''body'' of that link! If this little check unsubscribes immediately, that indicates a few severe flaws in the unsubscribe mechanism.<br />
<br />
First of all, no-one uses a single-click [[unsubscribe]] in the bottom of an E-Mail. It's legally allowed to use a dual-click unsubscribe, so that is the common standard. When you click on an unsusbscribe link, the landing page should show a confirmation dialog. Otherwise, you get bot-unsubscribes! That is basically what we have here: a bot-unsubscribe.<br />
<br />
Secondly, we are calling the header of the page, but not the body. Even if there is no dialog, calling the header should only send back header information, but not execute actions that are typically taken ''after'' the ''full page'' has loaded.<br />
<br />
An immediate unsubscribe upon only calling the header of a page looks symptomatic to a [[List-Unsubscribe]] link. LU have opposite requirements and best practices from standard unsubscribe links. InboxSys never calls a List-Unsubscribe link, for this exact, obvious reason.<br />
<br />
==Troubleshooting unsubscribes==<br />
<br />
* Check your logs to see the reason for the unsubscription<br />
* Request Information from your ESP to explain why this has happened<br />
* InboxSys can assist to converse with ESP to see if their approach can be changed<br />
* Ensure the InboxSys trigger seed is safe-listed<br />
<br />
=Useful links=<br />
<br />
* [https://inboxsys.com/what-is-a-seed-list/ Blog article on seedlists]<br />
* [https://app.inboxsys.com/login.php InboxSys login]<br />
* [https://app.inboxsys.com/login.php?showform=createaccount InboxSys registration]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=350TLSRPT2024-11-01T20:52:45Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
<br />
TLSRPT is used to send back feedback reports about TLS connections made while sending E-Mail. It's used to gain insight on the implementation of [[MTA-STS]] and or [[DANE]]. In praxis, many reporting organisations require a valid MTA-STS policy ("testing", "enforce" or "none"), before any reports are sent.<br />
<br />
MTA-STS was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461], which states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=349TLSRPT2024-11-01T20:52:27Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
<br />
TLSRPT is used to send back feedback reports about TLS connections made while sending E-Mail. It's used to gain insight on the implementation of [[MTA-STS]] and or [[DANE]]. In praxis, many reporting organisations require a valid MTA-STS policy ("testing", "enforce" or "none"), before any reports are sent.<br />
<br />
MTA-STS was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461], which states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot DANE.<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=348TLSRPT2024-11-01T20:52:10Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
<br />
TLSRPT is used to send back feedback reports about TLS connections made while sending E-Mail. It's used to gain insight on the implementation of [[MTA-STS]] and or [[DANE]]. In praxis, many reporting organisations require a valid MTA-STS policy ("testing", "enforce" or "none"), before any reports are sent.<br />
<br />
MTA-STS was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461], which states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=MTA-STS&diff=347MTA-STS2024-11-01T20:45:36Z<p>Sebastian: Created page with "Category:Deliverability Category:Authentication In modern E-Mail communication, Opportunistic TLS is common. This means that TLS encryption for the transition of E-Mail is negotiated by MTAs on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. MTA-STS was introduced in [https://tools.ietf.org/h..."</p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
MTA-STS was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to secure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails.<br />
<br />
=Configuration and setup=<br />
<br />
MTA-STS is set up on a so-called "policy domain". This is the domain that holds the policy. Each [[RFC5322.From]] domain should have it's own MTA-STS policy configuration. Subdomains don't automatically inherit MTA-STS settings. <br />
<br />
MTA-STS consists of two components:<br />
<br />
* Policy file<br />
* DNS record<br />
<br />
==Policy file==<br />
<br />
The policy file is stored on a webhost in the ".well-known" webdirectory with a subdomain of the policy domain named "mta-sts" and the filename named "mta-sts.txt". It must be reachable from outside and contain the following keys: <br />
<br />
* version: This is the mta-sts version used. Currently, "STSv1" is the only valid value.<br />
* mode: This can be either<br />
