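Introduction
This document describes how to use dig/nslookup to query the SPF, DKIM and DMARC records of a domain on the Email Security Appliance (ESA) and Cloud Email Security (CES).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- ESA on Async OS 10.0 or later
- Administrative access to the appliance
Components Used
The information in this document is based on all supported ESA hardware models and virtual appliances on Async OS 10.0 or later.
To verify the version of the appliance from the CLI, enter the version command. In the GUI, navigate to Monitor > System Status.
Both the nslookup and dig commands are supported on current ESA/CES Async OS versions. These commands can be run through SSH/CLI access to the appliance.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The output examples provided are for the domains cisco.com and gmail.com; similar commands can be used for other domains.
SPF
SPF queries can be run in the following format:
Note: Replace the word domain with the respective domain you want to query.
For domains that have published multiple TXT records, nslookup might not list the SPF record. In such cases, dig must be used instead.
The output examples here show this for cisco.com.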
(Machine lab.esa.com)> nslookup cisco.com txt
TXT="google-site-verification=qPS9ZkoQ-Og1rBrM1_N7z-tNJNy2BVxE8lw6SB2iFdk"
TTL=21m 8s
(Machine lab.esa.com)> dig cisco.com txt
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.11.2 <<>> cisco.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20648
;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cisco.com. IN TXT
;; ANSWER SECTION:
cisco.com. 1782 IN TXT "fastly-domain-delegation-w049tcm0w48ds-341317-20210209"
cisco.com. 1782 IN TXT "v=spf1 redirect=spfa._spf.cisco.com"
cisco.com. 1782 IN TXT "MS=ms35724259"
cisco.com. 1782 IN TXT "amazonses:QbUv5pPHGQxRy1vKA0J7Y/biE9oR6MTxOTI1bZIfjsw="
cisco.com. 1782 IN TXT "fastly-domain-delegation-e9a758d22183504af2d5ab4d9a9853da-20210127"
cisco.com. 1782 IN TXT "QuoVadis=94d4ae74-ecd5-4a33-975e-a0d7f546c801"
cisco.com. 1782 IN TXT "atlassian-domain-verification=672RcADvt8BPqsb9gCN2ZC5DoTAhUT8abC1blYKQxi/MHMaGoA/BuvjFMaWRtgd7"
cisco.com. 1782 IN TXT "google-site-verification=9MlQU9MMQ1jHLMUkONKe6QzZ-ZIGRv0BCD1_rY1Zdmc"
cisco.com. 1782 IN TXT "SFMC-o7HX74BQ79k7glpt_qjlF2vmZO9DpqLtYxKLwg87"
cisco.com. 1782 IN TXT "926723159-3188410"
cisco.com. 1782 IN TXT "docusign=95052c5f-a421-4594-9227-02ad2d86dfbe"
cisco.com. 1782 IN TXT "amazonses:7LyiKZmpuGja4+KbA4xX3lN69yajYKLkHH4QJcWnuwo="
cisco.com. 1782 IN TXT "google-site-verification=qPS9ZkoQ-Og1rBrM1_N7z-tNJNy2BVxE8lw6SB2iFdk"
cisco.com. 1782 IN TXT "zpSH7Ye/seyY61hH8+Rq5Kb+ZJ9hDa+qeFBaD/6sPAAg+2POkGdP0byHb1pFVK9uZgYF2AIosUSZq4MB17oydQ=="
cisco.com. 1782 IN TXT "duo_sso_verification=AxenLdoqIXzjl2RJzE1BlOfkawDbDFlnbyvjAt8vcjKHBkvYwEMySDRk5QmBd66v"
cisco.com. 1782 IN TXT "facebook-domain-verification=1zoxo8z7t013gpruxmhc8dkerq47vh"
cisco.com. 1782 IN TXT "google-site-verification=lW5eqPMJI4VrLc28YW-JBkqA-FDNVnhFCXQVDvFqZTo"
cisco.com. 1782 IN TXT "facebook-domain-verification=qr2nigspzrpa96j1nd9criovuuwino"
cisco.com. 1782 IN TXT "apple-domain-verification=qOInipPgso3W8cmK"
cisco.com. 1782 IN TXT "identrust_validate=JnSSfW+y58dEQju6mVBe8lu1MGFepXI50P27OE1ZZQmL"
cisco.com. 1782 IN TXT "onetrust-domain-verification=20345dd0c33946f299f14c1498b41f67"
cisco.com. 1782 IN TXT "mixpanel-domain-verify=2c6cb1aa-a3fb-44b9-ad10-d6b744109963"
cisco.com. 1782 IN TXT "identrust_validate=Wns4/AOM0Ij2kQCQhzvNbMcoBzxItOa+44O7KF06lIp3"
cisco.com. 1782 IN TXT "docusign=5e18de8e-36d0-4a8e-8e88-b7803423fa2f"
cisco.com. 1782 IN TXT "amazonses:mX+ylQj+fJAfh9pr03yIR7YvjKZ1bOo5ABegqM/5pvI="
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:03:28 GMT 2021
;; MSG SIZE rcvd: 1756
(Machine lab.esa.com)> nslookup gmail.com txt
TXT="v=spf1 redirect=_spf.google.com"
TTL=30m
(Machine lab.esa.com)> dig gmail.com txt
; <<>> DiG 9.11.2 <<>> gmail.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14807
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;gmail.com. IN TXT
;; ANSWER SECTION:
gmail.com. 1800 IN TXT "v=spf1 redirect=_spf.google.com"
gmail.com. 1800 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
;; Query time: 85 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:05:38 GMT 2021
;; MSG SIZE rcvd: 148
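When a domain publishes many TXT records, as cisco.com does above, the SPF record has to be picked out of the dig answer. The following Python sketch is an added example, not part of the original document or of any Cisco tooling: it parses dig-style ANSWER lines, joins split character-strings, and selects the single v=spf1 record. The function names and the split.example record are assumptions made for illustration.

```python
import re

# Constructed sample in the format dig prints above: three cisco.com records
# taken from this page, plus a made-up record split into two quoted strings.
DIG_ANSWER = '''\
;; ANSWER SECTION:
cisco.com. 1782 IN TXT "MS=ms35724259"
cisco.com. 1782 IN TXT "v=spf1 redirect=spfa._spf.cisco.com"
cisco.com. 1782 IN TXT "apple-domain-verification=qOInipPgso3W8cmK"
split.example. 300 IN TXT "v=spf1 ip4:192.0.2.0/24 " "-all"
'''

def txt_records(dig_output, owner):
    """Return the TXT data dig printed for `owner`, one string per record."""
    records = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # dig comment and header lines
        fields = line.split(None, 4)  # name, TTL, class, type, rdata
        if len(fields) < 5 or fields[3].upper() != "TXT":
            continue
        if fields[0].rstrip(".").lower() != owner.rstrip(".").lower():
            continue
        # One TXT record may hold several quoted character-strings; they are
        # concatenated with no separator before the record is interpreted.
        records.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', fields[4])))
    return records

def spf_record(records):
    """Pick the single SPF record; zero or several is reported, not guessed."""
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) != 1:
        # RFC 7208 treats more than one v=spf1 record as a permanent error.
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]

def redirect_target(spf):
    """Return the domain named by a redirect= modifier, or None."""
    for term in spf.split()[1:]:
        if term.lower().startswith("redirect="):
            return term.split("=", 1)[1]
    return None
```

A record that ends in redirect=, like the two on this page, carries no policy of its own; the next query goes to the returned target.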
DKIM
DKIM queries can be run in the following format:
nslookup selector._domainkey.domain txt
dig selector._domainkey.domain txt
Note: Replace the words selector and domain with the DKIM selector and domain you want to query.
(Machine lab.esa.com)> nslookup iport._domainkey.cisco.com txt
TXT="v=DKIM1;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCctxGhJnvNpdcQLJM6a/0otvdpzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbyZ0UyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qw
tbanjWJzEPpVvrvbuz9QL8CUtS+V5N5ldq8L/lwIDAQAB;"
TTL=1d
(Machine lab.esa.com)> dig iport._domainkey.cisco.com txt
; <<>> DiG 9.11.2 <<>> iport._domainkey.cisco.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21671
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;iport._domainkey.cisco.com. IN TXT
;; ANSWER SECTION:
iport._domainkey.cisco.com. 86400 IN TXT "v=DKIM1;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCctxGhJnvNpdcQLJM6a/0otvdpzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbyZ0UyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qw
tbanjWJzEPpVvrvbuz9QL8CUtS+V5N5ldq8L/lwIDAQAB;"
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:41:31 GMT 2021
;; MSG SIZE rcvd: 285
(Machine lab.esa.com)> dig 20161025._domainkey.gmail.com TXT
; <<>> DiG 9.11.2 <<>> 20161025._domainkey.gmail.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11798
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;20161025._domainkey.gmail.com. IN TXT
;; ANSWER SECTION:
20161025._domainkey.gmail.com. 1800 IN TXT "k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR"
"tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpb
q4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"
;; Query time: 174 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:45:01 GMT 2021
;; MSG SIZE rcvd: 462
(Machine lab.esa.com)> nslookup 20161025._domainkey.gmail.com TXT
TXT="k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR"
"tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpb
q4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"
TTL=30m
DMARC
DMARC queries can be run in the following format:
nslookup _dmarc.domain txt
dig _dmarc.domain txt
Note: Replace the word domain with the domain you want to query.
(Machine lab.esa.com)> nslookup _dmarc.cisco.com txt
TXT="v=DMARC1; p=quarantine; pct=0; fo=1; ri=3600; rua=mailto:cisco@rua.agari.com; ruf=mailto:cisco@ruf.agari.com"
TTL=30m
(Machine lab.esa.com)> dig txt _dmarc.cisco.com
; <<>> DiG 9.11.2 <<>> _dmarc.cisco.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_dmarc.cisco.com. IN TXT
;; ANSWER SECTION:
_dmarc.cisco.com. 1800 IN TXT "v=DMARC1; p=quarantine; pct=0; fo=1; ri=3600; rua=mailto:cisco@rua.agari.com; ruf=mailto:cisco@ruf.agari.com"
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:34:15 GMT 2021
;; MSG SIZE rcvd: 155
(Machine lab.esa.com)> nslookup _dmarc.gmail.com txt
TXT="v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
TTL=30m
(Machine lab.esa.com)> dig _dmarc.gmail.com txt
; <<>> DiG 9.11.2 <<>> _dmarc.gmail.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28370
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_dmarc.gmail.com. IN TXT
;; ANSWER SECTION:
_dmarc.gmail.com. 1800 IN TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
;; Query time: 85 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 23 06:35:18 GMT 2021
;; MSG SIZE rcvd: 118
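Once the DMARC record is retrieved, the tags decide what receivers actually do with failing mail. The following Python sketch is an added example, not part of the original document: it parses the two records shown above and reports the requested policy, the subdomain policy, and whether the pct tag leaves any of it in effect. The helper names are assumptions, and the defaults (pct=100, sp inherits p) follow RFC 7489.

```python
# The two DMARC records shown in the output above.
CISCO = ("v=DMARC1; p=quarantine; pct=0; fo=1; ri=3600; "
         "rua=mailto:cisco@rua.agari.com; ruf=mailto:cisco@ruf.agari.com")
GMAIL = "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"

# Policy a receiver falls back to for messages outside the pct sample.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict keyed by tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_summary(record):
    """Summarise what a DMARC record asks receivers to do (hypothetical helper)."""
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in NEXT_LOWER:
        raise ValueError("not a DMARC record with a valid p= tag")
    sub = tags.get("sp", policy).lower()  # sp defaults to the value of p
    pct = int(tags.get("pct", "100"))     # pct defaults to 100 when absent
    return {
        "policy": policy,
        "subdomain_policy": sub,
        "pct": pct,
        "outside_sample": NEXT_LOWER[policy],
        # A quarantine/reject policy only affects mail if pct is above 0.
        "enforced": policy != "none" and pct > 0,
        "subdomains_enforced": sub != "none" and pct > 0,
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }
```

For the cisco.com record above, p=quarantine combined with pct=0 means no failing message falls inside the sample, so the summary reports the policy as not enforced.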
Related Information