zoho配置dmarc_停止[营销]电子邮件反弹！如何配置SPF，DMARC和DKIM

zoho配置dmarc

Setup Requirements:

设置要求：

Your Domain Name System (DNS) Editor (i.e. GoDaddy Admin that has the email addresses registered)您的域名系统(DNS)编辑器(即已注册电子邮件地址的GoDaddy Admin)
3rd Party e-mail Admin Accounts (e-mail Blast Service [Mailchimp, ConstantContact, etc.], Additional Mail Server you might be using, etc.)第三方电子邮件管理员帐户(电子邮件Blast服务[Mailchimp，ConstantContact等]，您可能正在使用的其他邮件服务器等)

You might be reading this because you want help resolving an error you just received. This error might be stating something about your DMARC records and that the e-mail was not authenticated. And most likely you attempted to e-mail someone with a ‘@gmail.com’ or ‘@yahoo.com’ address or similar free, big e-mail providers which have higher default guidelines than an e-mail server you would set up through your own company.

您可能正在阅读此书，因为您需要帮助来解决刚刚收到的错误。该错误可能表明您的DMARC记录有关，并且该电子邮件未经身份验证。并且最有可能您尝试通过电子邮件发送具有'@ gmail.com'或'@ yahoo.com'地址的人或类似的免费大型电子邮件提供商，这些提供商的默认准则比您设置的电子邮件服务器更高通过您自己的公司。

I was there too and struggled quite some time to get this figured out — not just what you need, but also how to get it done, the right way.

我也在那里，并且花了很多时间才能弄清楚这个问题-不仅是您需要的东西，还有如何以正确的方式完成它。

配置SPF，DMARC和DKIM之前和之后的统计信息： (Our Statistics before and after configuring SPF, DMARC & DKIM:)

As you will be able to see in the following pictures these implementations show us that:

如您将在以下图片中看到的，这些实现向我们展示了：

Bounce Rate was 70% before implementation, a whole 21441 E-mails that never made it into the subscribers inbox.在实施之前，跳出率是70％，共有21441封电子邮件从未进入订阅者收件箱。
After implementation the Bounce Rate was only 5.6%, down to only 1855 Bouncebacks.实施后，跳出率仅为5.6％，降至1855次反弹。
The bouncebacks are not all just due to security, some e-mails are deleted or the subscriber made a typo (mail.com instead of gmail.com is a typical one).退回不仅是出于安全性考虑，一些电子邮件已删除或订户输入错误(典型的是mail.com而不是gmail.com)。

充分讨论实现的重要性-让我们开始吧！ (Enough talk about how important the implementation is - lets get to it! )

In order to be 100% compliant in terms of e-mail authentication, you need 3 things configured:

为了使100％符合电子邮件身份验证，您需要配置三件事：

SPF (Sender Policy Framework): a framework used to prevent e-mail forgery aka Spoofing. Spoofing is when someone is pretending to be sent from your e-mail address.

SPF(发件人策略框架)：一种用于防止电子邮件伪造或欺骗的框架。欺骗是指假装有人从您的电子邮件地址发送邮件。
DKIM (DomainKeys Identified Mail): This will allow a server to send e-mails in your name while being authenticated to make sure it’s really you. For example, if you use MailChimp or ConstantContact for newsletter blasts and say it’s from ‘john@doecompany.com’, the e-mails will still be sent from MailChimp or ConstantContacts server. However, you verified with your Blast e-mail service that is indeed you and not someone pretending to be you. This is the most important one to set up correctly for businesses, as otherwise there will be a high bounce-back rate!

DKIM(DomainKeys标识邮件)：这将允许服务器在通过身份验证时以您的名义发送电子邮件，以确保它确实是您。例如，如果您使用MailChimp或ConstantContact进行新闻发布，并说它来自“ john@doecompany.com”，则电子邮件仍将从MailChimp或ConstantContacts服务器发送。但是，您已经使用您的Blast电子邮件服务进行了验证，该服务确实是您自己，而不是假装是您的人。 这是为企业正确设置的最重要的一项，否则将有很高的反弹率！
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Also an Anti-Spoofing mechanism that will work in conjunction with SPF. Having one or the other is ineffective — you will need both to be properly protected.

