惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Generate 2048-bit DKIM key pair
Dhiraj Chatp · 2026-05-19 · via DEV Community

Why Email Authentication Matters More Than Ever in 2026

Email was designed in 1982 with no authentication. Anyone could send email claiming to be from any address — the "From" field was (and remains) trivially forgeable. This is why email spam, phishing, and spoofing became existential problems.

Authentication mechanisms solve this by cryptographically proving that:

  1. The sending server is authorized to send for the claimed domain (SPF)
  2. The message was not altered in transit (DKIM)
  3. The domain's published policies are being followed (DMARC)

Without these, your sending domain is a forgery risk — and ISPs know it.

2024 Gmail/Yahoo requirements (mandatory for bulk senders):

  • SPF or DKIM must pass for your domain
  • DMARC alignment required (From domain matches DKIM domain)
  • One-click unsubscribe in headers (RFC 8058)
  • Valid TLS connection required

Failure to comply means your emails are classified as spam or rejected entirely, regardless of content quality.


SPF: Sender Policy Framework

How SPF Works

SPF allows domain owners to publish a list of IP addresses authorized to send email for their domain. Receiving mail servers check the SPF record and reject or flag mail from unauthorized IPs.

DNS lookup flow:

  1. Receiving server sees From: sender@example.com
  2. DNS query: example.com TXT record
  3. SPF record specifies: v=spf1 ip4:203.0.113.0/24 include:_spf.example.com ~all
  4. If sending IP is in the allowed range → SPF pass
  5. If not → SPF fail (what happens next is determined by DMARC policy)

SPF Record Syntax

Basic SPF record:

v=spf1 ip4:203.0.113.0/24 ~all

Enter fullscreen mode Exit fullscreen mode

Mechanism Example Meaning
ip4 ip4:192.0.2.0/24 Specific IPv4 or CIDR
ip6 ip6:2001:db8::/32 IPv6 range
include include:_spf.example.com Include another domain's SPF
mx mx Authorized MX servers
a a A record of the domain
all ~all (softfail), -all (fail) Default result

Important: Avoid ~all for production. Use -all (fail) once you've confirmed all legitimate senders are included. -all tells receiving servers to reject unauthorized mail.

SPF for Multiple IP Ranges and Third-Party Senders

If you send through multiple services (KumoMTA, SendGrid, Mailgun), include them all:

v=spf1 ip4:203.0.113.0/24 include:sendgrid.net include:servers.mcsv.net -all

Enter fullscreen mode Exit fullscreen mode

SPF Lookup Limit Issue

Critical: SPF has a 10 DNS lookup limit (RFC 7208). Each include: counts as a lookup. Exceeding 10 lookups causes permerror — the receiving server ignores your SPF record entirely.

Solution: Use include: sparingly. If you have many third-party senders, use dedicated subdomains for each (e.g., sendgrid._spf.example.com) with their own SPF records.

SPF in KumoMTA

KumoMTA respects SPF for relay and forwarding scenarios. Ensure your KumoMTA server's IP is in your domain's SPF record:

v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 include:_spf.example.com -all

Enter fullscreen mode Exit fullscreen mode


DKIM: DomainKeys Identified Mail

How DKIM Works

DKIM attaches a cryptographic signature to every outbound message. The receiving server verifies the signature using the public key published in DNS. If the signature is valid and the From domain matches the DKIM domain → DKIM pass.

Why DKIM matters more than SPF in 2026:

  • SPF fails for forwarded mail (the forwarding server's IP isn't in your SPF record)
  • DKIM survives forwarding because the signature is in the message headers
  • Gmail and Yahoo both require DKIM pass for bulk sender compliance

Generate DKIM Keys

# Generate 2048-bit DKIM key pair
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

# File naming convention: SELECTOR._domainkey.DOMAIN
# Example: mail._domainkey.example.com
mv dkim_private.pem mail._domainkey.example.com.pem

Enter fullscreen mode Exit fullscreen mode

Selector convention: Use mail as your default selector. For multiple sending systems, use distinct selectors: kumo._domainkey, sendgrid._domainkey, etc.

