SAAS: tooling to validate SPF, DKIM and DMARC record #1977
Description
Why: prevent customer from sending invalid mails in our name.
We revalidate before sending any email remotly.
How:
<mailet notmatch="HasDmarcRecord=p=quarantine" class"..."\>
<mailet notmatch="HasDKIMRecord=s1=\"v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSPh6V9i9BYlhrqBT428R4RFkd4RgpKn/VtdZjZ+ZHnFvVofP2CtIcsfXLOL8KzcbeRw8a0uJ73v4MI7czcalN1vnilfLRO1rkQps/gtH/R2yI3y6CZLsLA5AQYbw\" \"N84uP5SVDj9SDdTy/eNyF7ZrjIdlBQiJekbaYoLe+LvBKnwIDAQAB\" class"..."\>
<mailet notmatch="AllowsSPF=ip4:109.197.176.0/21 ip4:54.36.8.0/24" class"..."\>
Where s1 is the dkim selector.
For SPF we accept extra entries but the minimum address ranges need to be tolerated.
Wil allow configuring bounces directly in TWP for SaaS. That way we enforce never to send email with invalid SPF / DKIM.