AWS SES

From Indie IT Wiki
Revision as of 13:01, 13 January 2022

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.

DNS

Receiving mail servers perform a reverse Domain Name System (DNS) lookup on the connecting IP address as part of deciding whether a message is legitimate. A reverse lookup (PTR record) returns the hostname for an IP address, the opposite of a forward lookup, which returns the IP address for a hostname. A missing PTR record, or a PTR hostname that does not resolve back to the connecting IP (forward-confirmed reverse DNS, reported as "iprev" by testing tools), is a common reason for mail being rejected or scored as spam. This matters when your own EC2 or Lightsail instance delivers mail directly; when you relay through the SES SMTP endpoint, the connecting IP and its reverse DNS belong to Amazon.

Configuring reverse DNS for an email server

Amazon Lightsail Configuring Reverse DNS For Email

AWS Console Support Reverse DNS Limit Request Form
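The forward-confirmed reverse DNS check described above, as an added example (not code from this wiki, AWS or Port25). The resolver is passed in as a function so the logic can be exercised offline against a constructed lookup table; system_resolve() is the standard-library version for live use. The expected_suffix parameter and the 203.0.113.x addresses are assumptions made for the example.

```python
"""Forward-confirmed reverse DNS check (the "iprev" result in the Port25 report).

Added example for this wiki page; it is not code from Indie IT, AWS or
Port25. The resolver is passed in so the check can be run offline against
a constructed lookup table; system_resolve() uses the standard library for
live lookups when the script is run directly.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# resolve(query, rrtype): PTR queries take the IP address itself,
# A/AAAA queries take a hostname; returns a (possibly empty) list of answers
Resolver = Callable[[str, str], List[str]]


def iprev_check(ip: str, resolve: Resolver,
                expected_suffix: Optional[str] = None) -> Tuple[str, str]:
    """Return (result, ptr_hostname) with result pass, fail or permerror.

    pass: some PTR hostname resolves back to the IP (and, if given, ends
          with expected_suffix, e.g. ".example.com" for your own relay)
    fail: no PTR, or no PTR hostname forward-resolves to the IP
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror", ""
    rrtype = "AAAA" if addr.version == 6 else "A"
    ptrs = [p.rstrip(".").lower() for p in resolve(ip, "PTR")]
    if not ptrs:
        return "fail", ""
    for host in ptrs:
        forward = set()
        for a in resolve(host, rrtype):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # ignore malformed answers
        if addr in forward:
            if expected_suffix and not host.endswith(expected_suffix.lower()):
                return "fail", host
            return "pass", host
    return "fail", ptrs[0]


# Constructed lookup table standing in for DNS (not real records).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("203.0.113.10", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.10"],
    # PTR names a host that resolves to a different address: not confirmed
    ("203.0.113.11", "PTR"): ["mail.example.com."],
    # 203.0.113.12 has no PTR record at all
}


def fake_resolve(query: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((query.lower(), rrtype), [])


def system_resolve(query: str, rrtype: str) -> List[str]:
    """Live lookups via the system stub resolver (needs network)."""
    try:
        if rrtype == "PTR":
            host, aliases, _ = socket.gethostbyaddr(query)
            return [host] + aliases
        family = socket.AF_INET6 if rrtype == "AAAA" else socket.AF_INET
        return sorted({info[4][0] for info in socket.getaddrinfo(query, None, family)})
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(ip, iprev_check(ip, fake_resolve, expected_suffix=".example.com"))
```

To test a real sending host, call iprev_check(ip, system_resolve) from a machine with DNS access; the result should be "pass" with a hostname under your own domain before you request reverse DNS changes from AWS.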

Authentication

Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):

  • SPF publishes, in a TXT record on the envelope sender (MAIL FROM) domain, which hosts are allowed to send mail for that domain.
  • DKIM signs selected headers and the body with a private key whose public half is published in DNS, so a receiver can check that the message was authorised by the signing (d=) domain and not altered in transit.
  • DMARC lets the owner of the From: domain tell receivers what to do with mail for which neither SPF nor DKIM produces an aligned pass (none, quarantine or reject), and where to send aggregate and failure reports.
  1. Problems with Emails Received from Amazon SES
  2. Authenticating Your Email in Amazon SES
  3. Authenticating Email with DKIM in Amazon SES
  4. Authenticating Email with SPF in Amazon SES
  5. Complying with DMARC Using Amazon SES

SPF

Example...

example.com TXT "v=spf1 include:amazonses.com ~all"

By default SES uses a subdomain of amazonses.com as the envelope sender (MAIL FROM), so receivers evaluate SPF against Amazon's record and the result does not align with your From: domain for DMARC purposes. To have SPF count towards DMARC, configure a custom MAIL FROM domain in SES (for example a subdomain such as bounce.example.com) and publish the record above on that name. ~all is a soft fail; -all tells receivers to reject mail from unlisted hosts outright.

SPF Checker

DKIM

https://aws.amazon.com/premiumsupport/knowledge-center/ses-dmarc-spf-dkim-alignment/

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/troubleshoot-dkim.html

https://serverfault.com/questions/579879/how-to-avoid-554-error-duplicate-header

DMARC

Example...

_dmarc.example.com TXT "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"

With pct=25 only a quarter of the messages that fail DMARC are quarantined; the rest are handled under the next less strict policy (none), which is what makes pct a safe way to stage a rollout. Start at p=none, read the aggregate (rua) reports until every legitimate sending source aligns, then raise pct and move to p=reject.

DMARC Report Analyzer
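The SPF record, the DMARC record and the alignment point from the sections above worked through in code. This is an added example, not code from this wiki or from AWS: it parses the two records shown on this page, checks identifier alignment as RFC 7489 section 3.1 defines it and applies p= and pct=. Two simplifications are assumptions: the organisational domain is taken as the last two labels (a real receiver uses the Public Suffix List), and the record passed in is treated as the organisational domain's record, so sp= applies to subdomains. The MAIL FROM domain eu-west-1.amazonses.com and the subdomain bounce.example.com are constructed for the scenario.

```python
"""SPF and DMARC record handling for a domain that sends through Amazon SES.

Added example for this wiki page; not code from Indie IT or AWS. It parses
the SPF and DMARC records shown above, tests identifier alignment
(RFC 7489 section 3.1) and applies p=/pct=. Two simplifications, both
assumptions: the organisational domain is taken as the last two labels
(a real receiver uses the Public Suffix List), and the record passed in
is treated as the organisational domain's record, so sp= applies to
subdomains.
"""
from typing import Dict, List, Tuple

DMARC_RECORD = "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"
SPF_RECORD = "v=spf1 include:amazonses.com ~all"

POLICIES = ("none", "quarantine", "reject")
# Messages not selected by pct= get the next less strict policy.
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dmarc(record: str) -> Dict[str, str]:
    """Validate a DMARC TXT record and fill in the RFC defaults."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags = parse_tags(record)
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def spf_includes_ses(record: str) -> bool:
    """True if the SPF record authorises SES's hosts via include:amazonses.com."""
    terms = record.strip().lower().split()
    return bool(terms) and terms[0] == "v=spf1" and "include:amazonses.com" in terms[1:]


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): identical domains. Relaxed (r): same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, header_from: str, spf: Tuple[str, str],
                   dkim: List[Tuple[str, str]], sample: int = 0) -> Dict[str, str]:
    """Return {'result': pass|fail, 'disposition': none|quarantine|reject}.

    spf    = (SPF result, envelope MAIL FROM domain)
    dkim   = [(DKIM result, d= domain), ...]
    sample = the receiver's 0..99 draw against pct=; passed in explicitly so
             the outcome is deterministic here (a real receiver picks it at random)
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], header_from, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, header_from, tags["adkim"]) for r, d in dkim)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    policy = tags["p"] if header_from.lower() == org_domain(header_from) else tags["sp"]
    if sample >= int(tags["pct"]):
        policy = LESS_STRICT[policy]
    return {"result": "fail", "disposition": policy}


if __name__ == "__main__":
    # SES default: SPF passes for Amazon's MAIL FROM domain but does not align;
    # only Easy DKIM (d=example.com) carries the message to a DMARC pass.
    ses_spf = ("pass", "eu-west-1.amazonses.com")  # constructed MAIL FROM domain
    print("SPF record authorises SES:", spf_includes_ses(SPF_RECORD))
    print("DKIM signed     :", evaluate_dmarc(DMARC_RECORD, "example.com", ses_spf, [("pass", "example.com")]))
    print("no DKIM, draw 10:", evaluate_dmarc(DMARC_RECORD, "example.com", ses_spf, [], sample=10))
    print("no DKIM, draw 60:", evaluate_dmarc(DMARC_RECORD, "example.com", ses_spf, [], sample=60))
    # custom MAIL FROM subdomain: SPF now aligns under relaxed aspf
    print("custom MAIL FROM:", evaluate_dmarc(DMARC_RECORD, "example.com", ("pass", "bounce.example.com"), []))
```

The two "no DKIM" runs show what pct=25 means in practice: the same failing message is quarantined or delivered depending on the receiver's draw, so a partially deployed policy gives uneven results until pct reaches 100.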

MTA-STS

MTA-STS is published by the receiving domain: a _mta-sts TXT record plus a policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt tell sending MTAs to deliver to your MX hosts only over validated TLS, and TLS-RPT (a _smtp._tls TXT record) collects reports of failed connections. It protects mail sent to your domain, not mail you send through SES.

https://www.checktls.com/TestReceiver

https://dmarcian.com/mta-sts/

https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04

https://www.naut.ca/blog/2020/04/07/mta-sts-in-5-minutes/

Certificates

When sendmail relays through the SES SMTP endpoint and logs verify=FAIL, STARTTLS was negotiated but the server certificate could not be validated against a trusted CA, and the message was still delivered over a session that an active attacker could have intercepted. The fix is to give sendmail the CA chain (confCACERT_PATH and confCACERT in sendmail.mc, which set CACertPath and CACertFile), not to ignore the warning...

May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256

Reproduce the failure with openssl s_client; with no CA path the client cannot complete the chain and stops at the Starfield root that tops the chain served by SES...

$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0

Check that the Amazon Trust Services roots are installed (Amazon Root CA 1 is cross-signed by Starfield Services Root Certificate Authority - G2, which is why the Starfield root appears at depth 3 above)...

ls -lah /etc/ssl/certs | grep 'Amazon'

Now check again, using the -CApath option to point the client at the CA directory (it must be an OpenSSL hash-indexed directory; /etc/ssl/certs on Debian and Ubuntu is kept that way by update-ca-certificates). With the roots found, the chain stops at depth 2 and every level returns 1...

$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok

Amazon Trust Services Repository

SPF DKIM Testing

https://www.mail-tester.com/

...and...

Send a blank email to check-auth@verifier.port25.com and it will reply with test results...

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham

OpenDKIM

https://petermolnar.net/article/howto-spf-dkim-dmarc-postfix/