Customer subdomain authentication


EDIT: Now with a production-ready implementation I talk about more here.

On Tuesday I wrote about using DNS wildcards to implement customer-specific subdomains for email authentication.

As I said then, that approach isn’t perfect. You’d much prefer to have per-customer domain authentication, where each customer has their own DKIM d= and ideally their own SPF records, rather than having all customers sharing those records and relying on loose DMARC alignment to have them to work with a per-customer subdomain in the 5322 From: header.

But doing that with DNS wildcards would have some odd side effects, such as TXT records appearing where they weren’t expected, in ways that could trigger bugs in rarely tested code paths at mailbox providers and potentially even open up security problems.

I mentioned using a “stunt” DNS server would be one option to do that, and then quite a few people asked me what I meant by that. A stunt DNS server is one that doesn’t necessarily behave like a normal DNS server, rather it has special behaviour to provide a particular service. Geo load balancers that return different answers depending on the user asking a DNS question, so as to point them at a server that’s close to them would be one common example.

For customer-specific subdomains at scale I want a DNS server that will accept queries for customer-specific authentication records and synthesize appropriate DNS replies for those, without you needing to generate static DNS records for your hundreds of thousands of small customers.

What would our ideal for authenticating small customers for our ESP, SausageMail, look like?

We’d want to use a customer-specific subdomain in the 5322 From: header. We’d want per-customer authentication, which would mean a customer-specific return path, with a matching SPF text records, and customer specific DKIM public keys to allow DKIM signing with a customers subdomain in the d= field. And we’d like to do this in a way that doesn’t require us to modify thousands of records any time we want to add a new IP to our pool of MTAs or we want to rotate our DKIM keys.

So, for our customer “snufkin”, we’d want to have:

  • From: “Snufkin the Cat, Esq.” <>
  • Return-Path:
  • DKIM-Signature: … s=k1;

The message generation and DKIM signing for that is probably simple to do – it’s just inserting a customer name in some templated headers. But what DNS would we need?

; For replies to the email address in the From:         MX 10

; For the return path, bounce handling and SPF MX 10 TXT "v=spf1"

; DKIM public keys CNAME CNAME

; And DMARC TXT "v=DMARC1 p=none rua=..."

This gives us unique authentication domains for each customer, DMARC-aligned with the from address and shouldn’t require too much maintenance. Now we just need to stamp those records out a few hundred thousand times.

When I’m building stunt DNS servers (we have several as part of our onboarding infrastructure for clients, so that we can easily route their sample email streams into our databases, and monitor everything about their mail delivery, including DNS traffic) I usually write a dedicated app that serves DNS directly. But many off the shelf DNS servers support scripting and plugins to do the same sort of thing, so I wrote a simple backend for PowerDNS that’ll generate templated DNS responses in the way we need.

That backend is regexdns – boringly named because it serves DNS based on regular expressions. (You can grab the source and binaries from github to play with if you’d find it interesting / useful.)

It’s configured with something that looks sort of like a regular DNS zone file, but with some added patterns to match things in the request and return them in the response. 3600 IN SOA 2023102014 10800 3600 2592000 600

; Our actual bounce handler and reply handler 3600 IN A 3600 IN A

; Our DKIM public key    3600 IN TXT "v=DKIM1; k=RSA; p=key-goes-here"    3600 IN TXT "v=DKIM1; k=RSA; p=other-key-goes-here"

; Our SPF stuff 3600 IN TXT "v=spf1 ip4: ~all"

; Per-customer generation
; DKIM public keys
(?P<selector>[^.]+)\._domainkey\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN CNAME ${selector}

; Return path, point to bounce handler
bounces\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN MX 10

bounces\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN TXT "v=spf1"

; The domain in the From: header, for replies
(?P<customer>[^.]+)\.sausagemail\.com 3600 IN MX 10

; And DMARC, because why not?
_dmarc\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN TXT "v=DMARC1 p=none rua=rua+${customer}"Code language: PHP (php)

(If it’s tricky to read in the blog embed you can see the actual configuration file here.)

On the left hand side of each line the incantation (?P<customer>[^.]+) means “in an incoming DNS query there should be one component of a hostname here, let’s call it ‘customer’“, while on the right hand side ${customer} means “replace this with the customer name you just got, and send it as the DNS reply”.

This is all up and running live, at least when this post was written, so you can see what the DKIM public keys for snufkin look like: TXT

Or his SPF records: TXT

Or the DMARC records for toffle: TXT

This is a fairly general purpose approach any time you need to stamp out a lot of similar DNS records.

About the author

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By steve

Recent Posts


Follow Us