电子邮件邮箱设置 域名密钥识别邮件(DKIM) 电子邮件验证系统 防止电子邮件被伪造和篡改 减少垃圾邮件或钓鱼攻击的风险 Zoho Mail 视频教程设置邮箱

cab

域名密钥识别邮件 (DKIM) 是一种电子邮件验证系统，它通过加密来验证电子邮件是否是由域名管理员配置的授权服务器发送的。要启用 DKIM，您需要在 DNS 提供商那里添加一个选择器，并指定生成的 TXT 记录的值，以激活您域名的 DKIM。
DKIM 的作用：

• DKIM 有助于防止电子邮件被伪造和篡改，它确保收件人能够确认邮件确实来自于指定的域名。
• 通过添加加密签名，接收方的服务器可以验证邮件的真实性，减少垃圾邮件或钓鱼攻击的风险。
  
  

状态：要不要开启？建议开启 DKIM，特别是对于企业或商业电子邮件账户，因为它能显著提高电子邮件的送达率，并增强电子邮件安全性，防止邮件被标记为垃圾邮件或伪造。

DKIM - 域名密钥识别邮件

DKIM 是一种身份验证方法，它使用公钥/私钥的电子邮件加密来验证邮件是否来自被发送域的管理员认可和配置的授权服务器。此身份验证方法能够实现安全的电子邮件通信，并防止垃圾邮件的发送。

目录
为什么要配置 DKIM？
电子邮件欺骗
电子邮件反弹
DKIM 的工作原理
DKIM 选择器
添加 DKIM 签名的步骤
在 Zoho Mail 中生成 DKIM 密钥值
在您域名的 DNS 提供商处创建并发布 TXT 记录
在 Zoho Mail 中验证并启用 DKIM
多个 DKIM 选择器
基于用户的 DKIM 选择器
SPF/DKIM 问题的故障排除

为什么要配置 DKIM？垃圾邮件发送者通常会发送看似来自真实邮件发件人的邮件。这些邮件通常是为了让收件人查看，或以合法发件人的名义从收件人那里收集敏感信息（如密码、电子邮件地址等）。垃圾邮件发送者常用的两种方法包括电子邮件欺骗和邮件反弹。
电子邮件欺骗（Email Spoofing）：电子邮件欺骗是一种垃圾邮件发送者用来伪装邮件的方法，使邮件看似来自一个合法的域名或电子邮件地址，而实际上并不属于他们。这是通过伪造电子邮件头部来实现的，目的是让收件人相信并打开这些邮件。垃圾邮件发送者采用这种方式，因为发件人看起来可信，更多人会查看邮件。然而，如果他们试图获取用户的敏感信息，可能会带来严重后果。通过配置 SPF 和 DKIM，可以检测并避免欺骗邮件。如果 DKIM 已配置，则可以验证每条消息关联的域名身份。如果 DKIM 验证失败，系统会根据您设置的条件，将此类邮件隔离或拒绝。
邮件回溯（Email Backscattering）：垃圾邮件发送者伪装域名并使用篡改后的邮件地址发送邮件。如果收件人域名拒收该邮件，它将发送退信给被伪造的域名。用户收到的这些退信，称为邮件反弹（邮件回溯），即用户从未发送过的邮件退信。例如，如果垃圾邮件发送者伪造了您的电子邮件地址并向另一个域名发送垃圾邮件，当这些垃圾邮件被发送到无效的电子邮件地址时，收件人域名将退信给被伪造的域名，而不是发送给垃圾邮件发送者。这样，伪造的域名不仅会收到退信，还可能被收件人域名屏蔽。如果配置了 DKIM，您的域名的真实性可以得到验证，避免域名被阻止。如果您收到了这些垃圾邮件，DKIM 也能帮助检测邮件的真实性，非真实的邮件将不会投递到您的邮箱。
电子邮件欺骗和邮件回溯是垃圾邮件发送者常用的两种手段，配置 SPF 和 DKIM 可以在一定程度上防止这些问题。