** testing: Testing mode,<br />
** enforce: Enforced TLS, or<br />
** none: MTA-STS is disabled. May be useful to receive TLSRPT reports only.<br />
* mx: Each MX has its own line.<br />
* max_age: Should not exceed 31557600 (~1 year).<br />
<br />
For example, the policy domain for policydomain.TLD is located at https://mta-sts.policydomain.TLD/.well-known/mta-sts.txt and contains the following text: <br />
<br />
<pre><br />
version: STSv1<br />
mode: enforce<br />
mx: mta1.policydomain.TLD<br />
mx: mta2.policydomain.TLD<br />
max_age: 86400<br />
</pre><br />
<br />
==DNS record==<br />
<br />
In order to tell the world that a particular domain is an MTA-STS policy domain, it's required to create another subdomain with a TXT record present. The subdomain is "_mta-sts" and the TXT record syntax has two switches: <br />
<br />
* v: For "version". This is exactly the same key/value pair as in the policy file. "STSv1" currently is the only valid value.<br />
* id: A unique and incremental number, indicating the version update of the policy. This number should be changed each time the policy file is modified. It's recommended to use a generic value, such as date and time. <br />
<br />
For example, policy domain "policydomain.TLD" could have the following DNS TXT MTA-STS record: <br />
<br />
<pre><br />
_mta-sts.policydomain.TLD. IN TXT "v=STSv1; id=202403010850;"<br />
</pre><br />
<br />
=TLS reporting=<br />
<br />
''Main article: [[TLSRPT]]<br />
<br />
RFC 8461 states that <q>MTA-STS is intended to be used along with TLS reporting (TLSRPT)</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=346TLSRPT2024-11-01T19:53:59Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]]. Unfortunately, without a valid MTA-STS policy ("testing", "enforce" or "none"), most reporting organisations don't send reports at all.<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=345TLSRPT2024-11-01T19:42:10Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=SSL/TLS&diff=344SSL/TLS2024-10-10T16:20:15Z<p>Sebastian: Redirected page to TLS</p>
<hr />
<div>#REDIRECT [[TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=343TLSRPT2024-10-08T22:29:58Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that [[TLS]] encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, DNSSEC, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain_and_IP_settings&diff=342Domain and IP settings2024-10-07T18:49:43Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Configuration]]<br />
[[Category:Authentication]]<br />
[[Category:IP monitor]]<br />
<strong>How to configure domains and IPs in InboxSys</strong><br />
<br />
"Domain settings" in InboxSys are used to:<br />
<br />
* Configure the [[domainchecker]]<br />
* [[:Category:IP_monitor|Monitor IPs]]<br />
* Set an [[SNDS]] API Key<br />
<br />
Domain settings are found by clicking the cogwheels in the far right top, selecting "account settings" and "Domain settings". The form shown has 3 sections with the following options:<br />
<br />
# Link domain template<br />
## Cname<br />
# Sender domain template<br />
## [[MX-Record|MX-record]]<br />
## Default [[SPF]] / [[SenderID]] record<br />
## Alternative SPF /SenderID record<br />
## Default [[DKIM]] [[DomainKeys_Identified_Mail_(DKIM)#Selector|selector]]<br />
## Default DKIM key<br />
## Alternative DKIM selector<br />
## Alternative DKIM key<br />
# Formatting<br />
<br />
=Template system=<br />
<br />
The dropdown menus for linkdomains and senderdomains how all link- and senderdomains that can be found in the messages in your account. Picking an option from the linkdomain template automatically changes the CNAME field to show the setting from the selected domain. Picking an option from the senderdomain template automatically changes the MX, default SPF, alternative SPF, default DKIM Key and default DKIM selector fields to show the settings from the selected domain. The alternative DKIM key and the alternative DKIM selector remain unchanged.<br />
<br />
The template system is the way to configure all fields at once, especially when you are unsure what to set. However, it is only possible to use the template system after you have [[Sending_a_message_to_the_seedlist|received one or more campaigns to the seedlist trigger address]].<br />
<br />
=Cname=<br />
<br />
Cname's are used for link redirection. All CNAME records that should be considered "correct" by the domainchecker can be entered in this field, separated by pipes.<br />
<br />
Example: 2 domains are used for redirection across all messages: '''link.example.com''' and '''image.example.com'''. The following lookups apply:<br />
<br />
<pre><br />
$ host -t cname link.example.com<br />
link.example.com is an alias for example.org.<br />
