EDIT: Now with a production-ready implementation I talk about more here.
On Tuesday I wrote about using DNS wildcards to implement customer-specific subdomains for email authentication.
As I said then, that approach isn’t perfect. You’d much prefer to have per-customer domain authentication, where each customer has their own DKIM d= and ideally their own SPF records, rather than having all customers sharing those records and relying on loose DMARC alignment to have them to work with a per-customer subdomain in the 5322 From: header.
But doing that with DNS wildcards would have some odd side effects, such as TXT records appearing where they weren’t expected, in ways that could trigger bugs in rarely tested code paths at mailbox providers and potentially even open up security problems.
I mentioned using a “stunt” DNS server would be one option to do that, and then quite a few people asked me what I meant by that. A stunt DNS server is one that doesn’t necessarily behave like a normal DNS server, rather it has special behaviour to provide a particular service. Geo load balancers that return different answers depending on the user asking a DNS question, so as to point them at a server that’s close to them would be one common example.
For customer-specific subdomains at scale I want a DNS server that will accept queries for customer-specific authentication records and synthesize appropriate DNS replies for those, without you needing to generate static DNS records for your hundreds of thousands of small customers.
What would our ideal for authenticating small customers for our ESP, SausageMail, look like?
We’d want to use a customer-specific subdomain in the 5322 From: header. We’d want per-customer authentication, which would mean a customer-specific return path, with a matching SPF text records, and customer specific DKIM public keys to allow DKIM signing with a customers subdomain in the d= field. And we’d like to do this in a way that doesn’t require us to modify thousands of records any time we want to add a new IP to our pool of MTAs or we want to rotate our DKIM keys.
So, for our customer “snufkin”, we’d want to have:
- From: “Snufkin the Cat, Esq.” <snufkin@snufkin.sausagemail.com>
- Return-Path: bounces@bounces.snufkin.sausagemail.com
- DKIM-Signature: … s=k1; d=snufkin.sausagemail.com
The message generation and DKIM signing for that is probably simple to do – it’s just inserting a customer name in some templated headers. But what DNS would we need?
; For replies to the email address in the From: snufkin.sausagemail.com MX 10 replies.sausagemail.com ; For the return path, bounce handling and SPF bounces.snufkin.sausagemail.com MX 10 bounces.sausagemail.com bounces.snufkin.sausagemail.com TXT "v=spf1 include:_spf.sausagemail.com" ; DKIM public keys k1._domainkey.snufkin.sausagemail.com CNAME k1._dkim.sausagemail.com k2._domainkey.snufkin.sausagemail.com CNAME k2._dkim.sausagemail.com ; And DMARC _dmarc.snufkin.sausagemail.com TXT "v=DMARC1 p=none rua=..."
This gives us unique authentication domains for each customer, DMARC-aligned with the from address and shouldn’t require too much maintenance. Now we just need to stamp those records out a few hundred thousand times.
When I’m building stunt DNS servers (we have several as part of our onboarding infrastructure for clients, so that we can easily route their sample email streams into our databases, and monitor everything about their mail delivery, including DNS traffic) I usually write a dedicated app that serves DNS directly. But many off the shelf DNS servers support scripting and plugins to do the same sort of thing, so I wrote a simple backend for PowerDNS that’ll generate templated DNS responses in the way we need.
That backend is regexdns – boringly named because it serves DNS based on regular expressions. (You can grab the source and binaries from github to play with if you’d find it interesting / useful.)
It’s configured with something that looks sort of like a regular DNS zone file, but with some added patterns to match things in the request and return them in the response.
sausagemail.com 3600 IN SOA ns1.sausagemail.com steve.blighty.com. 2023102014 10800 3600 2592000 600
; Our actual bounce handler and reply handler
bounces.sausagemail.com 3600 IN A 10.11.12.13
replies.sausagemail.com 3600 IN A 10.11.12.14
; Our DKIM public key
k1._dkim.sausagemail.com 3600 IN TXT "v=DKIM1; k=RSA; p=key-goes-here"
k2._dkim.sausagemail.com 3600 IN TXT "v=DKIM1; k=RSA; p=other-key-goes-here"
; Our SPF stuff
_spf.sausagemail.com 3600 IN TXT "v=spf1 ip4:10.11.12.10 ~all"
; Per-customer generation
; DKIM public keys
(?P<selector>[^.]+)\._domainkey\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN CNAME ${selector}._dkim.sausagemail.com
; Return path, point to bounce handler
bounces\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN MX 10 bounces.sausagemail.com
; SPF
bounces\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN TXT "v=spf1 include:_spf.sausagemail.com"
; The domain in the From: header, for replies
(?P<customer>[^.]+)\.sausagemail\.com 3600 IN MX 10 replies.sausagemail.com
; And DMARC, because why not?
_dmarc\.(?P<customer>[^.]+)\.sausagemail\.com 3600 IN TXT "v=DMARC1 p=none rua=rua+${customer}@sausagemail.com"Code language: PHP (php)(If it’s tricky to read in the blog embed you can see the actual configuration file here.)
On the left hand side of each line the incantation (?P<customer>[^.]+) means “in an incoming DNS query there should be one component of a hostname here, let’s call it ‘customer’“, while on the right hand side ${customer} means “replace this with the customer name you just got, and send it as the DNS reply”.
This is all up and running live, at least when this post was written, so you can see what the DKIM public keys for snufkin look like:
k1._domainkey.snufkin.sausagemail.com TXT
Or his SPF records:
bounces.snufkin.sausagemail.com TXT
Or the DMARC records for toffle:
_dmarc.toffle.sausagemail.com TXT
This is a fairly general purpose approach any time you need to stamp out a lot of similar DNS records.
RSS - Posts