DMARC(基于域的消息身份验证，报告和一致性)：也是一种反欺骗机制，可以与SPF结合使用。拥有一个或另一个是无效的-您将需要同时保护两者。

DNS Editor / DNS Zone Editor, GoDaddy Screenshot Examples (Login and navigate to your Admin Dashboard first):

DNS编辑器/ DNS区域编辑器，GoDaddy屏幕截图示例(首先登录并导航到您的管理控制台)：

Select the Domain you need to add the DNS entries to in the screen after clicking on Manage Zones.

单击“管理区域”后，在屏幕中选择要将DNS条目添加到的域。

On the bottom of your records on the right-hand side, you will see an ‘Add’ button which will lead to the following dialog menu in which you will enter the SPF, DMARC & DKIM entries each individually:

在右侧记录的底部，您将看到一个“添加”按钮，该按钮将转到以下对话框菜单，在其中您将分别输入SPF，DMARC和DKIM条目：

For other guides for Zone Editors, just go to the knowledge base/support center of your Domain Provider.

有关区域编辑器的其他指南，只需转到域提供商的知识库/支持中心。

设置SPF： (Setting up SPF:)

The SPF is the easiest to set up. You will need 2 things:

SPF是最容易设置的。您将需要两件事：

Your DNS Editor (i.e. GoDaddy Admin Portal)您的DNS编辑器(即GoDaddy管理员门户)
The IP address of your e-mail server电子邮件服务器的IP地址

After accessing your DNS Editor (also called DNS Zone Editor in CPanel), you want to create a new TXT entry. In this TXT Entry, you should have 3 possible fields: Host, TXT Value / Value & TTL (Time-To-Live). What you will enter in these fields is the following (some details might vary, this is based on a GoDaddy installation):Host: @ TXT Value: v=spf1 +a +mx +ip4:<ip of your e-mail server>~allTTL: 1 Hour

访问DNS编辑器(在CPanel中也称为DNS区域编辑器)后，您要创建一个新的TXT条目。在此TXT条目中，您应该有3个可能的字段：主机，TXT值/值和TTL(生存时间)。您将在这些字段中输入的内容如下(某些细节可能有所不同， 这取决于GoDaddy的安装 )：主机：@ TXT值：v = spf1 + a + mx + ip4：<电子邮件服务器的IP> 〜allTTL：1小时

Explanation / Meaning of these settings:

这些设置的解释/含义：

‘@’ is the designation within GoDaddy that refers to the Domain you are working in. So if you are working inside ‘doecompany.com’ you could replace ‘@’ with ‘doecompany.com’ and the result would be the same. However, it is best practice to use the ‘@’ symbol instead in the case of GoDaddy.

“ @”是GoDaddy中指代您正在使用的域的名称。因此，如果您在“ doecompany.com”内部工作，则可以将“ @”替换为“ doecompany.com”，结果将是相同的。但是，对于GoDaddy，最好的做法是使用“ @”符号。

<ip of your e-mail server> is the IP of where your e-mails are being sent from. This is not necessarily the same IP that the actual website is hosted on.

<电子邮件服务器的IP>是发送电子邮件的IP。这不一定与实际网站所托管的IP相同。

+a: Includes A record

+ a：包括A记录

+mx: Includes Mail Server record

+ mx：包括邮件服务器记录

+ip4: Designates from which IPv4 server

+ ip4：指定来自哪个IPv4服务器

~all: Records outside of the prior declared ones will fail.

〜all：先前声明的记录之外的记录将失败。

TTL = 1 hour (or 3600 seconds): Time-To-Live, or how often this should expire. If you were to change e-mail servers, you would be glad that there is only a maximum gap of 1 hour of not being authenticated.