注解：这个翻译问题。"邮件反弹" 不是 "backscattering" 的最佳翻译。Backscattering 通常被翻译为**“邮件回溯”或“邮件反向散射”**。它指的是垃圾邮件发送者伪造发件人的地址，当目标服务器无法投递邮件时，将退信发送到伪造的发件人邮箱，而这些退信其实并不是伪造发件人发送的邮件。因此，"邮件回溯" 或 "邮件反向散射" 更能准确描述 backscattering 的情况。

DKIM 如何工作
在 DKIM 过程中，域名的 DNS 管理器（域名注册商或 DNS 提供商）会将一个公钥发布为 TXT 记录。每封发出的邮件都会使用该域名的私钥生成一个唯一的签名。接收邮件的服务器使用这对私钥和公钥来验证邮件来源。如果验证失败，接收方服务器可能会拒绝邮件，或者根据服务器的行为，将邮件归类为垃圾邮件或伪造邮件。
启用并使用 DKIM 后，确保通过 Zoho 发送的合法邮件不会在接收端被归类为垃圾邮件。
DKIM 选择器
选择器用于识别域名的公钥 DKIM 详细信息。它是 DKIM 签名的一个属性，并包含在邮件的 DKIM 头部中。对于单个域名，您可以使用多个选择器，以便为不同用户组提供特殊的签名控制。
一旦添加并验证选择器后，您需要将其设为默认，并为域名启用它。启用后，所有基于该域名发出的邮件都将由默认选择器签名，除非某些用户在用户部分中被分配了不同的选择器。
为域名添加 DKIM 签名的步骤：
您可以通过 Zoho Mail 的控制面板为域名启用 DKIM，步骤如下：

• 在 Zoho Mail 中使用默认选择器生成唯一的公钥值。
• 在域名的 DNS 管理器（域名注册商/DNS 提供商）中创建一个 TXT 记录。
• 验证选择器并在 Zoho Mail 中启用 DKIM。
  

I. 在 Zoho Mail 生成唯一域密钥的步骤：

• 以管理员或超级管理员身份登录到 Zoho Mail 控制面板。
• 从左侧菜单中选择 Domains，然后选择您想配置 DKIM 的域名。
• 在 Email Configuration（电子邮件配置）选项卡中，选择 DKIM。
• 点击 Add，为该域名添加新的选择器。
• 提供该域名的选择器名称，例如：zoho。
• 点击 Add。选择器会被添加，并在已添加的选择器旁边生成并显示一个 TXT 记录。
• 复制 TXT value 字段中的文本。
• 在点击 Verify（验证）之前，您需要在 DNS 管理器中用该值创建一个 TXT 记录。
  

II. 在 DNS 管理器中创建 TXT 记录的步骤：

• 登录到您的域名的 DNS 管理器，确保您的域名服务器指向该管理器。
• 在 DNS 中创建一个 TXT 记录，标题格式为：<selector>._domainkey.<yourdomainname.com>。
  
  • 例如，如果选择器名称为 zoho，域名为 zylker.org，那么 TXT 记录名称应为：zoho._domainkey.zylker.org。将这些字段替换为您的自定义值（不包括尖括号）。
    
• 如果您的 DNS 托管在 GoDaddy、WIX、Squarespace、Namecheap 等，您可以将 TXT 记录的名称提供为 zoho._domainkey，因为这些提供商会自动添加域名。
• 在 TXT 记录的值中，粘贴您从 Zoho 中 TXT Record Value 文本字段复制的全部内容。
• 在 DNS 管理器中保存该 TXT 记录。
• 您可以使用 [url=]DKIM 检查工具[/url] 检查 DKIM 的有效性。
  

注意：

• 创建 TXT 记录的过程取决于您使用的 DNS 提供商或管理器。
• 某些 DNS 提供商会自动附加域名。在这些情况下，您只需将 <selector>._domainkey 提供为 TXT 记录的名称。
• 某些 DNS 提供商可能要求创建子域，而不是 TXT 记录。
  