DKIM DNS Record

Publish the public key as a TXT record:

mail._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

Enter fullscreen mode Exit fullscreen mode

Verify your DKIM:

# Using dig
dig TXT mail._domainkey.example.com +short

# Using a DKIM checker
# https://dkimcore.org/tools/

Enter fullscreen mode Exit fullscreen mode

DKIM Setup in KumoMTA

-- /etc/kumomta/kumomta.conf

-- DKIM signing configuration
kumo.configure_dkim_signing {
    domain = "example.com",
    selector = "mail",
    key_file = "/etc/kumomta/keys/mail._domainkey.example.com.pem",
    -- Sign these headers for best compatibility
    headers = {
        "From",
        "To",
        "Subject",
        "Date",
        "Message-ID",
        "Content-Type",
        "MIME-Version",
    },
}

-- Multi-tenant DKIM (different selectors per customer)
kumo.on("smtp_message_received", function(domain, meta)
    local tenant = meta.tenant or "default"
    local tenant_config = get_tenant_dkim_config(tenant)

    if tenant_config then
        kumo.sign_dkim(tenant_config.domain, tenant_config.selector, tenant_config.key_file)
    end
end)

Enter fullscreen mode Exit fullscreen mode

DKIM in PowerMTA

# /etc/pmta/config
domain-key example.com,mail,/etc/pmta/dkim/example.com.pem

# Sign all outbound mail
dkim-sign yes

Enter fullscreen mode Exit fullscreen mode

DKIM in Postfix (via OpenDKIM)

# /etc/opendkim.conf
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table

# /etc/opendkim/key.table
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

# /etc/opendkim/signing.table
*@example.com mail._domainkey.example.com

Enter fullscreen mode Exit fullscreen mode


DMARC: Domain-based Message Authentication, Reporting & Conformance

How DMARC Works

DMARC ties SPF and DKIM together with domain alignment policy. It tells receiving servers what to do when SPF or DKIM fails, and sends you reports about authentication results.

DMARC record format:

_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

Enter fullscreen mode Exit fullscreen mode

Parameters:

  • v=DMARC1 — Version (must be first)
  • p= — Policy: none (monitor only), quarantine (mark as spam), reject (block)
  • rua= — Aggregate report destination (email)
  • ruf= — Forensic report destination (detailed failures)
  • pct= — Percentage of mail subject to DMARC (start with 1-10%, increase gradually)
  • sp= — Subdomain policy (same as p, or different)
  • adkim= — Alignment mode: r (relaxed) or s (strict)
  • aspf= — Alignment mode: r (relaxed) or s (strict)

DMARC Alignment Modes

Relaxed alignment (r): The organizational domain must match. Subdomains are acceptable.

  • From: newsletter@example.com matches DKIM: example.com

Strict alignment (s): The domains must match exactly.

  • From: newsletter@example.com requires DKIM: example.com
  • From: newsletter@mail.example.com requires DKIM: mail.example.com

DMARC Reporting

DMARC aggregate reports (sent to rua=) tell you:

  • Which sources are sending mail for your domain
  • SPF pass/fail rates
  • DKIM pass/fail rates
  • Which messages pass or fail alignment

Free DMARC analyzers:

  • dmarcian.com (free tier)
  • mxtoolbox.com (DMARC lookup + reports)
  • postmarkapp.com (DMARC report parsing)

DMARC for Multi-Tenant Senders

If you send for multiple brands (SaaS platform), use subdomains for each customer:

_dmarc.customer1.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

Enter fullscreen mode Exit fullscreen mode

This isolates each customer's DMARC policy while you aggregate reports.


BIMI: Brand Indicators for Message Identification

BIMI displays your brand logo next to your emails in supporting mail clients (Apple Mail, FastMail, Google Workspace). Not required for deliverability, but improves open rates and brand trust.

BIMI requirements:

  1. DMARC policy must be p=quarantine or p=reject
  2. You need a BIMI Record published in DNS
  3. You need a Verified Mark Certificate (VMC) — issued by Brand Indicators for Message Identification (Bimi) approved issuers

BIMI DNS record:

default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi.pem"

Enter fullscreen mode Exit fullscreen mode

VMC Issuers:

  • DigiCert
  • Entrust Datacard
  • Google (for Google Workspace domains)

MTA-STS: SMTP MTA Strict Transport Security

MTA-STS forces TLS encryption for email delivery between mail servers, preventing downgrade attacks. Unlike STARTTLS (which is opportunistic), MTA-STS requires a valid certificate.

