Problem: outbound mail to Gmail is rejected, and the bounce reads:
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26 Your email has been blocked because the sender is unauthenticated.
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26 Authentication results:
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26 DKIM = did not pass
[08F8:0011-0964] 2024/12/26 15:24:03 [08F8:0011-0964] SMTPClient: ReceiveResponse: 550-5.7.26 SPF [xyz.com.cn] with ip: [123.45.67.89] = did not pass
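Cause: to prevent spam, Gmail enables DKIM and SPF checks by default.
DKIM setup steps for the Domino outbound server:
- Create the Credstore, which stores the keys (public and private) needed for encryption and decryption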
keymgmt create nek 2025
keymgmt create nek credstorekey
keymgmt create credstore 2025
keymgmt create credstore credstorekey
- Create and export the DKIM key
keymgmt create DKIM xyz.com.cn 20251 RSA 1024
keymgmt export DKIM DNS xyz.com.cn 20251 xyzdkim-20251.txt
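Note: if the DNS service places no limit on the length of a TXT record, you can change 1024 to 2048 when creating the DKIM key.
Contents of the exported xyzdkim-20251.txt: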
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNN8zL0MuiUcrK+JVGAfAsbxa2DWW03mdjQvppga3mz0xdiSapLWIryDjwoDhvtnds5CIdDDrvpzQUfirhm4uJD55MuxeQ7YjJC0paY6eZOKxYJID0OLDXv68tLOgb9UOPQBKMSl/AfJhks35OZHnqqNu1LkVgNfJZUBnNl1Pj+wIDAQAB;
- Add the notes.ini parameters on the Domino outbound mail server
DKIM_KEY_xyz.com.cn=20251
DKIM_KEY_xyz.info=xyz.com.cn;20251
RouterDKIMSigning=1
- Update DNS and add the TXT record
20251._domainkey.xyz.com.cn TTL 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNN8zL0MuiUcrK+JVGAfAsbxa2DWW03mdjQvppga3mz0xdiSapLWIryDjwoDhvtnds5CIdDDrvpzQUfirhm4uJD55MuxeQ7YjJC0paY6eZOKxYJID0OLDXv68tLOgb9UOPQBKMSl/AfJhks35OZHnqqNu1LkVgNfJZUBnNl1Pj+wIDAQAB"
Website for checking the DNS record:
https://www.whatsmydns.net/#TXT/20251._domainkey.xyz.com.cn
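How outbound delivery works:
- Domino SMTP adds the DKIM signature: using the RSA algorithm, it encrypts a digest of the message fields (sender, recipients, CC, message ID, date, subject, MIME version, reply-to address, Content-Type) with the private key and stores the result in the bh and b values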
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xyz.com.cn; s=20251; t=1735265872; bh=ptOF1ptqdXcmCzgNYmW+s1cFgM0i0c7UeeUol3HqsaY=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:from:to:
cc:bcc:subject:date:message-id:reply-to:sender; b=SEM5qM1/LYDncC6zzCa9V0RcNlfA2YXpBeXGInVefoKkRIUnpB0bAwiBKGR9GSNkJ
YNMjCLo3mHOy/Sbkyemj/42eGh8iSl0bnNO2S9xa4CfVIlU6pXvQ/5jiGnXZ5FTyVt
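cMJJRkz2IbNPaTZJSMXifbiHkKxrTI/8n5MRRlcg=
- The receiving server performs a lookup based on s. Taking mail from gmail.com as an example: seeing that s is 20230601, it queries the TXT record of 20230601._domainkey.gmail.com and gets this result: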
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAntvSKT1hkqhKe0xcaZ0x+QbouDsJuBfby/S82jxsoC/SodmfmVs2D1KAH3mi1AqdMdU12h2VfETeOJkgGYq5ljd996AJ7ud2SyOLQmlhaNHH7Lx+Mdab8/zDN1SdxPARDgcM7AsRECHwQ15R20FaKUABGu4NTbR2fDKnYwiq5jQyBkLWP+LgGOgfUF4T4HZb2 PY2bQtEP6QeqOtcW4rrsH24L7XhD+HSZb1hsitrE0VPbhJzxDwI4JF815XMnSVjZgYUXP8CxI1Y0FONlqtQYgsorZ9apoW1KPQe8brSSlRsi9sXB/tu56LmG7tEDNmrZ5XUwQYUUADBOu7t1niwXwIDAQAB
- It uses p to decrypt the bh value and compares the result with the message fields; if they match the message is accepted, otherwise it is rejected
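An added example, not part of the original post and not HCL's code: a Python check that takes the DKIM-Signature tags and the exported TXT value shown on this page, derives the DNS name a receiver queries from s= and d=, and reads the RSA modulus size out of p=, so a 1024-bit key or a revoked (empty) key is caught before mail is sent. The function names and the 2048-bit threshold (the SHOULD in RFC 8301) are choices made for this example.

```python
import base64

# Copied from this page: signature tags (h=, bh=, b= omitted) and the exported TXT value.
SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=xyz.com.cn; s=20251; t=1735265872"
TXT = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNN8zL0MuiUcrK+JVGAfAs"
       "bxa2DWW03mdjQvppga3mz0xdiSapLWIryDjwoDhvtnds5CIdDDrvpzQUfirhm4uJD55MuxeQ7YjJC0pa"
       "Y6eZOKxYJID0OLDXv68tLOgb9UOPQBKMSl/AfJhks35OZHnqqNu1LkVgNfJZUBnNl1Pj+wIDAQAB;")

def parse_tags(value):
    """Split an RFC 6376 tag-list ("k=v; k=v") into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def query_name(sig):
    """DNS name the receiver queries: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(key):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(key["p"], validate=True)
    _, pos, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, pos = _tlv(der, pos)        # skip AlgorithmIdentifier
    _, pos, _ = _tlv(der, pos)        # BIT STRING
    _, pos, _ = _tlv(der, pos + 1)    # skip unused-bits byte, enter RSAPublicKey
    tag, start, end = _tlv(der, pos)  # INTEGER modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(der[start:end], "big").bit_length()

def check(sig_header, txt_record):
    """Return (DNS query name, RSA bits, findings) for a signature/record pair."""
    sig, key = parse_tags(sig_header), parse_tags(txt_record)
    if not key.get("p"):  # RFC 6376: an empty p= means the key has been revoked
        return query_name(sig), 0, ["key revoked (empty p=)"]
    bits, findings = rsa_bits(key), []
    if bits < 2048:  # RFC 8301: signers SHOULD use RSA keys of at least 2048 bits
        findings.append(f"{bits}-bit RSA key, 2048 recommended")
    return query_name(sig), bits, findings
```

Calling `check(SIG, TXT)` returns the query name, the key size and a list of findings; pass the TXT value actually returned by DNS to confirm the published record matches the exported one.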
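Note: to make sure delivery succeeds, be sure to have the DNS administrator check that the Sender Policy Framework (SPF) setup is complete.
The prerequisite is that the outbound SMTP servers have fixed public IP addresses; add a TXT record to DNS in the following format: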
v=spf1 ip4:123.45.67.89 ip4:111.222.33.44 ~all
This assumes two outbound IPs, 123.45.67.89 and 111.222.33.44.
Verify with nslookup:
>set type=txt
>xyz.com.cn
非权威应答:
xyz.com.cn text ="v=spf1 ip4:123.45.67.89 ip4:111.222.33.44 ~all"
References:
https://blog.csdn.net/sdexcel/article/details/140511902
https://www.whatsmydns.net/#TXT/20230601._domainkey.gmail.com
https://help.hcl-software.com/domino/12.0.0/admin/conf_dkimsigning.html