在 GoDaddy 域名管理器中添加 TXT 记录的步骤：

• 登录到您的 GoDaddy DNS 管理器。
• 选择 My Account（我的账户）菜单，然后选择 Domains（域名）。
• 展开 Domains，并点击您想要验证的域名旁边的 Manage DNS 按钮。
• 将打开 DNS Manager（DNS 管理器）页面，页面上会显示现有的 DNS 记录信息。
• 向下滚动到 Records（记录）部分，点击 Add 按钮以添加新的 DNS 记录。
• 在 Record Type（记录类型）下拉菜单中，选择 TXT。
• 在 Host 字段中输入：<selector>._domainkey（例如，zoho._domainkey）。
• 在 TXT Value 字段中，输入在 Zoho Mail 控制面板中生成的 TXT Record value。
• 保存此记录，等待 DNS 更改生效。
  

通过这些步骤，您可以在 GoDaddy 的 DNS 管理器中成功添加 TXT 记录，以进行 DKIM 验证。

III. 启用 DKIM 为域名签署电子邮件

• 如果在第三方网站上的 DKIM 验证 成功，请登录到 Zoho Mail 控制面板。
• 点击特定选择器旁边的 Verify 按钮。此时 TXT 记录将被修改为已验证状态。
• 验证成功后，系统会提示您立即启用 DKIM 或稍后启用。建议立即启用 DKIM，以开始为从您域名发出的电子邮件签署 DKIM 签名。
• 一旦启用，DKIM 签名将自动添加到所有从该域名生成的电子邮件中。
  

---

多个 DKIM 选择器的配置：
您可以为同一个域名配置多个 DKIM 选择器，针对不同地点的办公室或不同用户组，提供独立的 DKIM 签名。
示例：

• ukoffice._domainkey.zylker.com
• usoffice._domainkey.zylker.com
• hrteam._domainkey.zylker.com
• marketing._domainkey.zylker.com
  

通过这种方式，您可以为不同的用户组或不同办公地点设置专属的 DKIM 密钥。

---

基于用户的域选择器：
当您设置了多个 DKIM 选择器后，您可以根据需要将不同的选择器分配给不同的用户组。默认选择器会自动应用于所有用户，因此不会显示在下拉列表中。当添加了额外的选择器后，您可以从用户列表部分为特定用户组分配选择器。

排查 SPF/DKIM 问题

• 较长的 TTL 值：
  
  • TTL（生存时间）是 DNS 中指定的每次 DNS 更改生效所需的时间。如果 TTL 值较大（例如 24 小时或 48 小时），则 TXT/SPF 记录可能需要较长时间传播。通常，基于设置的 TTL，DNS 更改可能需要 12 到 24 小时才能生效。
    
• 不正确的值：
  
  • 不同 DNS 提供商对 SPF 记录的添加方式可能有所不同。因此，建议查看您注册商的帮助页面或说明手册，或联系 DNS 提供商的支持团队，确保正确添加 SPF/DKIM 记录。
    
• 拼写错误或错别字：
  
  • 检查是否正确复制了 Zoho 设置页面中的信息。对于 DKIM，您需要复制显示的整个密钥，并将其作为 TXT 记录的值。TXT 记录名称应遵循建议的命名约定。
    
• 注意事项：
  
  • 任何中间传递电子邮件的服务器对电子邮件内容的更改，可能会修改签名，使 DKIM 在收件人端验证时无效。
  • 当前，DKIM 仅支持在 Zoho 生成并直接发送到外部服务器的电子邮件。对于配置了邮件路由和外发网关的域名（邮件未直接发送或由其他服务器生成的邮件），DKIM 不受支持。
    

英语原文

DKIM - DomainKeys Identified Mail

DKIM is an authentication method, which uses email encryption with public/ private keys, to validate whether the emails are generated from the authorized servers, recognized and configured by the administrators of the sending domains. This authentication method enables secure email communication and prevents spam.

Table of Contents

• Why configure DKIM?
  
  • Email Spoofing
  • Email Backscattering
    
• How DKIM Works
• DKIM Selector
• Steps to add DKIM Signature
  
  • Generate DKIM Key value in Zoho Mail
  • Create and publish the TXT Record in DNS Provider of your domain
  • Validate and Enable DKIM in Zoho Mail
    
• Multiple DKIM Selectors
• User-Based DKIM Selectors
• Troubleshoot SPF/ DKIM Problems
  

Why configure DKIM?