<br />
$ host -t cname image.example.com<br />
image.example.com is an alias for example.net.<br />
</pre><br />
<br />
In this constellation, the correct setting to put in this field is: "'''example.org|example.net'''"<br />
<br />
=MX record=<br />
<br />
All MX records that should be considered "correct" by the domainchecker can be entered in this field, separated by pipes.<br />
<br />
=SPF / SenderID (default and alternative)=<br />
[[File:ip2cidr1.png|thumb|Converting an IP range starting with 1]]<br />
<br />
All IP networks that should be considered "correct" by the domainchecker when checking for SPF or SenderID can be entered in this field, separated by pipes.<br />
<br />
Example: Mail is primarilly sent from IPS A. Some streams go out via ISP B and rarely, Mails are being sent out from the local infrastructure. ESP A allows sending via the networks 127.0.0.0/24, 127.0.1.0/23 and 127.0.3.0/24. ESP B is allows sending via the networks 127.1.0.0/24 and 127.1.1.0/24 and the IP for the local infrastructure is 127.5.5.123. We want to set IPs fom ESP A as default and all other IPs as alternative. The correct settings are:<br />
<br />
<pre><br />
Default SPF: 127.0.0.0/24|127.0.1.0/23|127.0.3.0/24<br />
<br />
Alternative SPF: 127.1.0.0/24|127.1.1.0/24|127.5.5.123/32<br />
</pre><br />
<br />
==Adding multiple IPs to the IP monitor==<br />
[[File:Ip2cidr2.png|thumb|Converting an IP range starting with 0]]<br />
<br />
IPs can be added individually or in correct [[CIDR]] ranges. CIDR stands for "Classless Inter-Domain Routing".<br />
<br />
* A /24 CIDR range starts from 0 in the fourth octet (class D as in A.B.C.D) and has 255 wildcard bits (Mask: 255.255.255.0).<br />
* A /32 range is a single address with 0 wildcard bits (Mask: 255.255.255.255).<br />
* The /0 range holds all IPs worldwide (that's 4.294.967.296 IPs) it starts from 0.0.0.0, ends with 255.255.255.255 and 255.255.255.255 also covers its wildcard bits (Mask: 0.0.0.0).<br />
<br />
Use [https://www.calculator.net/ip-subnet-calculator.html a subnet calculator] to calculate CIDR ranges.<br />
<br />
Example: <br />
<br />
Let's say, we want to monitor the following list of IPs: <br />
<br />
* 192.168.236.1 to 192.168.236.32<br />
* 192.168.236.49 to 192.168.236.50<br />
* 192.168.236.65 to 192.168.236.88<br />
* 192.168.236.97 to 192.168.236.104<br />
* 192.168.236.113 to 192.168.236.114<br />
* 192.168.236.129 to 192.168.236.152<br />
* 192.168.236.161 to 192.168.236.168<br />
* 192.168.236.177<br />
* 192.168.236.181<br />
* 192.168.236.193 to 192.168.236.200<br />
* 192.168.236.209 to 192.168.236.232<br />
* 192.168.236.245<br />
<br />
Let's start with the first line. That line contains the first 32 IPs in the /24 CIDR range, which includes 254 IPs. In fact, I found a nice website to help doing so: If you look at [https://ipaddressguide.com/cidr ipaddressguide.com], you can convert an address range to CIDR. I did this with the exact range provided. If I take the result and split the ranges with pipes, the following should be added to InboxSys: <br />
<br />
<pre><br />
192.168.236.1/32|192.168.236.2/31|192.168.236.4/30|192.168.236.8/29|192.168.236.16/28|192.168.236.32/32<br />
</pre><br />
<br />
However, there is one thing to notice here. CIDR ranges typically start from 0 and not from 1. If we take in the 0, as in the second thumbnail on this page, then this is all we need to add to get the exact same result:<br />
<br />
<pre><br />
192.168.236.0/27|192.168.236.32/32<br />
</pre><br />
<br />
The following example adds '''159''' IPs to the monitor, including the '''138''' IPs from the list above:<br />
<br />
<pre><br />
192.168.236.0/27|192.168.236.32/32|192.168.236.49/32|192.168.236.50/32|192.168.236.64/27|192.168.236.96/27|192.168.236.113/32|192.168.236.114/32|192.168.236.128/27|192.168.236.161/29|192.168.236.168/32|192.168.236.177/32|192.168.236.181/32|192.168.236.192/29|192.168.236.200/32|192.168.236.208/28|192.168.236.224/29|192.168.236.232/32|192.168.236.245/32<br />
</pre><br />
<br />
The following example adds '''254''' IPs to the monitor, including the '''138''' IPs from the list above. It's a full /24 CIDR range:<br />
<br />
<pre><br />
192.168.236.0/24<br />
</pre><br />
<br />
=DKIM selector (default and alternative)=<br />
<br />
Each DKIM selector field can hold one selector. This way, it is possible to add max. 2 selectors, for the domainchecker to consider "correct" on your domains.<br />
<br />
=DKIM key (default and alternative)=<br />
<br />
Each DKIM key field can hold one DKIM key. This way, it is possible to add max. 2 public keys, for the domainchecker to consider "correct" when checking DKIM settings on your domains.<br />
<br />
=Formatting=<br />
<br />
