How does email work?

First, you use a mail user agent, or MUA, to read and send email from your device (for example Gmail in a browser, or the Mail app on Apple devices). These programs are only active while you're using them.

Generally, they communicate with a mail transfer agent, or MTA (also known as a mail server, MX host, or mail exchanger), which accepts mail from your MUA and relays it toward the recipient's domain, and which accepts and stores incoming mail for its own domain.

Emails are stored on the server until you open your MUA to check your email. Final delivery into a mailbox is done by a mail delivery agent (MDA), which is generally packaged with the MTA.

Mail is sent to a mail server, and passed from server to server, using SMTP, the Simple Mail Transfer Protocol. SMTP is the communication protocol for transferring email, and it has been since the early days of the internet.

Even now, while many proprietary systems like Microsoft Exchange and webmail services like Gmail use their own protocols internally, they use SMTP to transfer messages outside their systems (for example, when a Gmail user sends an email to an Outlook.com user).

Mail would then be downloaded from the server using the Post Office Protocol (POP3). POP3 is an application-layer protocol that lets a user's mail client reach a mailbox on a mail server over an IP network. It can connect, retrieve messages, store them on the client's computer, and either delete them from the server or leave them there.

It was designed to cope with intermittent internet connections, such as dial-up: the client connected, retrieved the mail, and let you read the messages offline. This was more popular when dial-up access was widespread.

Now IMAP, the Internet Message Access Protocol, has mostly replaced POP3. IMAP keeps the messages and folder structure on the server, so multiple clients can manage the same mailbox (you can read your email from your desktop, laptop, and phone, and all of your messages will be there, organized in the same way).

Eventually, webmail replaced both for many users. Webmail lets you log in to a website and read your messages from anywhere on any device (yay!), but you need to be connected to the internet while using it. If the website (like Gmail) is your MUA, you don't need to know any SMTP or IMAP server settings; the provider still speaks SMTP to other mail systems on your behalf.

How is email secured?

Unfortunately, security wasn't really built into mail protocols from the beginning (like most early internet protocols). Servers simply accepted any message from anyone and passed it along to any other server that could help route the message to its final destination (the recipient's mailbox).

Unsurprisingly, this became an issue when the internet expanded from a few government and research groups into something most of the world uses to do essentially everything. Pretty soon spam and phishing emails became (and remain) a huge problem for everyone.

In response, we've collectively tried to implement several measures that prevent people from reading others' messages (encryption) and that validate that messages actually came from the purported sender (authentication).

Most mail systems use TLS (Transport Layer Security, the replacement for SSL, Secure Sockets Layer), a cryptographic protocol that provides encryption in transit. It protects the message while it is being transmitted between two systems, but not while the data is at rest (for example, stored on your computer or on the mail server).

This ensures that a message isn't snooped on or altered by a third party on the wire while it travels between two MTAs. However, TLS only protects each hop: it doesn't verify that the message wasn't modified somewhere along the trip, because every MTA that handles the message decrypts it and sees it in plaintext. (In SMTP, TLS is also usually opportunistic, negotiated with STARTTLS, so a relay that doesn't offer it, or an attacker on the path who strips the offer, simply gets the message in the clear unless the sender enforces TLS.)

For example, if the email goes through multiple mail servers before it reaches its final destination, TLS ensures it is encrypted between each pair of servers, but each server could alter the message content, and nothing stops a server from claiming that a message comes from a domain it doesn't control. To address that, we created SPF, DKIM, and DMARC: SPF says which servers may send for a domain, DKIM signs the message so tampering can be detected, and DMARC ties the two to the address the user sees and tells receivers what to do on failure.

SPF (Sender Policy Framework)

SPF allows the owner of a domain (like google.com) to publish a TXT record in its DNS that states which servers are allowed to send mail for that domain (for instructions on how to do this for a variety of hosting providers, check out this site).

How does this work?

This record lists the hosts that are allowed to send, typically by IP address (ip4: and ip6: ranges, or include: to pull in another domain's record, such as that of an email service provider), and it ends with an all mechanism whose qualifier sets the result for any host that didn't match:

-all = If the check fails (the source of the email is not one of the listed hosts) the result is Fail, often called a hard fail. Most mail systems will mark these messages as spam or reject them.

?all = If the check fails, the result is Neutral, which receivers treat much as if no record had been published. This is typically used for testing, not for production domains. (+all also exists and passes everything, which amounts to no policy at all.)

~all = If the check fails, the result is SoftFail. This means the message is suspicious but isn't necessarily known to be bad. Some mail systems will mark these messages as spam, but most will not on a SoftFail alone.

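Here is an evaluator for the record format just described, as an added example that is not code from the original article. It walks an SPF record term by term for a given connecting IP and returns the SPF result, with the qualifier on `all` deciding the outcome for anything that didn't match. The DNS zone is a constructed in-memory table standing in for real TXT lookups, and every domain and address in it is made up. The a, mx, ptr and exists mechanisms are left out; ip4, ip6, include and all are enough to show how the lookup chain and the qualifiers interact.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real records).
# A real implementation resolves the TXT record of the MAIL FROM (Return-Path) domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ~all",
    "testing.example": "v=spf1 ip4:203.0.113.5 ?all",
    "open.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) per check


def check_spf(domain, client_ip, zone=DNS_TXT, _lookups=None):
    """Evaluate the connecting IP against the SPF record of the envelope-sender domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Handles ip4, ip6, include and all; a, mx, ptr and exists are not part of this demo.
    """
    if _lookups is None:
        _lookups = [0]
    record = zone.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")

        if name == "all":
            return QUALIFIERS[qualifier]  # the trailing -all / ~all / ?all / +all
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(value, client_ip, zone, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # including a domain with no record is an error
            # fail / softfail / neutral inside the include mean "no match": keep scanning
        else:
            return "permerror"  # mechanism not supported by this demo
    return "neutral"  # a record with no terminating "all" ends in neutral


if __name__ == "__main__":
    # The forwarding problem in one line: a message with Return-Path @example.com relayed
    # by a forwarder at 203.0.113.9, an address example.com never listed, fails.
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::1", "203.0.113.9"):
        print(ip, "->", check_spf("example.com", ip))
```

The include: mechanism is the reason SPF records need maintenance: the result depends on whatever the included domain publishes today, and every include counts against the ten-lookup limit, after which the whole record evaluates to permerror.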
SPF records are helpful to the receiving servers themselves as they process messages: a server at the edge of a network can look up the sender's domain and check whether the connecting IP is in that domain's SPF record, and drop obvious spam before it even accepts the message. While this sounds great, unfortunately, there are a few major problems with SPF.

  1. SPF doesn't tell a mail server what to do with the message, meaning that a message can fail an SPF check and still be delivered.

  2. An SPF check isn't looking at the 'From:' address that the user sees; it's looking at the envelope sender, which ends up in the 'Return-Path' header. This is basically the equivalent of the return address you write on a letter: it tells the mail servers that handle the message where to send bounces (it is stored in the email headers, the technical information servers use to process email).

    That means a sender can put whatever they want into the From: address and it won't affect the SPF check, so a spoofed From: sails through SPF as long as the envelope sender's domain authorizes the sending server. SPF also involves no cryptography: it only compares the connecting IP against a DNS record, so anyone who can send from an authorized IP (for example, another customer of the same shared email service) passes.

  3. SPF records need to be kept constantly up to date, which can be difficult in large, ever-changing organizations.

  4. Forwarding breaks SPF. If an email from, say, google.com is forwarded by bob@bobsburgers.com, the envelope sender remains unchanged (the Return-Path still says google.com), but the message now arrives from bobsburgers.com's server. The receiving mail server sees a message claiming to be from google.com coming from a server that google.com's SPF record doesn't list, so it fails the SPF check (even though the mail really did originate at google.com).

For more reading on SPF check out these articles. You can check if a specific domain has SPF and DMARC records configured here.

DKIM (DomainKeys Identified Mail)

DKIM is similar to SPF in that it also uses a TXT record in the sending domain's DNS, but it authenticates the message itself. It provides verification that the signed parts of a message weren't altered in transit, and that a domain took responsibility for the message.

How does this work?

The sending domain generates a public/private key pair and publishes the public key in a DNS TXT record under a selector name (selector._domainkey.example.com), so a domain can have several keys in use and rotate them (if you don't know what a public/private key pair is, check out this article on cryptography).

Then, the domain's outbound mail servers (on the outer boundary, the servers which send mail outside of the domain, for example from gmail.com to outlook.com) use the private key to sign the message: the body is hashed, and the signature covers that body hash plus a chosen list of headers (such as From:, To:, Subject: and Date:). The list of signed headers, the selector, the signing domain and the signature itself are added to the message in a DKIM-Signature header.

Generating a signature means hashing the text and then signing the hash with the private key (RSA or Ed25519 in DKIM). This is a signature, not encryption: the content stays readable, and only its integrity and origin are protected (for more details on this process, check out this article).

Receiving mail servers use the selector and domain from the DKIM-Signature header to fetch the public key from DNS, recompute the hash of the body and of the headers listed in the signature, and verify the signature against it. Headers that aren't in the signed list (for example the Received: headers that each relay adds along the way) are not covered, so they can change without breaking the signature.

The server then checks that the body hash matches and that the signature verifies. If they do, the message is likely unaltered (unless someone has compromised the signer's private key) and was legitimately signed by the purported domain. If they do not, the message either was not from the purported sender, or it was altered by some other server in transit, or both.

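The signing and verification steps above, as an added example written for this page rather than taken from the article or from any mail software. It implements DKIM's structure (body hash in bh=, the h= list of signed headers, the DKIM-Signature header hashed with an empty b= tag, key lookup at selector._domainkey.domain) over a constructed message and an in-memory DNS table; the message, domains and selector are made up. The asymmetric primitive is a textbook-RSA toy so the example runs with only the standard library; real DKIM uses RSA-SHA256 with PKCS#1 padding or Ed25519, and a real record publishes the key as p=<base64>. The four cases at the end show what the signature does and does not cover: a Received: header added in transit is harmless, editing the Subject: or the body is caught.

```python
import base64
import hashlib
import re

# Toy asymmetric primitive: textbook RSA (no padding) from two well-known Mersenne primes,
# standing in for the RSA-SHA256 / Ed25519 signing real DKIM uses, so this runs with the
# standard library only. Never use this construction for real mail.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_BYTES = (N.bit_length() + 7) // 8

def rsa_sign(digest):
    return pow(int.from_bytes(digest, "big"), D, N).to_bytes(SIG_BYTES, "big")

def rsa_verify(digest, signature, e, n):
    return pow(int.from_bytes(signature, "big"), e, n) == int.from_bytes(digest, "big")

# Constructed DNS: receivers fetch <selector>._domainkey.<domain>. A real record carries
# p=<base64 DER public key>; the toy key is stored as its two integers.
DNS_TXT = {"s1._domainkey.example.com": {"v": "DKIM1", "k": "rsa", "e": E, "n": N}}
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # the h= list: what the signature covers

def canon_header(name, value):
    # "relaxed" header canonicalization: lowercase name, whitespace runs collapsed, trimmed
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"

def canon_body(body):
    # "simple" body canonicalization: CRLF line endings, trailing empty lines removed
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (re.sub(r"(\r\n)*$", "", body) + "\r\n").encode()

def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), "")

def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body)).digest()).decode()

def header_hash(headers, signed_names, dkim_value):
    # Signed headers in h= order, then the DKIM-Signature header itself with b= empty and
    # no trailing CRLF (RFC 6376 section 3.7). Anything not listed in h= is not covered.
    data = "".join(canon_header(h, get_header(headers, h)) for h in signed_names)
    data += canon_header("DKIM-Signature", dkim_value).rstrip("\r\n")
    return hashlib.sha256(data.encode()).digest()

def dkim_sign(headers, body, domain="example.com", selector="s1"):
    """Sending MTA: return the headers with a DKIM-Signature prepended."""
    tags = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    sig = base64.b64encode(rsa_sign(header_hash(headers, SIGNED_HEADERS, tags))).decode()
    return [("DKIM-Signature", tags + sig)] + list(headers)

def dkim_verify(headers, body, dns=DNS_TXT):
    """Receiving MTA: return 'pass', 'none', 'permerror' or 'fail (<reason>)'."""
    sig_header = get_header(headers, "DKIM-Signature")
    if not sig_header:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in sig_header.split(";") if "=" in t)
    key = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "permerror"  # selector not published (for example a rotated-out key)
    if tags["bh"] != body_hash(body):
        return "fail (body hash mismatch)"
    without_sig = re.sub(r"b=[^;]*$", "b=", sig_header)  # b= value is excluded from its own hash
    digest = header_hash(headers, tags["h"].split(":"), without_sig)
    if not rsa_verify(digest, base64.b64decode(tags["b"]), key["e"], key["n"]):
        return "fail (signature mismatch)"
    return "pass"

# Constructed sample message.
HEADERS = [("From", "Example Support <support@example.com>"), ("To", "alice@recipient.example"),
           ("Subject", "Your invoice"), ("Date", "Mon, 01 Jan 2024 10:00:00 +0000")]
BODY = "Hello Alice,\nPlease find your invoice attached.\n"

def run_demo():
    signed = dkim_sign(HEADERS, BODY)
    relayed = [("Received", "from mx1.example.com by mx.recipient.example")] + signed
    new_subject = [(n, "Your invoice is overdue" if n == "Subject" else v) for n, v in signed]
    return {
        "intact": dkim_verify(signed, BODY),
        "received_header_added": dkim_verify(relayed, BODY),  # unsigned header: still passes
        "subject_changed": dkim_verify(new_subject, BODY),    # signed header edited
        "body_changed": dkim_verify(signed, BODY + "Pay now at http://evil.example/\n"),
    }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:>22}: {result}")
```

Two design points carry over to real deployments: the verifier trusts whatever key sits at the selector in DNS, so the DNS record is the root of trust, and a message signed with a selector that has since been removed comes back as permerror rather than fail, which is why keys are rotated by publishing the new selector before retiring the old one.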
DKIM does a very good job at one very specific task: answering the question 'was this email signed by the domain it claims, and are the signed parts unaltered?'. However, that's all it does. It doesn't tell you how to deal with emails which fail this test, which server may have altered the message, or what alterations were made. An unsigned message isn't a DKIM failure either; it simply has no signature to check.

DKIM is also used by some ISPs, or Internet Service Providers, to determine the reputation of your domain (are you sending lots of spam? Do you have low engagement? How often do your emails bounce?).

For more reading on DKIM check out this article. You can validate a DKIM record here.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is essentially a set of instructions for receiving mail servers on how to act on the SPF and DKIM results. It doesn't authenticate messages itself, but it adds one check that SPF and DKIM lack, called alignment: the domain that passed SPF (the Return-Path domain) or DKIM (the d= tag in the signature) must match the domain in the From: address the user actually sees. That closes the gap described in SPF problem #2 above.

Participating mailbox providers look up the published DMARC record (a TXT record at _dmarc.yourdomain) and use it to decide what to do when the checks fail. A message passes DMARC if either aligned SPF or aligned DKIM passes, so a forwarded message whose SPF broke still passes on its DKIM signature. For example, a commonly spoofed brand might publish a DMARC record that says that if neither check passes, reject the message.

Often providers will also send reports on your domain's activity to you (aggregate reports to the address in the rua= tag, and optionally per-message failure reports to the ruf= address), with the source of the email and whether it passed or failed DKIM and SPF. This means that you'll get to see when people are spoofing (purporting to send from) your domain or altering your messages.

In order to implement DMARC, you need to create a DMARC record based on your needs, and most domains step up gradually: p=none only monitors, so you can discover all of your legitimate email sources from the reports; p=quarantine asks receivers to spam-folder failures; p=reject asks them to refuse any email that fails both aligned DKIM and aligned SPF. You can learn more about doing that here and here.

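The alignment and policy logic described above, as an added example that is not part of the original article. `dmarc_evaluate` takes the verdicts of separate SPF and DKIM checks, pulls the From: and Return-Path domains out of a message, and combines them with a DMARC record from a constructed DNS table; every domain, address and record here is made up. The public-suffix list is a tiny stand-in, and the sp= subdomain policy and pct= sampling tags are omitted. The scenarios include the forwarding case from the SPF section (SPF fails, aligned DKIM carries the message through) and the spoofed From: case (SPF passes for the attacker's own Return-Path domain but fails alignment).

```python
import email
from email.utils import parseaddr

# Constructed DNS zone and messages (example data, not real records).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.newsletter.example.net": "v=DMARC1; p=quarantine; aspf=s",
}
# Tiny stand-in for the Public Suffix List, used to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
DISPOSITIONS = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}


def org_domain(domain):
    """Organizational domain: the label just below the public suffix (mail.example.com -> example.com)."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def address_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def dmarc_evaluate(raw_message, spf_result, dkim_result, dkim_domain, dns=DNS_TXT):
    """Combine the SPF and DKIM verdicts with alignment against the visible From: domain.

    spf_result / dkim_result are the outputs of the separate SPF and DKIM checks.
    The SPF identity is the Return-Path (envelope sender) domain taken from the message;
    the DKIM identity is the d= domain of the verified signature.
    Returns (dmarc_result, disposition).
    """
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg["From"])                 # what the user sees
    return_path_domain = address_domain(msg["Return-Path"])   # what SPF actually checked
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return "none", "deliver (no DMARC policy)"
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(return_path_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    return "fail", DISPOSITIONS.get(tags.get("p", "none"), "deliver (monitor only)")


def message(from_addr, return_path):
    # Constructed sample message; Return-Path is what the receiving MTA records from MAIL FROM.
    return (f"Return-Path: <{return_path}>\nFrom: Example Support <{from_addr}>\n"
            f"To: alice@recipient.example\nSubject: Your invoice\n\nHello Alice\n")


def run_scenarios():
    return {
        # Everything lines up: mail sent by example.com's own servers.
        "legitimate": dmarc_evaluate(message("support@example.com", "bounces@example.com"),
                                     "pass", "pass", "example.com"),
        # Forwarded through another domain: SPF fails on the forwarder's IP, aligned DKIM still passes.
        "forwarded": dmarc_evaluate(message("support@example.com", "bounces@example.com"),
                                    "fail", "pass", "example.com"),
        # Spoof: the attacker's own Return-Path domain passes SPF but is not aligned with From:.
        "spoofed_from": dmarc_evaluate(message("support@example.com", "x@attacker.example"),
                                       "pass", "none", None),
        # A subdomain with no record of its own falls back to the org domain's relaxed policy.
        "subdomain_relaxed": dmarc_evaluate(message("alerts@mail.example.com", "bounces@example.com"),
                                            "pass", "none", None),
        # aspf=s: a bounce subdomain in Return-Path is not an exact match, and there is no DKIM.
        "strict_spf_mismatch": dmarc_evaluate(message("news@newsletter.example.net",
                                                      "b@bounce.newsletter.example.net"),
                                              "pass", "none", None),
    }


if __name__ == "__main__":
    for name, (result, action) in run_scenarios().items():
        print(f"{name:>20}: DMARC {result} -> {action}")
```

The strict_spf_mismatch scenario is the usual surprise when a domain tightens aspf or adkim: bulk-mail services commonly set the Return-Path to a bounce subdomain, which is fine under relaxed alignment and fails under strict, so check the aggregate reports before switching modes.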
For more reading on DMARC check out this article. You can check if a specific domain has SPF and DMARC records configured here.

Wrap up

None of these security measures are perfect, but together, they do a decent job of helping us to improve the security of email systems worldwide.

The more organizations that adopt these measures (either using open source implementations or paying for a product) the better off everyone will be. Security added on after a protocol or product is developed is usually more expensive, less effective, and harder to implement, than is security built into the product.

However, most of the protocols which the current internet relies upon were designed for the early internet - for a small group of enthusiasts, scientists, and government folks - not a worldwide network on which we run buildings, smart devices, public transit, nuclear plants(!), and so on.

Thus, as the internet has continued to expand, we need to continue to adapt and develop new ways to secure the systems we rely upon.

Translated from: https://www.freecodecamp.org/news/how-does-email-work/
