Difference between revisions of "AWS SES"

From Indie IT Wiki
imported>Plittlefield
 
 
Latest revision as of 09:38, 16 May 2022

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.

DNS

A reverse DNS lookup returns the hostname (PTR record) published for an IP address; a forward lookup does the opposite and returns the IP addresses for a hostname. Receiving mail servers do a reverse lookup on the IP that connects to them, then a forward lookup on the name that comes back, and treat the sender as confirmed only if that name resolves to the same IP (forward-confirmed reverse DNS, reported as the "iprev" check by the port25 verifier further down this page). Whoever controls an IP's reverse zone can publish any PTR name they like, so the forward confirmation is the part that ties the name to its real owner; mail from an IP with no PTR record, or one that does not confirm, is widely scored as spam. The links below cover getting the PTR record set for an AWS or Lightsail IP.

Configuring reverse DNS for an email server

Amazon Lightsail Configuring Reverse DNS For Email

AWS Console Support Reverse DNS Limit Request Form
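The forward-confirmed reverse DNS check described above, as an added example that is not code from the original page or from AWS. The PTR and A answers are constructed tables standing in for the resolver (documentation-range IPs, made-up hostnames); the second IP shows why the forward step matters: its PTR claims a bank's hostname, but that name does not resolve back to it.

```python
"""Forward-confirmed reverse DNS (the "iprev" check) over constructed data.

Added example for this page, not AWS or SES code. The lookup tables below
are constructed; a real verifier would query the resolver instead.
"""

# Constructed PTR answers: connecting IP -> hostnames claimed by the IP's owner.
PTR = {
    "198.51.100.10": ["mail.example.com"],
    "198.51.100.11": ["mail.bank.example"],              # claims a name it does not own
    "198.51.100.12": ["mx1.example.net", "mx2.example.net"],
}

# Constructed A answers: hostname -> IPs, controlled by the name's owner.
ADDR = {
    "mail.example.com": ["198.51.100.10"],
    "mail.bank.example": ["203.0.113.5"],
    "mx1.example.net": ["198.51.100.20"],
    "mx2.example.net": ["198.51.100.12"],
}


def ptr_lookup(ip, table=PTR):
    """Reverse lookup stand-in: PTR names for an IP (empty list if none)."""
    return table.get(ip, [])


def addr_lookup(name, table=ADDR):
    """Forward lookup stand-in: IPs for a hostname (empty list if none)."""
    return table.get(name.lower().rstrip("."), [])


def iprev(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Return (result, hostname) using the RFC 8601 'iprev' result names.

    pass:      some PTR name resolves forward to the connecting IP.
    fail:      PTR names exist but none resolves back to the IP, so the
               claimed name is not confirmed by the name's owner.
    permerror: no PTR data is published for the IP at all.
    (temperror, for resolver failures, cannot occur with static tables.)
    """
    names = ptr(ip)
    if not names:
        return "permerror", None
    for name in names:
        if ip in addr(name):
            return "pass", name.lower().rstrip(".")
    return "fail", names[0]


if __name__ == "__main__":
    for client_ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.1"):
        print(client_ip, iprev(client_ip))
```

The second case is the one to remember when reading a Received: header: a PTR name alone proves nothing about who the sender is, only the forward confirmation does.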

Authentication

Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):

  • SPF: A TXT record on the domain used as the SMTP MAIL FROM (envelope sender) listing the IP ranges and included domains authorized to send for it; the receiving server checks the connecting IP against that list.
  • DKIM: A signature over selected headers and the body, made with a private key held by the sender and verified against a public key published in DNS under the signing domain (the d= tag); it shows that the signed parts were not changed in transit and that a holder of that domain's key sent the message.
  • DMARC: A policy record on the domain in the visible From: header telling receivers what to do (none, quarantine or reject) with mail that fails DMARC, where failing means neither SPF nor DKIM passed with a domain that aligns with the From: domain; it also names where aggregate and failure reports are sent.
  1. Problems with Emails Received from Amazon SES
  2. Authenticating Your Email in Amazon SES
  3. Authenticating Email with DKIM in Amazon SES
  4. Authenticating Email with SPF in Amazon SES
  5. Complying with DMARC Using Amazon SES

SPF

Example for the domain SES is sending as, with ~all so that mail from any other source is a softfail rather than a hard fail...

example.com TXT "v=spf1 include:amazonses.com ~all"

Receivers evaluate SPF on the SMTP MAIL FROM domain, not on the From: header. By default SES uses a subdomain of amazonses.com as MAIL FROM, so SPF passes on amazonses.com but does not align with From: example.com for DMARC; DKIM provides the alignment in that setup. To get an aligned SPF pass you configure a custom MAIL FROM domain in SES, and because SPF records are not inherited by subdomains, a MAIL FROM subdomain such as bounce.example.com needs the same record published on that name. Keep include: chains short: a record that takes more than 10 DNS lookups to evaluate is a permanent error, one of the mistakes listed in the link below.

Common SPF Mistakes

SPF Checker
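A small SPF evaluator, added here as an example and not code from the original page or from AWS, to show what a receiver does with the record above: it walks the terms, follows include:amazonses.com, counts DNS lookups against the 10-lookup limit from the "Common SPF Mistakes" link, and returns the RFC 7208 result. The DNS answers are a constructed table; the record it shows for amazonses.com is an illustrative stand-in, not Amazon's real record, and the loopy.example record is constructed to trip the lookup limit. Only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Toy SPF (RFC 7208) evaluator over a constructed DNS table.

Added example for this page, not AWS or SES code. All TXT answers below
are constructed; the amazonses.com record is a stand-in, not the real one.
"""
import ipaddress

# Constructed TXT answers: MAIL FROM domain -> SPF record.
DNS_TXT = {
    "example.com": "v=spf1 include:amazonses.com ~all",                   # from the page
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",  # stand-in
    "loopy.example": "v=spf1 include:loopy.example -all",                 # include loop
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=DNS_TXT, _lookups=None):
    """Evaluate ip as a sender for the MAIL FROM domain.

    Returns (result, dns_lookups_used); result is one of pass, fail,
    softfail, neutral, none, permerror (RFC 7208 section 2.6).
    """
    lookups = _lookups if _lookups is not None else [0]   # shared across includes
    record = txt.get(domain.lower().rstrip("."))
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:
            # Modifier. redirect= would need another lookup; not implemented.
            if term.lower().startswith("redirect="):
                return "permerror", lookups[0]
            continue  # unknown modifiers are ignored (RFC 7208 section 6)
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual], lookups[0]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups[0]
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], lookups[0]
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS or not arg:
                return "permerror", lookups[0]
            sub, _ = check_host(ip, arg, txt, lookups)
            if sub == "pass":
                return QUALIFIERS[qual], lookups[0]
            if sub in ("none", "permerror"):
                return "permerror", lookups[0]  # RFC 7208 section 5.2
            continue  # fail/softfail/neutral inside the include: try next term
        # a, mx, ptr and exists also count toward the limit; not implemented here
        return "permerror", lookups[0]
    return "neutral", lookups[0]  # no term matched and no "all" (section 4.7)


if __name__ == "__main__":
    for client_ip in ("198.51.100.7", "203.0.113.9", "2001:db8::1"):
        print(client_ip, check_host(client_ip, "example.com"))
    print("loop:", check_host("203.0.113.9", "loopy.example"))
```

The pass result is a pass for the MAIL FROM domain only; with SES's default amazonses.com MAIL FROM it is evaluated on amazonses.com, which is why it does not by itself satisfy DMARC for From: example.com.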

DKIM

https://aws.amazon.com/premiumsupport/knowledge-center/ses-dmarc-spf-dkim-alignment/

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/troubleshoot-dkim.html

https://serverfault.com/questions/579879/how-to-avoid-554-error-duplicate-header

DMARC

Example for a staged rollout: p=quarantine is applied to 25% of the messages that fail DMARC, the rest are treated as p=none, and aggregate reports go to the rua address so that any legitimate sender still failing can be found before raising pct to 100 and the policy to reject...

_dmarc.example.com TXT "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"

Alignment is relaxed by default (aspf=r, adkim=r), so a DKIM signature with d=example.com, or SPF passing on a custom MAIL FROM subdomain of example.com, satisfies the check for From: example.com; SES's default amazonses.com MAIL FROM does not, which is what the SES alignment article under DKIM above is about. Receivers send the aggregate reports as XML, which the analyzer linked below turns into something readable.

DMARC Report Analyzer
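The alignment and policy decision a receiver makes with the record above, as an added example that is not code from the original page or from AWS. It parses the page's DMARC record, checks relaxed and strict alignment, and evaluates three constructed SES-style cases: default amazonses.com MAIL FROM with no DKIM, Easy DKIM with d=example.com, and a custom MAIL FROM subdomain. The domain names, the SPF and DKIM results fed in, and the sampling number a receiver would normally draw at random are all constructed inputs.

```python
"""DMARC (RFC 7489) record parsing, identifier alignment and policy choice.

Added example for this page, not AWS or SES code. Inputs are constructed;
the pct sampling draw is passed in explicitly so runs are reproducible.
"""
import random


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # relaxed SPF alignment
    tags["pct"] = int(tags.get("pct", "100"))
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, crudely: the last two labels. Real verifiers
    consult the Public Suffix List (example.co.uk has three labels); the
    constructed names here are plain .com names, where two is right."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain, so bounce.example.com aligns with example.com."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return (a == f) if mode == "s" else (org_domain(a) == org_domain(f))


def dmarc_check(policy, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (spf_aligned_pass, dkim_aligned_pass, dmarc_pass).

    spf_domain is the SMTP MAIL FROM domain SPF was evaluated on;
    dkim_domain is the d= of a signature that verified (None if none)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    return spf_ok, dkim_ok, spf_ok or dkim_ok


def disposition(policy, dmarc_pass, sample=None):
    """Action for a message. pct=N applies p to N% of failing mail; the rest
    gets the next less strict action (RFC 7489 section 6.6.4)."""
    if dmarc_pass or policy["p"] == "none":
        return "none"
    if sample is None:
        sample = random.randrange(100)  # the receiver's random draw
    if sample < policy["pct"]:
        return policy["p"]
    return "quarantine" if policy["p"] == "reject" else "none"


POLICY = parse_dmarc("v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com")

# Constructed SES-style cases: (label, MAIL FROM domain, spf, dkim, d=)
CASES = [
    ("default MAIL FROM, no DKIM", "eu-west-1.amazonses.com", "pass", "none", None),
    ("default MAIL FROM + Easy DKIM", "eu-west-1.amazonses.com", "pass", "pass", "example.com"),
    ("custom MAIL FROM, no DKIM", "bounce.example.com", "pass", "none", None),
]

if __name__ == "__main__":
    for label, mail_from, spf, dkim, d in CASES:
        spf_ok, dkim_ok, ok = dmarc_check(POLICY, "example.com", spf, mail_from, dkim, d)
        print(label, "-> spf aligned:", spf_ok, "dkim aligned:", dkim_ok,
              "dmarc:", "pass" if ok else "fail", "action:", disposition(POLICY, ok, sample=10))
```

The first case is the one that bites SES users: SPF passes, yet DMARC fails, because the pass belongs to amazonses.com. Either of the other two cases fixes it.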

MTA-STS

MTA-STS (RFC 8461) lets a domain that receives mail declare, through a TXT record at _mta-sts.<domain> and a policy file served over HTTPS from mta-sts.<domain>, that sending servers must deliver to its MX hosts over TLS with a certificate that validates for the MX name, which stops STARTTLS-stripping downgrades; TLS-RPT (RFC 8460) adds a TXT record at _smtp._tls.<domain> naming where senders report TLS failures. The links below cover testing and setup.

https://www.checktls.com/TestReceiver

https://dmarcian.com/mta-sts/

https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04

https://www.naut.ca/blog/2020/04/07/mta-sts-in-5-minutes/

Certificates

You may need to help sendmail find the CA chain for the SES SMTP endpoint when you see verify=FAIL in the log. The session below is still encrypted (TLSv1, ECDHE-RSA-AES256-GCM-SHA384), but the server certificate was not validated, so sendmail would accept any certificate presented by something sitting in the path...

May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256

Check that the system can find the chain. With no trust store given, openssl walks the chain up to the Starfield root and stops with verify error 20, "unable to get local issuer certificate", meaning it has no trust anchor for that chain...

$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0

Check you have the certificates installed...

ls -lah /etc/ssl/certs | grep 'Amazon'

Now check again with -CApath pointing at the system store; the chain verifies at Amazon Root CA 1, which the store holds, and the SMTP greeting completes. sendmail needs the same directory configured as its CA path (confCACERT_PATH in sendmail.mc, not shown on this page) before it logs verify=OK...

$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok

Amazon Trust Services Repository

SPF DKIM Testing

https://www.mail-tester.com/

...and...

Send a blank email from the server under test to check-auth@verifier.port25.com and it replies with the results of the SPF, reverse DNS ("iprev"), DKIM and SpamAssassin checks it ran on that message...

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham

OpenDKIM

https://petermolnar.net/article/howto-spf-dkim-dmarc-postfix/