TTL = 1小时 (或3600秒)：生存时间，或终止时间。如果要更改电子邮件服务器，您将很高兴未认证的最大间隔为1小时。

设置DKIM： (Setting up DKIM:)

This is the most tedious of the three to set up and the most critical one. You will authenticate the 3rd party to send on behalf of your e-mail name, i.e. ‘john@doecompany.com’.

这是要设置的三个文件中最繁琐的一个，也是最关键的一个。您将对第三方进行身份验证，以代表您的电子邮件名称“ john@doecompany.com”进行发送。

I have 2 DKIMs currently set up:

我目前设置了2个DKIM：

For my actual Mail Server which lives on a different server than my actual website (this is more common in Enterprise environments).对于我的实际邮件服务器，该服务器与我的实际网站位于不同的服务器上(这在企业环境中更为常见)。
For my e-mail newsletter blast service provider (ConstantContact in this case, it could easily be Mailchimp or someone else in your case).对于我的电子邮件新闻速递服务提供商(在这种情况下为ConstantContact，很容易是Mailchimp或您所在的其他人)。

For both scenarios, your legwork is the same. You will have to contact the e-mail support of your Mail Server or Third Party e-mail sending service and have them install the DKIM on their end, for your account.

对于这两种情况，您的工作方式都是相同的。您将必须联系您的邮件服务器或第三方电子邮件发送服务的电子邮件支持，并让他们在自己的帐户的末端安装DKIM。

This is completely out of your hands and typically takes them 1–2 days to complete this task. Basically what is happening is that they will register and install an RSA of at least 1024-Bit encoding (2048 is better) on their server.

这完全由您掌控，通常需要1-2天才能完成此任务。基本上，发生的事情是他们将在服务器上注册并安装至少1024位编码(更好的是2048)的RSA。

After they got it set up, they will send you a Public Key that you will be using in the next step to set up your DKIM record.

设置好之后，他们会向您发送一个公共密钥，您将在下一步中使用它来设置DKIM记录。

Just like with the SPF & DMARC records you will access your DNS Editor (also called DNS Zone Editor in CPanel), and create a new TXT entry. In this TXT Entry, you should have 3 possible fields: Host, TXT Value / Value & TTL (Time-To-Live). What you will enter in these fields is the following (some details might vary, this is based on a GoDaddy installation with the e-mails being hosted on inmotionhosting.com and ConstantContact as Newsletter service). Remember to make 1 separate entry per DKIM record:Host: <provided by your 3rd party>._domainkeyTXT Value: v=DKIM1; k=rsa; p=<public key>TTL: 1 Hour

与SPF和DMARC记录一样，您将访问DNS编辑器(在CPanel中也称为DNS区域编辑器)，并创建一个新的TXT条目。在此TXT条目中，您应该有3个可能的字段：主机，TXT值/值和TTL(生存时间)。您将在以下字段中输入的内容(某些细节可能会有所不同，这是基于GoDaddy的安装，电子邮件存储在inmotionhosting.com上，ConstantContact作为时事通讯服务)。请记住，为每个DKIM记录分别创建1个条目：主机：<由您的第三方提供的>。 k = rsa; p = <公钥> TTL：1小时

Make sure not to leave any spaces after the ‘=’ symbols.

确保不要在“ =”符号后留任何空格。

Explanation / Meaning of these settings:

这些设置的解释/含义：

The host can be a name or number and is truly unique to the third party. When an e-mail is being sent on your behalf, that e-mail will have that name or number included in the header. That is the record it will be looking under your domain for.

主机可以是名称或号码，并且对于第三方而言确实是唯一的。代表您发送电子邮件时，该电子邮件将在标题中包含该名称或号码。那就是它将在您的域下查找的记录。

In layman’s terms and our example, the recipient server would go to ‘doecompany’s DNS records and look if what the 3rd party claims to be true will be there. Only if the public key properly validates with the key on their server, the e-mails will be sent out.