This dropdown menu shows all possible output formats for the copy/paste section in the domainchecker and other query outputs. This feature was designed to paste query results directly from InboxSys in a ticket, formatted according to the ticket system used. In case you need any format which is not in the list, or you need any other help configuring the Domain Settings, please don't hesitate to create a [https://support.inboxsys.com/login?back_url=https%3A%2F%2Fsupport.inboxsys.com%2Fissues%2Fnew support ticket].<br />
<br />
=Useful links=<br />
<br />
* https://www.calculator.net/ip-subnet-calculator.html - a subnet calculator<br />
* [[wikipedia:Classless_Inter-Domain_Routing]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=341TLSRPT2024-10-07T16:10:49Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that TLS encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, DNSSEC, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=340TLSRPT2024-10-07T16:03:07Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that TLS encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connnections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that <q>MTA-STS is intended to be used along with TLSRPT</q> ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, DNSSEC, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=339TLSRPT2024-10-07T16:01:11Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that TLS encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement can be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connnections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that _MTA-STS is intended to be used along with TLSRPT_ ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, DNSSEC, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=TLSRPT&diff=338TLSRPT2024-10-07T16:00:34Z<p>Sebastian: Created page with "Category:Deliverability Category:Reporting In modern E-Mail communication, Opportunistic TLS is common. This means that TLS encryption for the transition of E-Mail is negotiated by MTAs on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement van be reached, mail is transferred unencrypted. MTA-STS was introduced in [https://tools.ietf.org/html/rf..."</p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Reporting]]<br />
In modern E-Mail communication, [[wikipedia:Opportunistic_TLS|Opportunistic TLS]] is common. This means that TLS encryption for the transition of E-Mail is negotiated by [[MTA]]s on both ends. If two MTAs can agree on a TLS encryption method and cypher, transit proceeds TLS encrypted. If, however, no agreement van be reached, mail is transferred unencrypted. <br />
<br />
[[MTA-STS]] was introduced in [https://tools.ietf.org/html/rfc8461 RFC 8461]. It's main purpose is to assure TLS connnections. MTA-STS compliant Mail is returned to the sender if the TLS negotiation fails. RFC 8461 states that _MTA-STS is intended to be used along with TLSRPT_ ([https://tools.ietf.org/html/rfc8460 RFC 8460]). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.<br />
<br />
TLSRPT is also used to monitor and troubleshoot [[DANE]].<br />
<br />
=Configuring TLSRPT=<br />
<br />
TLSRPT is configured with a DNS record on a specific subdomain of your [[Organisational Domain|organisational domain]], which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this: <br />
<br />
<pre><br />
$ host -t txt _smtp._tls.senderdomain.TLD<br />
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"<br />
</pre><br />
<br />
Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about: <br />
<br />
* Volume / Reporting organisations<br />
* TLS successes and failures<br />
* Information about policies used (MTA-STS, TLSA, DANE, DNSSEC, etc.)<br />
<br />
=TLS reports with InboxSys=<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for [[DMARC]] and TLSRPT. <br />
<br />
=Useful links=<br />
<br />
* [https://tools.ietf.org/html/rfc8460 RFC 8460]: TLSRPT RFC<br />
* [https://tools.ietf.org/html/rfc8461 RFC 8461]: MTA-STS RFC<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:Opportunistic_TLS]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=337Domain-based Message Authentication, Reporting, and Conformance (DMARC)2024-10-07T15:04:28Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [[TLSRPT]]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=336Domain-based Message Authentication, Reporting, and Conformance (DMARC)2024-10-07T15:03:22Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [TLSRPT]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [https://inboxsys.com/dmarc-monitor/ InboxSys DMARC Monitor]<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=335Domain-based Message Authentication, Reporting, and Conformance (DMARC)2024-10-07T15:01:55Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document] from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [TLSRPT]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Domain-based_Message_Authentication,_Reporting,_and_Conformance_(DMARC)&diff=334Domain-based Message Authentication, Reporting, and Conformance (DMARC)2024-10-07T15:01:21Z<p>Sebastian: </p>
