丁久
Posted on • Originally published at dingjiu1989-hue.github.io

Email Security

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Introduction

Email remains the primary attack vector for most organizations. Phishing, business email compromise (BEC), and spam represent significant risks. A robust email security strategy combines authentication protocols, gateway filtering, and user awareness training.

SPF, DKIM, and DMARC

These three DNS-based authentication protocols work together to verify email sender legitimacy and prevent domain spoofing.

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email for a domain via DNS TXT records.

example.com. TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all"

Mechanisms: ip4, ip6, include, a, mx, exists, all. Qualifiers prefix a mechanism: + (pass, the default when none is given), - (fail), ~ (softfail), ? (neutral). Use -all for strict enforcement after testing with ~all.

DKIM (DomainKeys Identified Mail)

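DKIM adds a digital signature, carried in the DKIM-Signature header, that covers selected headers and the body. Receivers fetch the public key from DNS and use it to verify that the signed content was not modified in transit.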

# Generate DKIM key pair with OpenSSL
openssl genrsa -out dkim-private.pem 2048
openssl rsa -in dkim-private.pem -pubout -out dkim-public.pem

# Extract public key for DNS record (-A emits one unwrapped line for the p= tag)
openssl rsa -pubin -in dkim-public.pem -outform DER | openssl base64 -A

DNS record for DKIM:

default._domainkey.example.com. TXT "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receiving mail servers how to handle messages that fail DMARC evaluation, meaning neither SPF nor DKIM produces a pass for a domain aligned with the From header domain. It also provides reporting on authentication results.

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100; fo=1"

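Key tags: p (policy: none/quarantine/reject), rua (aggregate report address), ruf (forensic report address), pct (percentage of failing messages the policy is applied to), sp (subdomain policy), adkim/aspf (DKIM/SPF alignment mode: r for relaxed, s for strict), fo (failure reporting options).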
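
How the three records combine at the receiver, shown as an added example that is not from the original article: a simplified DMARC evaluation over the record above. It assumes SPF and DKIM results are already computed, approximates the organizational domain as the last two labels, and ignores pct; the function names and sample domains are constructed for illustration.

```python
# Added example: simplified DMARC evaluation. Sample inputs are constructed.
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
               "ruf=mailto:forensic@example.com; pct=100; fo=1")

def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, which matters for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; 'r' (default) = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, record_domain, from_domain, spf, dkim_sigs):
    """spf: (result, MAIL FROM domain); dkim_sigs: [(result, d= domain), ...].
    Returns (dmarc_pass, policy_to_apply)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags.get("p", "none")
    if from_domain.lower() != record_domain.lower():
        policy = tags.get("sp", policy)  # record inherited by a subdomain
    return False, policy

if __name__ == "__main__":
    cases = {
        "SPF passes for an unrelated envelope domain, no DKIM":
            (("pass", "mailer.test"), []),
        "third-party sender, DKIM signed as mail.example.com":
            (("pass", "bounce.esp.test"), [("pass", "mail.example.com")]),
    }
    for name, (spf, sigs) in cases.items():
        print(name, "->", dmarc_disposition(PAGE_RECORD, "example.com", "example.com", spf, sigs))
```

The first case shows why an SPF pass alone does not satisfy DMARC: the envelope domain that passed is not aligned with the From domain, so the quarantine policy applies.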

Email Gateway Deployment

Email gateways filter inbound and outbound traffic, applying policy controls, antivirus scanning, URL rewriting, and attachment sandboxing.

# Sample gateway filtering policy
inbound_policies:

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.