Spammers often send out emails that claim to be from authentic email senders. These emails are mostly sent with the intent to make the recipients view the email, or sometimes to collect sensitive information (passwords, email addresses etc.) from the recipients under the pretext of being a legitimate sender. Two methods that are commonly used by spammers include email spoofing and backscattering.

Email Spoofing:

Email spoofing is a cheating method used by spammers to make emails appear to be sent from a legitimate domain/ email address, that does not belong to them. This is done by forging the email headers, to make it seem legit so that the recipients trust and open the emails.

Spammers follow this approach as it makes more people view the email since the sender appears to be authentic. But, sometimes, it may pose serious consequences if they try to retrieve sensitive information from the user. Spoofed emails can be detected and avoided by configuring SPF and DKIM. If DKIM is configured, the domain name identity associated with each message is validated.

If this DKIM validation fails, such emails are quarantined or rejected based on the conditions set by you when DKIM validation fails.

Email Backscattering:

Spammers spoof a domain name and send emails using the tampered email address. If the recipient domain rejects the email, it will send bounce messages to the domain that was spoofed. Such bounce messages which a user receives for emails that they never sent are called Email Backscatter.

Consider a case where a spammer has spoofed your email address and sent spam emails to another domain. When these spam emails are sent to invalid email addresses, the recipient domain sends a bounce message to the spoofed domain. This bounce message, instead of being sent to the spammer will be sent to the spoofed domain from which the user is claiming to send the email. The spoofed domain will also be blocked by the recipient domain. If DKIM is configured, the authenticity of your domain can be validated and your domain blocking can be avoided. In case you're on the receiving end of these spam emails, DKIM can help detect the authenticity of the emails, and those emails that are not genuine will not be delivered to your mailbox.

Email spoofing and backscattering, two methods that are commonly used by spammers, can be prevented to a certain extent by configuring SPF and DKIM for your domain.

​How DKIM Works

In the DKIM process, a public key is published as a TXT record for the domain's DNS Manager(registrar of the domain or DNS Provider). Every outgoing email includes a unique signature generated using the private key for the particular domain. The receiving email server uses this private-public key combination to validate the email source. If there is a validation failure, the recipient server may reject the email or classify it as Spam/ Forged email, based on the server behavior.

Enabling and using DKIM for your domain, ensures that valid emails sent using Zoho, are not classified as Spam at the recipient end.

​DKIM Selector

The selector is used to identify the public DKIM Key details of the Domain. It is an attribute for the DKIM Signature and is included in the DKIM header of the email. You can use multiple selectors for a single domain in cases where you need to provide Special Signatory Controls for different sets of users.

Once you have added a selector and verified the selector, you need to make it as default and enable it for the domain. Once enabled, all the outgoing emails based on the domain will be signed by the default selector, unless the users have been associated with a different selector in the Users section.

Steps to add DKIM Signature for your Domain:

You can enable DKIM for your domain from Zoho Mail's control panel, after creating the required text record in your domain's DNS manager. The DKIM configuration has three major steps:

• Generate unique public DKIM Key-value using a default selector in Zoho Mail.
• Create a TXT record in your Domain's DNS Manager (Domain registrar/ DNS Provider).
• Validate the selector and Enable DKIM in Zoho Mail.
  
  

I.Generate Unique Domain Key in Zoho Mail:

• Log in to the Control Panel from https://mailadmin.zoho.com as administrator or super administrator.
• Go to Domains from the left menu, and choose the domain for which you want to configure DKIM.
• In the Email Configuration tab, select DKIM
• Click on Add to add a new selector for the domain.
• Provide the selector name, for the domain to be used with Zoho Mail. Ex: zoho
• Click Add. The selector will be added and a TXT record will be generated and displayed across the added selector.
• You can copy the text in the TXT value field.
• You need to create a TXT record with this value in the DNS Manager before you click Verify.
  