<hr />
<div>[[Category:Deliverability]]<br />
[[Category:Authentication]]<br />
[[Category:Reporting]]<br />
A '''DMARC (Domain-based Message Authentication, Reporting, and Conformance)''' record is a [[DNS]] TXT record for a subdomain named ''_dmarc'' on any senderdomain ([[RFC5322.From]]). [[SPF]] ''or'' [[DKIM]] are requirements. At least one of both methods needs to align for DMARC to pass. <br />
<br />
Example:<br />
<br />
<pre><br />
$ host -t txt _dmarc.senderdomain.TLD<br />
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"<br />
</pre><br />
<br />
=On which domains to set a DMARC record=<br />
<br />
DMARC records can be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.<br />
<br />
[https://tools.ietf.org/html/rfc7489#section-3.1 RFC7489 Section 3.1] states: <br />
<br />
<blockquote><br />
DMARC authenticates use of the RFC5322.From domain by requiring that<br />
it match (be aligned with) an Authenticated Identifier. The<br />
RFC5322.From domain was selected as the central identity of the DMARC<br />
mechanism because it is a required message header field and therefore<br />
guaranteed to be present in compliant messages, and most Mail User<br />
Agents (MUAs) represent the RFC5322.From field as the originator of<br />
the message and render some or all of this header field's content to<br />
end users.<br />
</blockquote><br />
<br />
[https://tools.ietf.org/html/rfc7489#section-2.2 RFC7489 Section 2.2] mentions to be "out of scope":<br />
<br />
<blockquote><br />
evaluation of anything other than RFC5322.From;<br />
</blockquote><br />
<br />
=Switches=<br />
<br />
Each DMARC record consists of various switches. The most important switches are: <br />
<br />
{| class="wikitable" style="margin:auto"<br />
|+ DMARC record switches<br />
|-<br />
! Switch !! Example !! Description !! Required<br />
|-<br />
! scope="row"| v <br />
|| <code>v=DMARC1</code> || Version || Required<br />
|-<br />
! scope="row"| p <br />
|| <code>p=reject</code> || Policy || Required<br />
|-<br />
! scope="row"| rua <br />
|| <code>rua=mailto:dmarc@dmarc.example.com</code> || Aggregated reports || Optional<br />
|-<br />
! scope="row"| ruf <br />
|| <code>ruf=mailto:dmarc@dmarc.example.com</code> || Failure / forensic reports || Optional<br />
|-<br />
! scope="row"| adkim <br />
|| <code>adkim=s</code> || DKIM alignment || Optional<br />
|-<br />
! scope="row"| aspf <br />
|| <code>aspf=r</code> || SPF alignment || Optional<br />
|-<br />
! scope="row"| rf <br />
|| <code>rf=afrf</code> || Reporting format || Optional<br />
|-<br />
! scope="row"| pct <br />
|| <code>pct=100</code> || Percentage || Optional<br />
|}<br />
<br />
==Policy (p)==<br />
<br />
The main purpose for DMARC is to set a policy (p). This policy contains the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:<br />
<br />
* '''none''': to do nothing when authentication fails<br />
* '''quarantine''': to put the mail in the [[wikipedia:Email_spam|SPAM]] folder when authentication fails<br />
* '''reject''': to the message when authentication fails.<br />
<br />
Only by using the ''reject'' policy can a domain be fully protected. "'''Unauthenticated'''" means, SPF and / or DKIM do not align.<br />
<br />
DMARC allows ISPs to rely not only on IP reputation, but also on '''domain reputation'''. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.<br />
<br />
It is a common mistake to configure DMARC for reporting (with "p" set to "none" or "quarantine") and to forget about it afterwards. Loss in reputation comes gradually over time and is often only noticed when it's already too late. By thumb of fist it takes about as long to fix a broken reputation as it has taken this reputation to break.<br />
<br />
==Reporting==<br />
<br />
===Aggregated reports (ruf/rua)===<br />
<br />
A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:<br />
<br />
* '''rua''': aggregated reports (recommended)<br />
* '''ruf''': forensic reports (not recommended)<br />
<br />
Bot ruf and rua switch should contain a functional '''mailto-link''' where failure- and aggregated reports can be sent. It's important to receive, read and process those reports. The following example configures DMARC for all reporting, but reporting only (test-mode):<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
DMARC reporting alone - as in the above example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.<br />
