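Plesk supports several anti-spam solutions for validating the identity of mail messages:

  • DKIM (DomainKeys Identified Mail) is a method used to associate a domain name identity with an outgoing message and to validate the domain name identity associated with an incoming message through cryptographic authentication.
  • SPF (Sender Policy Framework) is a method used to prevent sender address forgery, i.e. using fake sender addresses. It allows a mail server to check that incoming mail from a domain comes from a host authorized by that domain's administrator. Additionally, Plesk uses SRS (Sender Rewriting Scheme) so that forwarded messages can pass SPF checking.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technology that extends the capabilities of SPF and DKIM. The DMARC policy defines how mail messages are treated depending on the results of DKIM and SPF checking.

The mail server requirements for using these solutions are as follows: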

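Mail server    DKIM    SPF    SRS    DMARC
Postfix (Linux)
Qmail
MailEnable Professional
MailEnable Standard 9.16 or later
SmarterMail
IceWarp

In this table, '+' means that the solution is supported in all versions supported by Plesk Onyx. '-' means that the solution is not supported.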

DKIM

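DKIM (DomainKeys Identified Mail) is a method used to validate the domain name identity associated with a message. It lets an organization take responsibility for an outgoing message by attaching an automatically generated digital signature, and it uses cryptographic techniques to validate that organization by confirming that the signature is present.

To provide DKIM support, Plesk uses the functionality of an external library (Linux) or of the mail server supplied with Plesk (Windows).

Warning: If you use an external DNS service, outgoing messages will be signed with DKIM, but receiving mail servers will not be able to validate them. As a workaround, you can switch off the Plesk DNS server and add a DKIM-related DNS record on the external DNS service. Receiving servers will then be able to validate the messages. Learn how to enable DKIM email signing for domains that use an external DNS server.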

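Enabling or disabling DKIM on the server

To enable DKIM on the server, go to Tools & Settings > Mail Server Settings (in the Mail group) and scroll down to the DKIM spam protection section. The following options let you manage DKIM on the server:

  • Allow signing outgoing mail. This option lets customers switch on DKIM signing of outgoing mail on a per-domain basis. It does not automatically enable signing of all outgoing mail messages. To use DKIM, users must switch it on for individual domains.
  • Verify incoming mail (Plesk for Linux). This option switches on DKIM checking for all incoming mail. All messages are checked, and a message that fails the check is marked with a special header.

Note that each option can be selected independently. You can choose to enable signing of outgoing mail, checking of incoming mail, or both.

Note: You cannot disable DKIM checking for incoming mail if DMARC is enabled.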

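Enabling DKIM after a Plesk upgrade

When you upgrade Plesk from a version earlier than Plesk Onyx, DomainKeys is automatically replaced with DKIM. If the DomainKeys functionality was enabled in Plesk, DKIM will be enabled as well.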

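Enabling DKIM email signing for a domain

If DKIM signing is enabled on the server (see the Enabling or disabling DKIM on the server section), customers can sign outgoing mail for their domains.

To enable DKIM signing of outgoing mail for an individual domain:

  1. Open the corresponding subscription.
  2. Go to the Mail > Mail Settings tab.
  3. Select the domain and click Activate/Deactivate Services.
  4. Select the Use DKIM spam protection system to sign outgoing email messages checkbox and click OK.

Note: The DNS service must be activated on the domain.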

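After you activate DKIM for a domain, Plesk adds the following two records to the domain's DNS zone:

  • default._domainkey.<example.com> - contains the public part of the generated key.
  • _domainkey.<example.com> - contains the DKIM policy.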
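
When the default._domainkey record is copied to an external DNS service, a long key is usually stored as several quoted strings, and a dropped string leaves a record that still looks plausible. The following check is an added example, not Plesk's own code: the function names are made up for this illustration, and the sample key is a constructed placeholder, not a real key.

```python
import base64
import binascii
import re

def join_txt_strings(rdata):
    """Join the quoted strings of one TXT record; DNS concatenates them with no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list; whitespace inside values is not significant."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def der_length_ok(blob):
    """True if blob is a single DER SEQUENCE whose declared length matches its size."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:
        return len(blob) == 2 + blob[1]
    k = blob[1] & 0x7F
    return 0 < k <= len(blob) - 2 and len(blob) == 2 + k + int.from_bytes(blob[2:2 + k], "big")

def check_dkim_key_record(rdata):
    """Return the problems found in a DKIM key record (empty list: nothing found)."""
    tags = parse_tags(join_txt_strings(rdata))
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= tag is not DKIM1"]
    if "p" not in tags:
        return ["no p= tag, so no public key is published"]
    if tags["p"] == "":
        return ["empty p= tag, which marks the key as revoked"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return ["p= is not valid base64"]
    # RSA keys (the default key type) are DER-encoded, so a cut-off copy is detectable.
    if tags.get("k", "rsa") == "rsa" and not der_length_ok(key):
        return ["p= decodes, but the key data is truncated or has extra bytes"]
    return []

# Constructed placeholder: outer DER header of a 294-byte key blob, zero-filled (not a real key).
SAMPLE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
# The same record as two quoted strings, the way a long key is stored in a TXT record.
SAMPLE_RDATA = '"v=DKIM1; k=rsa; p=%s" "%s"' % (SAMPLE_KEY[:200], SAMPLE_KEY[200:])
```

Run check_dkim_key_record on the TXT value exactly as the external DNS service returns it; SAMPLE_RDATA passes, while the same record with its second string dropped is reported as truncated.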

SPF and SRS

SPF (Sender Policy Framework) is a method used to prevent sender address forgery, i.e. using fake sender addresses. SPF allows a domain’s administrator to set a policy that authorizes particular hosts to send mail from the domain. A receiving mail server checks that the incoming mail from a domain comes from a host authorized by that domain’s administrator. SPF is based on the rules specified by the administrator in the sender’s DNS zone.

In Plesk, you can set up an SPF policy for outgoing mail by specifying rules in a DNS record. Additionally, on Linux, you can enable SPF to check incoming mail.

When you enable SPF to check incoming mail, the mail server performs a DNS lookup on the sender’s host to search for an SPF-related DNS record. The following sets of rules can be defined:

  • Local rules - the rules that are used by the spam filter before the SPF check is actually done by the mail server.

    Note: These rules are concatenated with the rules specified in the SPF-related DNS record of the sender. For example, if the sender has the following SPF policy: example.com. TXT v=spf1 +a +mx -all and the local rule is a:test.plesk.com, then the resulting policy will be example.com. TXT v=spf1 +a +mx +a:test.plesk.com -all.

  • Guess rules - the rules that are applied to domains that do not publish SPF records.
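
How local and guess rules combine with a sender's record, as an added example that is not Plesk's own code. It assumes that local rules are inserted directly before the all mechanism, as in the note above, and that guess rules are used unchanged when the sender publishes no record; the function names are made up for this illustration. It goes slightly beyond the text by also counting the terms that cost a DNS query, which RFC 7208 limits to 10 per check.

```python
import re

# Terms that cost a DNS query; RFC 7208 allows at most 10 of them per check.
DNS_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def split_terms(record):
    """Return the terms that follow the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record: %r" % record)
    return terms[1:]

def term_name(term):
    """Name of a mechanism or modifier, without qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def explicit(term):
    """Spell out the implicit '+' qualifier of a mechanism, as the merged record above does."""
    if term[0] in "+-~?" or re.match(r"[A-Za-z][\w.-]*=", term):
        return term  # already qualified, or a modifier such as redirect=
    return "+" + term

def apply_local_rules(published, local_rules):
    """Insert local rules directly before the first 'all' mechanism."""
    terms = split_terms(published)
    present = {explicit(t) for t in terms}
    local = [explicit(t) for t in local_rules.split() if explicit(t) not in present]
    cut = next((i for i, t in enumerate(terms) if term_name(t) == "all"), len(terms))
    return " ".join(["v=spf1"] + terms[:cut] + local + terms[cut:])

def effective_policy(published, local_rules="", guess_rules=None):
    """Policy evaluated for one sender domain; published=None means no SPF record."""
    if published is None:
        return guess_rules  # assumption: guess rules are used exactly as entered
    return apply_local_rules(published, local_rules)

def dns_term_count(record):
    """Count top-level terms that cost a DNS query (nested includes are not followed)."""
    return sum(1 for t in split_terms(record) if term_name(t) in DNS_TERMS)
```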

The information on statuses of SPF checking can be found here.

To set up an SPF policy for outgoing mail:

Go to Tools & Settings > DNS Template and edit the TXT DNS record related to SPF. This DNS record is always present in the server-wide DNS template. Here is an example of an SPF record created by Plesk:

example.com.    TXT    v=spf1 +a +mx +a:test.plesk.com -all

The parts of this record mean the following:

Part                 Description
v=spf1               The domain uses SPF version 1.
+a                   All the hosts from the "A" records are authorized to send mail.
+mx                  All the hosts from the "MX" records are authorized to send mail.
+a:test.plesk.com    The domain test.plesk.com is authorized to send mail.
-all                 All other domains are not authorized to send mail.

More detailed information about the syntax of the DNS record related to SPF can be found here: http://www.openspf.org/SPF_Record_Syntax. The policy notation is available in RFC 7208.

To enable SPF to check incoming mail on a Linux-based server:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.

  2. In the SPF spam protection section, select the Enable SPF spam protection to check incoming mail checkbox.

  3. Select SPF checking continues when there are DNS lookup problems if you want SPF to continue checking if a DNS lookup fails. In this case, if the host cannot be resolved or no SPF-related records are found, the SPF guess rules may be applied.

  4. Select an option from the SPF checking mode drop-down box to specify how to deal with email when SPF applies local and guess rules:

    1. Only create Received SPF-headers, never block - to accept all incoming messages regardless of SPF check results.
    2. Use temporary error notices when you have DNS lookup problems - to accept all incoming messages regardless of SPF check results, even if SPF check failed due to DNS lookup problems.
    3. Reject mail if SPF resolves to "fail" (deny) - to reject messages from senders who are not authorized to use the domain in question.
    4. Reject mail if SPF resolves to "softfail" - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
    5. Reject mail if SPF resolves to "neutral" - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
    6. Reject mail if SPF does not resolve to "pass" - to reject the messages that do not pass SPF check for any reason (for example, when sender’s domain does not implement SPF and SPF checking returns the "unknown" status).
  5. To specify local rules, type the rules you need in the SPF local rules box.
    For example: include:spf.trusted-forwarder.org.

    For more information on SPF rules, visit http://tools.ietf.org/html/rfc4408.

  6. You can also specify the guess rules in the SPF guess rules box.

    For example: v=spf1 +a/24 +mx/24 +ptr ?all

  7. To specify an arbitrary error notice that is returned to the SMTP sender when a message is rejected, type it into the SPF explanation text box.

    If no value is specified, the default text will be used as a notification.

  8. To complete the setup, click OK.

To disable SPF checking for incoming mail:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.
  2. In the SPF spam protection section, clear the Enable SPF spam protection to check incoming mail checkbox.

Note: On a Linux-based server, you cannot disable SPF checking for incoming mail if DMARC is enabled.

Using SRS

In addition to SPF, some mail servers in Plesk support SRS (Sender Rewriting Scheme), a mechanism that rewrites the sender address when an email is forwarded so that the forwarded email remains SPF compliant. SRS helps to make sure that forwarded messages are still delivered when SPF is in use.

SRS is used automatically when messages are forwarded from Plesk-hosted mailboxes.

To provide the SRS functionality, Plesk uses the capabilities of an external library (Linux) or of the mail server software (Windows).

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technology to extend the capabilities of the SPF and DKIM sender policies. The DMARC policy defines how the receiver should treat email messages depending on the results of DKIM and SPF checking. This technology is based on the rules specified in the sender’s DNS zone.

In Plesk, you can set up a DMARC policy for outgoing mail by specifying rules in a DNS record. Additionally, you can enable DMARC to check incoming mail on a Linux-based server (using any mail server supported by Plesk) or on a Windows-based server (using SmarterMail only).

To set up a custom DMARC policy for outgoing mail:

Go to Tools & Settings > DNS Template and edit the DNS records related to the DMARC policy. These DNS records are always present in the server-wide DNS template. (By contrast, DNS records related to DKIM are added to DNS zones of individual domains when you activate DKIM on the domain.)

For example, the Plesk default DMARC policy is defined in the following record:

_dmarc.<domain>.    TXT    v=DMARC1; p=none

This policy recommends that the receiving mail server does not delete messages even if they failed checking. You can specify a stricter policy. However, note that the receiving server is free to apply its own policy to incoming mail.

Hosting customers can edit the policies for individual domains.

For information on DMARC, including policy notations, refer to https://datatracker.ietf.org/doc/rfc7489/.
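
How a receiver that honors the policy would treat a message under the default record and under a stricter one, as an added example (not Plesk's code; the function names and sample cases are constructed for this illustration). It follows the RFC 7489 rule that a message passes when SPF or DKIM passes for a domain aligned with the From domain, approximates the organizational domain by the last two labels, and ignores the sp= and pct= tags.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict and check the required tags."""
    tags = {}
    for item in record.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= policy")
    return tags

def org_domain(domain):
    """Assumption: the last two labels stand in for the organizational domain.
    A real receiver derives it from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs identical domains, relaxed ('r') the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf, dkim):
    """Return 'pass', or the policy (none/quarantine/reject) the sender asks for.

    spf and dkim are (result, domain) pairs: the SPF result with the envelope
    sender's domain, and the DKIM result with the signing domain (d=)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed cases for mail with From: user@example.com.
PLESK_DEFAULT = "v=DMARC1; p=none"
STRICTER = "v=DMARC1; p=quarantine; adkim=s"
FORGED = (("fail", "example.com"), ("none", ""))
# Forwarded with SRS: SPF passes, but for the forwarder's domain; the DKIM signature survives.
FORWARDED = (("pass", "forwarder.test"), ("pass", "example.com"))
```

The FORWARDED case shows why DKIM signing matters once the policy is stricter than p=none: after SRS rewriting, SPF passes only for the forwarder's domain, which is not aligned with the From domain, so the message passes DMARC through its DKIM signature alone.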

To enable DMARC to check incoming mail:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group). The server-wide mail preferences screen will open on the Settings tab.
  2. In the DMARC section, select the Enable DMARC to check incoming mail checkbox. On a Linux-based server, this option is available only when DKIM and SPF are enabled for incoming mail.
