Spam protection

Receiver

DNSBLs (DNS-based blocklists) can be used to avoid or at least reduce spam. They list IP addresses that have been reported for sending spam, running open relays or proxies, or that belong to dynamic ranges that should never deliver mail directly; the receiving server looks up every connecting client in them via DNS.

A good collection of DNSBL lists is the one used by Mailcow.

For integration with Postfix, the following block goes into main.cf. It relies on postscreen, so postscreen also has to be enabled in master.cf (the commented-out smtp inet ... postscreen, smtpd pass and dnsblog unix entries of the stock file), otherwise these settings have no effect. Every list carries a weight: postscreen adds up the weights of all lists on which a connecting client is found and rejects the client once the sum reaches postscreen_dnsbl_threshold. Negative weights belong to whitelists (list.dnswl.org, wl.mailspike.net, hostkarma 127.0.0.1) and pull the score down, and a reply pattern such as =127.0.0.[4..7] restricts a weight to specific answers of that list. With postscreen_dnsbl_action = enforce the client is allowed to continue and is rejected with a 550 reply when it tries to deliver (so sender and recipient end up in the log); drop would hang up immediately.

postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-4
  list.dnswl.org=127.0.[0..255].2*-6
  list.dnswl.org=127.0.[0..255].3*-8
  ix.dnsbl.manitu.net*2
  bl.spamcop.net*2
  bl.suomispam.net*2
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*2
  hostkarma.junkemailfilter.com=127.0.1.2*1
  backscatter.spameatingmonkey.net*2
  bl.ipv6.spameatingmonkey.net*2
  bl.spameatingmonkey.net*2
  b.barracudacentral.org=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
postscreen_dnsbl_threshold = 6
postscreen_dnsbl_ttl = 5m
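To see what the weights and the threshold actually do, here is a small simulation of postscreen's scoring, added as an example (not code from the original post or from Postfix). It parses a subset of the postscreen_dnsbl_sites lines above in Postfix's own syntax, applies constructed DNSBL answers (no real lookups) and decides like postscreen does: reject once the summed weight reaches postscreen_dnsbl_threshold.

```python
"""Simulate Postfix postscreen's weighted DNSBL scoring for the configuration
shown above. Added example, not Postfix code; the DNSBL answers are
constructed, not real lookups."""
import re

# Subset of the postscreen_dnsbl_sites entries from the configuration above,
# in the syntax Postfix uses: domain[=reply-pattern][*weight].
DNSBL_SITES = """
wl.mailspike.net=127.0.0.[18;19;20]*-2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].3*-8
bl.spamcop.net*2
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
"""
THRESHOLD = 6  # postscreen_dnsbl_threshold from the configuration above


def _expand_octet(part):
    """Expand one octet of a reply pattern: '5', '[10;11]' or '[0..255]' -> set of ints."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", part)
    if m:
        return set(range(int(m.group(1)), int(m.group(2)) + 1))
    m = re.fullmatch(r"\[([\d;]+)\]", part)
    if m:
        return {int(x) for x in m.group(1).split(";")}
    return {int(part)}


def parse_sites(text):
    """Parse 'domain[=pattern][*weight]' entries into (domain, octet_sets, weight)."""
    rules = []
    for entry in text.split():
        site, _, weight = entry.partition("*")
        domain, _, pattern = site.partition("=")
        octets = None  # no pattern: any A record returned by the list counts
        if pattern:
            octets = [_expand_octet(p) for p in re.findall(r"\[[^\]]*\]|\d+", pattern)]
        rules.append((domain, octets, int(weight) if weight else 1))  # default weight is 1
    return rules


RULES = parse_sites(DNSBL_SITES)


def _matches(octets, answer):
    """True if a DNSBL A-record answer (dotted quad) fits the rule's reply pattern."""
    if octets is None:
        return True
    parts = [int(p) for p in answer.split(".")]
    return len(parts) == len(octets) and all(p in ok for p, ok in zip(parts, octets))


def score(rules, answers):
    """Add up the weights of every rule whose list returned a matching answer.

    answers maps a DNSBL domain to the A records it returned for the client IP;
    a missing key means "not listed". Each rule counts at most once."""
    total = 0
    for domain, octets, weight in rules:
        if any(_matches(octets, a) for a in answers.get(domain, [])):
            total += weight
    return total


def verdict(rules, answers, threshold=THRESHOLD):
    """postscreen's decision: reject as soon as the score reaches the threshold."""
    s = score(rules, answers)
    return ("reject" if s >= threshold else "accept"), s


if __name__ == "__main__":
    samples = {  # constructed answers for four hypothetical clients
        "listed on SBL and XBL": {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]},
        "spamcop only": {"bl.spamcop.net": ["127.0.0.2"]},
        "spamcop + barracuda": {"bl.spamcop.net": ["127.0.0.2"],
                                "b.barracudacentral.org": ["127.0.0.2"]},
        "same, but on dnswl (hi)": {"bl.spamcop.net": ["127.0.0.2"],
                                    "b.barracudacentral.org": ["127.0.0.2"],
                                    "list.dnswl.org": ["127.0.5.3"]},
    }
    for label, answers in samples.items():
        print(f"{label:26s} -> {verdict(RULES, answers)}")
```

The fourth sample is the one worth noticing: a client on two blocklists (score 9) still gets through if it also has a high-trust dnswl.org entry (-8), which is exactly why the whitelist weights in the Mailcow set are so large.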

Additionally, a recursive DNS resolver such as Unbound or PowerDNS Recursor should run on the mail server itself, and /etc/resolv.conf should point at it. Several of the lists above, Spamhaus among them, refuse or rate-limit queries that arrive through large public resolvers (Google, Cloudflare and the like), and a refused query looks to postscreen like "not listed", which silently disables the check.

Sender

To avoid mails from your own server being classified as spam by the receiving side, a few countermeasures can be taken.

The basic ones are RDNS, SPF, DKIM and DMARC.

To check the mail server configuration I recommend the test from internet.nl. First of all, make sure that the mail server IP is not on any DNSBL; dnsbl.info and multirbl.valli.org query a large number of lists at once.

RDNS (Reverse DNS)

Reverse DNS (a PTR record) maps the sending IP back to a hostname. This hostname must be the FQDN of your own mail server, i.e. the name it announces in HELO/EHLO, and the forward lookup (A/AAAA) of that name must point back to the same IP (forward-confirmed reverse DNS). Many receivers score or reject mail from hosts whose PTR is missing or does not match.

As an example: my mail server has the FQDN mx.lars-lehmann.net, the IPv4 address 213.95.149.188 and the IPv6 address 2001:780:250::dead, so the PTR records look like this.

188.149.95.213.in-addr.arpa. 86400 IN PTR mx.lars-lehmann.net.
d.a.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.2.0.0.8.7.0.1.0.0.2.ip6.arpa. 3600 IN PTR mx.lars-lehmann.net.
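The reverse names above are easy to get wrong by hand, especially the 32 nibbles for IPv6. The following script, added here as an example (not part of the original post), derives them with Python's standard library and performs the forward-confirmed check against a small in-memory zone constructed for the example, so it runs offline; swap lookup() for a real resolver to use it on live DNS. The 192.0.2.x host is hypothetical and exists only to show a failing case.

```python
"""Reverse-zone names and a forward-confirmed reverse DNS (FCrDNS) check.
Added example, not code from the original post; DNS data is constructed."""
import ipaddress

# Constructed zone data mirroring the post's example host plus one broken host.
ZONE = {
    ("mx.lars-lehmann.net", "A"): ["213.95.149.188"],
    ("mx.lars-lehmann.net", "AAAA"): ["2001:780:250::dead"],
    ("188.149.95.213.in-addr.arpa", "PTR"): ["mx.lars-lehmann.net"],
    (ipaddress.ip_address("2001:780:250::dead").reverse_pointer, "PTR"): ["mx.lars-lehmann.net"],
    # Hypothetical host whose PTR names a host that does not resolve back to it.
    ("1.2.0.192.in-addr.arpa", "PTR"): ["smtp.example.org"],
    ("smtp.example.org", "A"): ["192.0.2.99"],
}


def lookup(name, rtype):
    """Stand-in resolver: returns the record data for (name, type) or []."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def ptr_name(ip):
    """Owner name in in-addr.arpa / ip6.arpa for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_record(ip, hostname, ttl=86400):
    """Render the PTR record line as it appears in the reverse zone."""
    return f"{ptr_name(ip)}. {ttl} IN PTR {hostname.rstrip('.')}."


def fcrdns(ip):
    """Return (ok, hostname). ok is True only if ip -> PTR -> A/AAAA leads back to ip."""
    addr = ipaddress.ip_address(ip)
    names = lookup(addr.reverse_pointer, "PTR")
    if not names:
        return False, None                      # no PTR at all
    rtype = "AAAA" if addr.version == 6 else "A"
    for name in names:
        forward = {ipaddress.ip_address(a) for a in lookup(name, rtype)}
        if addr in forward:
            return True, name
    return False, names[0]                      # PTR exists but is not confirmed


if __name__ == "__main__":
    for ip in ("213.95.149.188", "2001:780:250::dead"):
        print(ptr_record(ip, "mx.lars-lehmann.net"))
    for ip in ("213.95.149.188", "2001:780:250::dead", "192.0.2.1", "192.0.2.7"):
        print(ip, "->", fcrdns(ip))
```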

SPF

An SPF record in DNS declares which mail servers are allowed to send mail for a domain. It is stored as a plain TXT record at the domain's apex and is evaluated by the receiver against the connecting IP and the envelope sender (MAIL FROM) domain. For example, to authorize only the hosts listed in the domain's MX records, the following entry is sufficient. The final -all means every other sender fails (receivers may reject outright); ~all would only mark them as softfail, which is the safer choice while you are still unsure that all legitimate senders are covered.

lars-lehmann.net. 86400 IN TXT "v=spf1 mx -all"
A simple generator can be found here.
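To make the evaluation concrete, here is a minimal SPF checker, added as an example (not code from the original post or from any SPF library). It handles the mechanisms a small domain typically uses (ip4, ip6, a, mx and all with the +, -, ~ and ? qualifiers) and resolves against a constructed DNS table containing the record above; include, redirect, exists, ptr and macros from RFC 7208 are deliberately not implemented, and the second domain (example.org) is hypothetical.

```python
"""Minimal SPF evaluation for ip4/ip6/a/mx/all. Added example, not an RFC 7208
implementation; DNS data is constructed for the example."""
import ipaddress

ZONE = {
    ("lars-lehmann.net", "TXT"): ["v=spf1 mx -all"],
    ("lars-lehmann.net", "MX"): ["mx.lars-lehmann.net"],
    ("mx.lars-lehmann.net", "A"): ["213.95.149.188"],
    ("mx.lars-lehmann.net", "AAAA"): ["2001:780:250::dead"],
    # Hypothetical domain with an explicit range, an 'a' mechanism and softfail.
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 a ~all"],
    ("example.org", "A"): ["198.51.100.5"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the record data for (name, type) or []."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def _host_has_ip(host, ip):
    """Does the host's A (or AAAA, for IPv6 clients) record set contain ip?"""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, rtype))


def check_spf(domain, client_ip):
    """Evaluate the SPF record of the MAIL FROM domain for the connecting IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"  # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_has_ip(arg or domain, ip)
        elif name == "mx":
            matched = any(_host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include, redirect, exists, ptr, macros: not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # record ended without a matching mechanism


if __name__ == "__main__":
    for domain, ip in (("lars-lehmann.net", "213.95.149.188"),
                       ("lars-lehmann.net", "2001:780:250::dead"),
                       ("lars-lehmann.net", "203.0.113.9"),
                       ("example.org", "192.0.2.77"),
                       ("example.org", "203.0.113.9")):
        print(f"{domain:18s} {ip:20s} -> {check_spf(domain, ip)}")
```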

DKIM

DKIM (DomainKeys Identified Mail) lets a receiver check that a mail was signed by a server holding the domain's private key and that the signed headers and the body were not altered in transit. The public key is published as a TXT record at selector._domainkey.<domain> in the sender's zone. When sending, the mail server adds a DKIM-Signature header that names the signing domain (d=) and selector (s=), lists the signed header fields (h=), carries a hash of the canonicalized body (bh=) and the signature over the canonicalized headers (b=) computed with the private key; the receiver fetches the key named by d= and s= from DNS and validates the signature.
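The part of DKIM that most often goes wrong in practice is canonicalization, not the cryptography: if the signer and the verifier do not see byte-identical input, the signature fails even with the right key. The script below is added as an example (not code from the original post or from any DKIM library) and implements the "relaxed" canonicalization of RFC 6376 for headers and body, the bh= body hash, the exact byte string that is handed to the private key, and the conversion of a PEM public key into the p= value of the DNS record. The RSA-SHA256 signature step itself needs a crypto library (for example the cryptography package) and is intentionally left out; the selector "mail" and all message content are constructed for the example.

```python
"""DKIM relaxed canonicalization, body hash and signing input (RFC 6376).
Added example, not library code; the message and selector are constructed."""
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing whitespace on each line, collapse runs of
    SP/TAB to one SP, drop empty lines at the end, end a non-empty body with one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the field name, unfold continuation lines,
    collapse whitespace, no whitespace around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signing_input(headers, body, domain, selector):
    """Return (dkim_signature_value, data).

    dkim_signature_value is the DKIM-Signature field with b= still empty;
    data is the exact byte string the signer signs with the domain's private
    key (RSA-SHA256 for a=rsa-sha256). headers is the ordered list of
    (name, value) pairs that will be listed in h=."""
    dkim = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(n for n, _ in headers), body_hash(body)))
    data = "".join(relaxed_header(n, v) for n, v in headers)
    # The signature field itself comes last: canonicalized, b= empty, no final CRLF.
    data += relaxed_header("DKIM-Signature", dkim).rstrip("\r\n")
    return dkim, data.encode("utf-8")


def pem_to_p(pem):
    """p= value for the DNS record: the base64 DER body of a PEM public key
    with the BEGIN/END lines and line breaks removed."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def dns_record(domain, selector, pem):
    """The TXT record a receiver fetches for d=domain, s=selector."""
    return f'{selector}._domainkey.{domain}. IN TXT "v=DKIM1; k=rsa; p={pem_to_p(pem)}"'


if __name__ == "__main__":
    # Constructed message; "mail" is a hypothetical selector.
    hdrs = [("From", "mail@example.org"), ("To", "someone@example.net"),
            ("Subject", "DKIM  canonicalization\r\n  test")]
    sig, data = signing_input(hdrs, "Hello   world \t\r\n\r\n", "example.org", "mail")
    print(sig)
    print(data.decode())
```

A quick sanity check on a real server: take a message from the queue, run body_hash() over its body and compare with the bh= tag of the DKIM-Signature your signer produced. If they differ, the signer and you disagree about line endings or trailing whitespace, and that is where to look before touching keys.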

DMARC

DMARC is a policy published as a TXT record at _dmarc.<domain> for the domain in the From: header of the sender. It tells receivers what to do when a mail passes neither SPF nor DKIM with an aligned domain (p=none, quarantine or reject) and where to send aggregate reports (rua=). Alignment is the point that SPF and DKIM on their own lack: the domain that produced the SPF pass (the envelope sender) or the DKIM pass (d=) must match the From: domain, either exactly (strict) or at the organizational level (relaxed), so an attacker cannot pass SPF for their own domain while showing your domain in From:.
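The decision a receiver makes from all this can be written in a few dozen lines. The following evaluator is added as an example (not code from the original post or from any DMARC implementation): it parses a record, applies the alignment rules for SPF and DKIM, and falls back to sp= for subdomains. The record shown for _dmarc.lars-lehmann.net and all message identities are constructed, and the organizational-domain lookup is approximated as "last two labels"; a real implementation must consult the Public Suffix List.

```python
"""DMARC record parsing and policy evaluation with identifier alignment.
Added example; the record and all message identities are constructed."""

# Constructed record, as it could be published at _dmarc.lars-lehmann.net (hypothetical).
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc@lars-lehmann.net")


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; adkim=s' -> dict of tags with DMARC defaults filled in."""
    tags = {"v": "", "p": None, "sp": None, "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags["v"].upper() != "DMARC1" or tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def is_valid_record(txt):
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real code
    must use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").rsplit(".", 2)[-2:])


def aligned(identity_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, b = identity_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, policy_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return ('pass', None) or ('fail', action) where action is the policy to apply.

    policy_domain: domain the record was fetched for (From: domain or its org domain)
    spf_domain:    MAIL FROM domain that produced spf_result
    dkim_domain:   d= of the signature that produced dkim_result (None if unsigned)"""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", None
    action = tags["p"]
    # sp= applies when From: is a subdomain of the domain that publishes the record.
    if tags["sp"] and from_domain.lower().rstrip(".") != policy_domain.lower().rstrip("."):
        action = tags["sp"]
    return "fail", action


if __name__ == "__main__":
    cases = {  # constructed messages claiming From: lars-lehmann.net
        "legit, SPF via bounce subdomain": ("lars-lehmann.net", "pass", "bounce.lars-lehmann.net", "fail", None),
        "spoofed From:, attacker's own SPF": ("lars-lehmann.net", "pass", "attacker.example", "fail", None),
        "DKIM d= subdomain but adkim=s": ("lars-lehmann.net", "fail", "lars-lehmann.net", "pass", "mx.lars-lehmann.net"),
        "subdomain From:, nothing passes": ("news.lars-lehmann.net", "fail", "x.example", "fail", None),
    }
    for label, args in cases.items():
        print(f"{label:36s} -> {evaluate(EXAMPLE_RECORD, 'lars-lehmann.net', *args)}")
```

The second case is the attack DMARC exists for: the attacker's server passes SPF for attacker.example, but because that domain is not aligned with the From: header the mail is rejected anyway. The third case shows why adkim=s needs care: a signature with d=mx.lars-lehmann.net is perfectly valid DKIM but does not count for DMARC under strict alignment.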