<br />
Once the reports show it's safe to reject unauthenticated mail, the following example provides full protection: <br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com;"<br />
</pre><br />
<br />
===Failure (or forensic) reports (ruf)===<br />
<br />
Forensic reports (ruf) are very rare for 2 reasons:<br />
<br />
* High volume: failure reports generate a single report for each individual mail that failed authentication.<br />
* Privacy: Failure Reports are not compliant to GDPR. ARF Reports generally contain personal data, such as IPs.<br />
<br />
It is generally recommended to refrain from setting a ruf-switch at all.<br />
<br />
==Alignment (adkim/aspf)==<br />
''Main article: [[Alignment]]''<br />
<br />
Alignment means, domains used for authentication mechanisms match with the sender domain (RFC5321.MailFrom or "returnpath"). DMARC only passes when either SPF identifiers or DKIM align.<br />
<br />
* The domain used to authenticate '''SPF''' is the [[RFC5321.MailFrom]] domain or "sender domain". To see SPF identifier aligment, it's required for the RFC5321.MailFrom domain to match the [[RFC5322.From]] domain.<br />
* The domain used to authenticate '''DKIM''' is the domain used by the sending mail server to sign DKIM. To see DKIM identifier aligment, it's required for the domain used to sign DKIM to match the RFC5322.From domain.<br />
<br />
Here is an example of a DMARC record with aspf and adkim switches set to "strict":<br />
<br />
<pre><br />
$ host -t txt _dmarc.sub.domain.TLD<br />
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s;"<br />
</pre><br />
<br />
# '''aspf''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
# '''adkim''': SPF alignment. Options are "'''s'''" for "'''strict'''" or "'''r'''" for "'''relaxed'''".<br />
<br />
* '''Strict''' alignment means, the matching domains are exactly the same.<br />
* '''Relaxed''' alignment means, the matching domains have a same superior domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align relaxed.<br />
<br />
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".<br />
<br />
=Controversy around SPF=<br />
''Main article: [[Controversy around SPF]]''<br />
<br />
=DMARC in InboxSys app=<br />
<br />
To check your DMARC record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].<br />
<br />
==DMARC reports with InboxSys==<br />
<br />
[https://international.eco.de/download/223621/ This document from [https://international.eco.de/ ECO] explains in detail how to monitor DMARC reports with several open source tools. On request, [https://inboxsys.com/dmarc-monitor/ InboxSys hosts a DMARC monitor] consisting of [https://github.com/domainaware/parsedmarc Parsedmarc], [https://github.com/elastic/elasticsearch Elasticsearch] and a [https://github.com/elastic/kibana Kibana] dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and [TLSRPT]. <br />
<br />
=Useful links=<br />
<br />
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]<br />
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]<br />
* [https://tools.ietf.org/html/rfc7489 RFC 7489]: DMARC RFC<br />
* [https://dmarc.org/overview/ dmarc.org]: Functionality of DMARC<br />
* [https://inboxsys.com/authentication-and-alignment/ InboxSys blog]: Authentication and alignment<br />
* [https://inboxsys.com/dmarc-explained/ InboxSys blog]: DMARC explained<br />
* [[wikipedia:DMARC]]</div>Sebastianhttps://docs.inboxsys.com/index.php?title=Category:IP_monitor&diff=333Category:IP monitor2024-10-07T14:16:24Z<p>Sebastian: </p>
<hr />
<div>[[Category:InboxSys]]<br />
[[Category:Reporting]]<br />
[[:Category:InboxSys|InboxSys]] monitors IPs on a daily base and stores the results for 30 days. Not only the sending IPs of campaigns that have been sent to the [[:Category:Seeds|seedlist]] are tested, but also the IPs that can be found in the default and alternative IPs in your [[Domain and IP settings]] (account settings -> domain settings).<br />
<br />
The folowing items are being monitored:<br />
<br />
* PTR consistency<br />
* Blocklistings<br />
* Whitelistings<br />
* SenderScore<br />
* and if an [[SNDS|SNDS API key is present in account settings]], SNDS results<br />
<br />
Clicking on single IPs visualizes the IP history over the past 30 days. The Date-field allows switching the current view to any date in the past 30 days.<br />
<br />
The "search IPs" field can be used to search for single IPs. /24 Netblocks can be found by searching for the first 3 octetts in an IP address. In addition to that, the "search IPs" field will match non-numeric phrases, such as blacklists or whitelists, as well.<br />
<br />
The full list, or the current output, can be exported in CSV.</div>Sebastian