用外行的术语和我们的示例来说，收件人服务器将转到“ doecompany”的DNS记录，并查看是否存在第三者声称的真实记录。仅当公钥正确地使用其服务器上的密钥进行验证时，电子邮件才会发送出去。

v=DKIM1: Simply specifies the version of DKIM being used to clarify further what to look for.

v = DKIM1：仅指定用于进一步阐明查找内容的DKIM版本。

k=rsa: RSA is the most typical one to use as the Key (k). Your 3rd party might opt-in to use something else. But RSA with a 2048 bit encryption is the most secure option you can have at the moment. 1024 bit is good, too.

k = rsa： RSA是最典型的用作密钥(k)的密钥。您的第三方可能会选择使用其他内容。但是，目前具有2048位加密的RSA是您最安全的选择。 1024位也很好。

p=<public key>: Instead of ‘<public key>’ you would be provided with either a 1024 bit or 2048 bit string of seemingly random text and numbers or other values suited to whatever encryption the 3rd party decided to utilize.

p = <公钥>：将为您提供1024位或2048位的看似随机的文本和数字或其他值，以适合第三方决定使用的任何加密方式，而不是“ <公钥>”。

TTL = 1小时 (或3600秒)：生存时间，或终止时间。如果要更改电子邮件服务器，您将很高兴未认证的最大间隔为1小时。

设置DMARC： (Setting up DMARC:)

Reminder: In order for the DMARC to do its job, you MUST setup SPF AND DKIM before. Because DMARC verifies SPF & DKIM settings and whether or not the sender suits these settings and is not a spoofer. If SPF & DKIM are not set up, DMARC won’t work and will result in rejected e-mails.

提醒：为了使DMARC能够完成其工作，您必须在之前设置SPF和DKIM。因为DMARC会验证SPF和DKIM设置以及发件人是否适合这些设置，而不是欺骗者。如果未设置SPF和DKIM，则DMARC将不起作用，并会导致电子邮件被拒绝。

Just like with the SPF records you will access your DNS Editor (also called DNS Zone Editor in CPanel), and create a new TXT entry. In this TXT Entry, you should have 3 possible fields: Host, TXT Value / Value & TTL (Time-To-Live). What you will enter in these fields is the following (some details might vary, this is based on a GoDaddy installation with the e-mails being hosted on inmotionhosting.com):Host: _dmarcTXT Value: v=DMARC1;p=reject;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400TTL: 1 Hour

就像使用SPF记录一样，您将访问DNS编辑器(在CPanel中也称为DNS区域编辑器)，并创建一个新的TXT条目。在此TXT条目中，您应该有3个可能的字段：主机，TXT值/值和TTL(生存时间)。您将在这些字段中输入的内容如下(某些细节可能有所不同，这是基于GoDaddy的安装，其中电子邮件托管在inmotionhosting.com上)：主机：_dmarcTXT值：v = DMARC1; p = reject; sp =无; adkim = r; aspf = r; pct = 100; fo = 0; rf = afrf; ri = 86400TTL：1小时

Explanation / Meaning of these settings:

这些设置的解释/含义：

The Host is declared as ‘_dmarc’ because within GoDaddy it will automatically add ‘.johndoe.com’ as a subdomain. This means when an e-mail is being sent out, the DMARC will always be checked under that selector against your domain. If this is not set up properly as ‘_dmarc’, the e-mail servers won’t be able to find your DMARC entry and will automatically fail your e-mail as they believe there is no entry to begin with.