  

II. Creating TXT Record in DNS Manager.

• Login to the domain's DNS Manager where your domain's name server is pointed.
• Create a TXT record in your DNS with the title as <selector>._domainkey.<yourdomainname.com>
  Ex: zoho._domainkey.zylker.org should be the name of the TXT record if the selector you choose is zoho and the domain name is zylker.org. Replace the text with your custom values without the brackets.
  If your DNS is hosted with GoDaddy/ WIX/ Squarespace/ Namecheap etc, provide the TXT record name as zoho._domainkey (These providers append the domain name automatically)
• In the TXT record value, paste the entire content you copied from the text field TXT Record Value in Zoho.
• Save the TXT record in the DNS Manager.
• You can check the validity of the DKIM using this DKIM checker.
  
  

Note:

The process to create a TXT record varies based on the DNS Provider/ Manager you use.

Some DNS providers (like GoDaddy, Wix, Squarespace, Namecheap, etc) append the domain name automatically. In such cases, you can just provide <selector>._domainkey as the TXT record name.

Certain DNS providers expect the subdomain to be created instead of a TXT record.

Steps to add TXT record in GoDaddy domain manager:

• Log in to your GoDaddy DNS Manager. Select the My Account menu and choose Domains.
• Expand Domains and click the Manage DNS button for the domain you want to verify.
• The DNS Manager page will open with information about existing DNS records.
• Scroll down to the Records section and click the Add button to add a DNS record.
• Select TXT from the Record Type drop-down menu.
• In the Host field, enter <selector>._domainkey
• In the TXT Value field, enter the TXT Record value generated in your Zoho Mail control panel.
  
• Click Finish.
  
  

III. Enabling DKIM for the domain

• If the Validation of the DKIM is successful on the third-party site, log in to Zoho Mail Control Panel.
• Click Verify across the particular selector. The text record will be modified to the verified state.
• Once verified, you will see a prompt to Enable DKIM immediately or later. You can enable DKIM immediately to start signing DKIM signatures for the emails from your domain.
• Once you enable, the DKIM signatures will be added to all the emails generated from the domain.
  
  

Multiple DKIM Selectors:

You can use multiple selectors for a single domain to provide separate DKIM signatures for multiple offices in different locations or provide separate DKIM signatures for a set of accounts.

Example:

• ukoffice._domainkey.zylker.com
• usoffice._domainkey.zylker.com
• hrteam._domainkey.zylker.com
• marketing._domainkey.zylker.com
  
  

You can add more selectors for specific DKIM keys for different sets of users or for different locations of offices.

User-based Domain Selectors:

When you have multiple selectors, you can associate the different sets of users with the selectors based on your requirements. The default selector is automatically applied for all users and hence it will not be listed in the drop-down.

Once you add an additional selector, you can associate for a specific set of users from the User List section.

Troubleshoot SPF/ DKIM ProblemsLonger TTL

TTL (Time To Live) is the time specified in your DNS for each change in your DNS to be effective. If you have a huge TTL value (24 hrs/ 48 hrs), then the TXT/ SPF Records might take a while to get propagated. It might take up to 12 - 24 hours for DNS changes to take effect, based on the TTL set.

Incorrect Values

The way the SPF records need to be added often varies with different DNS Providers.  Hence it is recommended to check the help pages or instruction manuals of your registrar or reach out to the support team of your DNS provider, to add the respective SPF/ DKIM records.

Typos/ Spelling Mistakes

Check if you have copy-pasted the correct information from Zoho Setup pages. In the case of DKIM, you need to copy the entire key displayed and provide it as a value of the TXT Record. The TXT Record name should follow the suggested naming conventions

Note:

Any alterations to the email content by the email servers which transit the emails in-between, might alter the signature and make the DKIM as invalid during verification at the recipient end.
Currently, the DKIM is supported only for emails generated in Zoho and directly delivered to external servers. For domains configured with Email Routing and Outbound Gateways, where the emails are not directly delivered or emails generated from other servers, DKIM is not supported.

https://www.zoho.com/mail/help/a ... -configuration.html