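Plesk supports several anti-spam solutions for validating the identity of mail messages:

  • DKIM (DomainKeys Identified Mail) is a method used to associate a domain name identity with an outgoing message and to validate, by means of cryptographic authentication, the domain name identity associated with an incoming message.
  • SPF (Sender Policy Framework) is a method used to prevent sender address forgery, i.e. using fake sender addresses. It allows a mail server to check that incoming mail from a domain comes from a host authorized by that domain's administrator. Additionally, Plesk uses SRS (Sender Rewriting Scheme) so that forwarded messages can pass SPF checking.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technology that extends the capabilities of the SPF and DKIM methods. The DMARC policy defines how mail messages are treated depending on the results of DKIM and SPF checking.

The mail server requirements for using these solutions are as follows: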

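Mail server DKIM SPF SRS DMARC
Postfix (Linux)
Qmail
MailEnable Professional
MailEnable Standard 9.16 or later
SmarterMail
IceWarp

In this table, '+' means that the solution is supported in all versions supported by Plesk Onyx. '-' means that the solution is not supported.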

DKIM

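DKIM (DomainKeys Identified Mail) is a method used to validate a domain name identity associated with a message. It lets an organization take responsibility for an outgoing message by attaching an automatically generated digital signature, and uses cryptographic techniques to validate that organization by confirming that the signature is present.

To provide DKIM support, Plesk uses the functionality of an external library (Linux) or of the mail server supplied with Plesk (Windows).

Warning: If you use an external DNS service, DKIM signing will work for outgoing messages, but receiving mail servers will not be able to validate these messages. As a workaround, you can switch off the Plesk DNS server and add a DKIM-related DNS record at the external DNS service. Receiving servers will then be able to validate the messages. Learn how to enable DKIM email signing for domains that use an external DNS server.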

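Enabling or Disabling DKIM on the Server

To enable DKIM functionality on the server, go to Tools & Settings > Mail Server Settings (in the Mail group) and scroll down to the DKIM spam protection section. The following options let you manage DKIM on the server:

  • Allow signing outgoing mail. This lets customers switch on DKIM signing of outgoing mail on a per-domain basis. It does not automatically switch on signing of all outgoing mail messages. To use DKIM, users must switch it on for individual domains.
  • Verify incoming mail (Plesk for Linux). This option switches on DKIM checking for all incoming mail. All messages are checked, and if a check fails, the message is marked with a special header.

Note that each option can be selected independently. You can choose to enable signing of outgoing mail, checking of incoming mail, or both.

Note: You cannot disable DKIM checking for incoming mail if DMARC is enabled.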

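Enabling DKIM After a Plesk Upgrade

When you upgrade Plesk from a version earlier than Plesk Onyx, DomainKeys is automatically replaced with DKIM. If the DomainKeys functionality was enabled in Plesk, DKIM will be enabled as well.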

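Enabling DKIM Email Signing for a Domain

If DKIM signing is enabled on the server (see the Enabling or Disabling DKIM on the Server section), customers can sign outgoing mail for their domains.

To enable DKIM signing of outgoing mail for an individual domain:

  1. Open the corresponding subscription.
  2. Go to the Mail > Mail Settings tab.
  3. Select the domain and click Activate/Deactivate Services.
  4. Select the Use DKIM spam protection system to sign outgoing email messages checkbox and click OK.

Note: The DNS service must be activated on the domain.

After you activate DKIM for a domain, Plesk adds the following two records to the domain's DNS zone:

  • default._domainkey.<example.com> - contains the public part of the generated key.
  • _domainkey.<example.com> - contains the DKIM policy.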
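
The following added example (not Plesk code) shows why the external DNS warning above matters: a receiver derives the lookup name from the s= and d= tags of the DKIM-Signature header, and without a key record at that name the signature cannot be verified. The header, zone contents and key value are constructed placeholders, and a dictionary stands in for the DNS lookup.

```python
import re

def parse_tag_list(text):
    """Parse a DKIM 'tag=value; tag=value' list (header and DNS record share it)."""
    tags = {}
    for item in text.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def dkim_query_name(signature_header):
    """DNS name a receiver looks up for the key: <selector>._domainkey.<domain>."""
    tags = parse_tag_list(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def dkim_key_status(signature_header, zone_txt):
    """zone_txt maps DNS names to TXT values and stands in for a real DNS lookup."""
    name = dkim_query_name(signature_header)
    record = zone_txt.get(name)
    if record is None:
        return name, "missing"   # receivers cannot verify the signature
    key = parse_tag_list(record)
    if key.get("v", "DKIM1") != "DKIM1" or "p" not in key:
        return name, "invalid"
    return name, "ok" if key["p"] else "revoked"  # empty p= means the key was revoked

# Constructed sample data: header values and key material are placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
             "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
PLESK_ZONE = {"default._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"}
EXTERNAL_ZONE = {}  # external DNS service where the record was never added

if __name__ == "__main__":
    for zone in (PLESK_ZONE, EXTERNAL_ZONE):
        print(dkim_key_status(SIGNATURE, zone))
```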

SPF and SRS

SPF (Sender Policy Framework) is a method used to prevent sender address forgery, i.e. using fake sender addresses. SPF allows a domain’s administrator to set a policy that authorizes particular hosts to send mail from the domain. A receiving mail server checks that the incoming mail from a domain comes from a host authorized by that domain’s administrator. SPF is based on the rules specified by the administrator in the sender’s DNS zone.

In Plesk, you can set up an SPF policy for outgoing mail by specifying rules in a DNS record. Additionally, on Linux, you can enable SPF to check incoming mail.

When you enable SPF to check incoming mail, the mail server performs DNS lookup on the sender’s host to search for an SPF-related DNS record. The following sets of rules can be defined:

  • Local rules - the rules that are used by the spam filter before the SPF check is actually done by the mail server.

    Note: These rules are concatenated with the rules specified in the SPF-related DNS record of the sender. For example, if the sender has the following SPF policy: example.com. TXT v=spf1 +a +mx -all and the local rule is a:test.plesk.com, then the resulting policy will be example.com. TXT v=spf1 +a +mx +a:test.plesk.com -all.

  • Guess rules - the rules that are applied to domains that do not publish SPF records.
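
The rule handling described above, as an added example that is not Plesk's implementation: local rules are merged into the sender's record and guess rules are used when the sender publishes no record. It assumes local rules are inserted before the terminal all mechanism (as in the page's example, and appended when there is none) and that guess rules are applied as written; the function names are hypothetical.

```python
QUALIFIERS = "+-~?"

def parse_terms(record):
    """Split an SPF record into (qualifier, term) pairs; the implicit qualifier is '+'."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        name = part.lstrip(QUALIFIERS).split(":")[0].split("/")[0]
        if "=" in name:                  # modifier (redirect=, exp=): no qualifier
            terms.append(("", part))
        elif part[0] in QUALIFIERS:
            terms.append((part[0], part[1:]))
        else:
            terms.append(("+", part))
    return terms

def merge_local_rules(sender_record, local_rules):
    """Insert local rules before the sender's terminal 'all' (appended if none)."""
    terms = parse_terms(sender_record)
    local = parse_terms("v=spf1 " + local_rules)
    idx = next((i for i, (_, t) in enumerate(terms) if t.lower() == "all"), len(terms))
    merged = terms[:idx] + local + terms[idx:]
    return "v=spf1 " + " ".join(q + t for q, t in merged)

def effective_policy(sender_record, local_rules="", guess_rules=None):
    """Policy to evaluate: guess rules if nothing is published, else record + local rules."""
    if sender_record is None:
        return guess_rules               # assumption: guess rules are used as written
    if not local_rules:
        return sender_record
    return merge_local_rules(sender_record, local_rules)

if __name__ == "__main__":
    print(effective_policy("v=spf1 +a +mx -all", "a:test.plesk.com"))
    print(effective_policy(None, "a:test.plesk.com", "v=spf1 +a/24 +mx/24 +ptr ?all"))
```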

The information on statuses of SPF checking can be found here.

To set up an SPF policy for outgoing mail:

Go to Tools & Settings > DNS Template and edit the TXT DNS record related to SPF. This DNS record is always present in the server-wide DNS template. Here is an example of an SPF record created by Plesk:

example.com.    TXT    v=spf1 +a +mx +a:test.plesk.com -all

The parts of this record mean the following:

Part                 Description
v=spf1               The domain uses SPF version 1.
+a                   All the hosts from the “A” records are authorized to send mail.
+mx                  All the hosts from the “MX” records are authorized to send mail.
+a:test.plesk.com    The domain test.plesk.com is authorized to send mail.
-all                 All other domains are not authorized to send mail.

More detailed information about the syntax of the SPF-related DNS record can be found here: http://www.openspf.org/SPF_Record_Syntax. The policy notation is described in RFC 7208.

To enable SPF to check incoming mail on a Linux-based server:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.

  2. In the SPF spam protection section, select the Enable SPF spam protection to check incoming mail checkbox.

  3. Select SPF checking continues when there are DNS lookup problems if you want SPF to continue checking if a DNS lookup fails. In this case, if the host cannot be resolved or no SPF-related records are found, the SPF guess rules may be applied.

  4. Select an option from the SPF checking mode drop-down box to specify how to deal with email when SPF applies local and guess rules:

    1. Only create Received SPF-headers, never block - to accept all incoming messages regardless of SPF check results.
    2. Use temporary error notices when you have DNS lookup problems - to accept all incoming messages regardless of SPF check results, even if SPF check failed due to DNS lookup problems.
    3. Reject mail if SPF resolves to “fail” (deny) - to reject messages from senders who are not authorized to use the domain in question.
    4. Reject mail if SPF resolves to “softfail” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
    5. Reject mail if SPF resolves to “neutral” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
    6. Reject mail if SPF does not resolve to “pass” - to reject the messages that do not pass SPF check for any reason (for example, when sender’s domain does not implement SPF and SPF checking returns the “unknown” status).
  5. To specify local rules, type the rules you need in the SPF local rules box.
    For example: include:spf.trusted-forwarder.org.

    For more information on SPF rules, visit http://tools.ietf.org/html/rfc4408.

  6. You can also specify the guess rules in the SPF guess rules box.

    For example: v=spf1 +a/24 +mx/24 +ptr ?all

  7. To specify an arbitrary error notice that is returned to the SMTP sender when a message is rejected, type it into the SPF explanation text box.

    If no value is specified, the default text will be used as a notification.

  8. To complete the setup, click OK.

To disable SPF checking for incoming mail:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.
  2. In the SPF spam protection section, clear the Enable SPF spam protection to check incoming mail checkbox.

Note: On a Linux-based server, you cannot disable SPF checking for incoming mail if DMARC is enabled.

Using SRS

In addition to SPF, some mail servers in Plesk support SRS (Sender Rewriting Scheme), a mechanism that rewrites the sender address of a forwarded email so that the forwarded email remains SPF compliant. SRS helps to make sure that messages are delivered when SPF is in use.

SRS is used automatically when messages are forwarded from Plesk-hosted mailboxes.

To provide the SRS functionality, Plesk uses the capabilities of an external library (Linux) or of the mail server software (Windows).
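
An added illustration of the rewriting (not the library Plesk uses): the envelope sender is rewritten into the forwarder's own domain, so the receiver's SPF check runs against the forwarder, while a keyed hash and a day stamp let the forwarder accept only bounces for addresses it produced recently. The SRS0 layout, the 4-character HMAC tag, the 21-day lifetime, the secret and the domains are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(secret, ts, host, local):
    """Short keyed hash binding timestamp, original host and original local part."""
    mac = hmac.new(secret, "".join((ts, host, local)).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(sender, forwarder_domain, secret, day):
    """Rewrite user@origin into SRS0=tag=ts=origin=user@forwarder."""
    local, _, host = sender.rpartition("@")
    ts = _timestamp(day)
    return f"SRS0={_tag(secret, ts, host, local)}={ts}={host}={local}@{forwarder_domain}"

def srs_reverse(address, secret, day, max_age=21):
    """Recover the original sender from a bounce; reject forged or stale addresses."""
    local = address.rpartition("@")[0]
    if not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, ts, host, orig_local = local[5:].split("=", 3)
    if len(ts) != 2:
        raise ValueError("bad SRS timestamp")
    expected = _tag(secret, ts, host, orig_local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad SRS hash")
    then = B32.index(ts[0].upper()) * 32 + B32.index(ts[1].upper())
    if (day - then) % 1024 > max_age:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{host}"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # hypothetical key, for the example only
    rewritten = srs_forward("alice@sender.example", "forwarder.example", secret, 19000)
    print(rewritten, "->", srs_reverse(rewritten, secret, 19005))
```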

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technology to extend the capabilities of the SPF and DKIM sender policies. The DMARC policy defines how the receiver should treat email messages depending on the results of DKIM and SPF checking. This technology is based on the rules specified in the sender’s DNS zone.

In Plesk, you can set up a DMARC policy for outgoing mail by specifying rules in a DNS record. Additionally, you can enable DMARC to check incoming mail on a Linux-based server (using any mail server supported by Plesk) or on a Windows-based server (using SmarterMail only).

To set up a custom DMARC policy for outgoing mail:

Go to Tools & Settings > DNS Template and edit the DNS records related to the DMARC policy. These DNS records are always present in the server-wide DNS template. (By contrast, DNS records related to DKIM are added to DNS zones of individual domains when you activate DKIM on the domain.)

For example, the Plesk default DMARC policy is defined in the following record:

_dmarc.<domain>.    TXT    v=DMARC1; p=none

This policy recommends that the receiving mail server does not delete messages even if they failed checking. You can specify a stricter policy. However, note that the receiving server is free to apply its own policy to incoming mail.

Hosting customers can edit the policies for individual domains.

For information on DMARC, including policy notations, refer to https://datatracker.ietf.org/doc/rfc7489/.
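
How a receiver can combine SPF and DKIM results with the published policy, as an added example that is not Plesk code. It goes beyond the p=none record shown above by also handling the aspf, adkim and sp tags from RFC 7489; the organizational-domain lookup is simplified to the last two labels, and all domains in the usage lines are constructed.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...' into a tag dict; reject records without a valid p=."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated domain) pairs from the earlier checks."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)      # sp= overrides p= for subdomains
    return "fail", "deliver" if policy == "none" else policy

if __name__ == "__main__":
    # Default policy from the page: a failing message is still delivered.
    print(dmarc_disposition("v=DMARC1; p=none", "example.com",
                            ("fail", "bulk.test"), ("none", "")))
    # Forwarded mail: SPF passes only for the forwarder, aligned DKIM still passes.
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            ("pass", "forwarder.test"), ("pass", "example.com")))
```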

To enable DMARC to check incoming mail:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.
  2. In the DMARC section, select the Enable DMARC to check incoming mail checkbox. On a Linux-based server, this option is available only when DKIM and SPF are enabled for incoming mail.