主机被声明为“ _dmarc”，因为在GoDaddy中它将自动添加“ .johndoe.com”作为子域。这意味着当发送电子邮件时，将始终根据您的域在该选择器下检查DMARC。如果未正确将其设置为“ _dmarc”，则电子邮件服务器将无法找到您的DMARC条目，并且由于认为没有任何条目而自动使您的电子邮件失败。

v=DMARC1: Declares the version of the DMARC to clarify what is being used and make authentication more legitimate.

v = DMARC1：声明DMARC的版本，以阐明正在使用的内容并使认证更加合法。

p=reject: E-mails will be rejected from the recipient e-mail server if they don’t match the DMARC records.

p = reject：如果电子邮件与DMARC记录不匹配，则将从收件人电子邮件服务器拒绝电子邮件。

sp=none: Do not check if subdomains and the main domain have aligned settings; this is optional.

sp = none：不检查子域和主域的设置是否对齐；这是可选的。

adkim=r: Whether to be strict (s) or relaxed (r) with the DKIM identifier settings; relaxed is the default.

adkim = r：对DKIM标识符设置是严格(r)还是宽松(r)；默认为宽松。

aspf=r: Whether to be strict (s) or relaxed (r) with the SPF identifier settings; relaxed is the default.

aspf = r：对SPF标识符设置是严格(r)还是宽松(r)；默认为宽松。

pct=100: 100 percent of e-mails are going to be affected by the DMARC. Integer values between 1 to 100 only. The smaller set would make sense only for testing; should be 100 for security purposes.

pct = 100： 100％的电子邮件将受到DMARC的影响。仅在1到100之间的整数值。较小的集合仅对测试有意义；为了安全起见，应为100。

fo=0: A DMARC error report is created if SPF & DKIM fail to be authenticated. 0 is the default value. Others are 1, d and s. 1 is if either one fails, to generate a record. d if the signature failed evaluation. s if SPF evaluation failed.

fo = 0：如果SPF和DKIM未能通过身份验证，则会创建DMARC错误报告。默认值为0。其他为1，d和s。 1是如果其中一个失败，则生成一条记录。 d如果签名评估失败。如果SPF评估失败。

rf=afrf: The formatting for the message failure reports. afrf is the only supported value at the point of this writing.

rf = afrf：消息失败报告的格式。在撰写本文时，afr是唯一受支持的值。

ri=86400: How many seconds passed between sending the report to the sender. 86400 is default which is 24 hours or 1 day. Many of the major mailbox providers such as Gmail, Yahoo, etc. will send more than one report a day.

ri = 86400：在将报告发送给发送方之间经过了几秒钟。默认为86400，即24小时或1天。许多主要的邮箱提供商，例如Gmail，Yahoo等，每天都会发送多个报告。

TTL = 1小时 (或3600秒)：生存时间，或终止时间。如果要更改电子邮件服务器，您将很高兴未认证的最大间隔为1小时。

And that is how you properly authenticate your e-mails. I hope this took some of the mystery and complication out for you. You will be on your way of not getting those troublesome kickbacks from your mailer-daemon anymore!

这就是您正确验证电子邮件的方式。我希望这能给您带来一些神秘和复杂的感觉。您将不再从邮件守护程序中获得麻烦的回扣！

Author:

作者：

Andreas Lopez — https://www.linkedin.com/in/andreaslopez/

安德烈亚斯·洛佩兹(Andreas Lopez)-https: //www.linkedin.com/in/andreaslopez/

Editors:

编辑：

Stevan Pupavac — https://www.linkedin.com/in/stevan-pupavac/

Stevan Pupavac- https: //www.linkedin.com/in/stevan-pupavac/

Frederick Alcantara — https://www.linkedin.com/in/frederick-alcantara/

弗雷德里克·阿尔坎塔拉(Frederick Alcantara)— https://www.linkedin.com/in/frederick-alcantara/

Sources:

资料来源：

GoDaddy Screenshots by DMARCanalyzer.com: https://www.dmarcanalyzer.com/dmarc/dmarc-record-setup-guides/dmarc-setup-guide-godaddy/

DMARCanalyzer.com的GoDaddy屏幕截图： https ：//www.dmarcanalyzer.com/dmarc/dmarc-record-setup-guides/dmarc-setup-guide-godaddy/

翻译自: https://www.freecodecamp.org/news/bananas-stop-email-bouncebacks-spf-dmarc-dkim/

zoho配置dmarc