MTA-STS policy file (host at https://mta-sts.example.com/.well-known/mta-sts.txt):

version: STSv1
mode: enforce
mx: mail.example.com
mx: mail2.example.com
max_age: 86400

Enter fullscreen mode Exit fullscreen mode

MTA-STS DNS record:

mta-sts.example.com IN TXT "v=1; id=1"

Enter fullscreen mode Exit fullscreen mode

MTA-STS in KumoMTA:

kumo.configure_tls {
    min_tls_version = "1.3",
    -- MTA-STS is enforced by the receiving server,
    -- but KumoMTA's TLS 1.3 config satisfies requirements
}

Enter fullscreen mode Exit fullscreen mode


DANE: DNS-based Authentication of Named Entities

DANE uses TLSA records in DNS to bind your TLS certificate to your domain, preventing MITM attacks on SMTP connections.

DANE TLSA record:

_25._tcp.mail.example.com IN TLSA 3 1 1 <certificate_hash>

Enter fullscreen mode Exit fullscreen mode

Not widely deployed yet, but important for high-security environments.


Authentication Checklist by Platform

Requirement KumoMTA PowerMTA Postfix SendGrid Amazon SES
SPF ✓ Config in DNS ✓ Config in DNS ✓ Config in DNS ✓ Built-in ✓ Built-in
DKIM ✓ Lua config ✓ Built-in ✗ OpenDKIM needed ✓ Built-in ✓ Built-in
DMARC ✓ DNS ✓ DNS ✓ DNS ✓ DNS ✓ DNS
TLS 1.3 ✓ Native ✓ Config ✓ Config
MTA-STS ✓ (receiving) ✓ (receiving) ✓ (receiving)
1-click unsubscribe ✓ Lua ✓ Config

Common Authentication Failures

SPF Failures

Symptom: SPF fails for some recipients
Common causes:

  • Sending from new IP not in SPF record → Add IP to record
  • Using third-party sender not in SPF → Add their include
  • Forwarding breaks SPF → Use DKIM as primary, SPF as secondary

DKIM Failures

Symptom: DKIM fail for valid signed mail
Common causes:

  • Selector mismatch → Check selector matches DNS record
  • Message altered after signing (e.g., adding headers) → Sign after all modifications
  • Key corruption → Regenerate key pair
  • Wrong domain in DKIM signature → Must align with From domain

DMARC Failures

Symptom: DMARC fails even with SPF and DKIM passing
Common causes:

  • Alignment issue → DKIM domain must match From domain (or subdomain)
  • Relaxed vs strict alignment → Use adkim=r initially
  • Subdomain mismatch → Add sp= record for subdomains

FAQ

Q: Can I have both SPF and DKIM fail and still pass DMARC?
A: No. DMARC requires AT LEAST one of SPF or DKIM to pass AND alignment. Both failing = DMARC fail.

Q: Should I start with DMARC policy p=none or go straight to p=quarantine?
A: Start with p=none for 2-4 weeks to collect aggregate reports and see your authentication baseline. Then move to p=quarantine, then p=reject.

Q: Does DMARC override SPF or DKIM?
A: No. DMARC is a reporting and policy layer on top of SPF and DKIM. You still need both SPF and DKIM configured correctly.

Q: How do I handle SPF for email forwarded by recipients?
A: This is a known limitation of SPF. Use DKIM as your primary authentication — it survives forwarding because the signature is in the message headers.

Q: What's the DMARC 10% pct limit for?
A: It lets you gradually enforce DMARC. Set pct=10 initially so 10% of failing mail is subject to policy. Increase to 100% once you've resolved all legitimate sending sources.


Get Help With Email Authentication

PostMTA audits and implements full email authentication for enterprise senders:

  • SPF, DKIM, DMARC audit and configuration
  • Multi-tenant DKIM setup for SaaS platforms
  • DMARC report analysis and policy optimization
  • Gmail/Yahoo 2024 compliance implementation
  • BIMI and MTA-STS deployment

👉 Schedule authentication audit →

For related guides, see KumoMTA Setup Guide, IP Warmup Strategies, and Bounce Rate Reduction Guide.

References: RFC 7208 (SPF) | RFC 6376 (DKIM) | RFC 7489 (DMARC) | Google Postmaster Tools