I’ve been chatting with a client of mine about sending emails from his
AS400 iSeries Power IBM-i system. More specifically, about sending emails from his system, but with the email address of the user that is signed on. These emails send, but frequently go to spam. Luckily, setting up IBM i email and SPF will solve this problem.
Let’s look at an example:
- I can log on to #HIS-IBM-I-SYSTEM and send an email using standard IBM i email commands
- The emails send OK
- The emails look like they are coming from #NICKLITTEN.COM
- The emails say “not verified” and are frequently spammed
- We love spam #obviously but just not this type
Sounds straightforward, but this is also called spoofing: sending an email from one system and making it look like it comes from another system.
Of course, there are a lot of naughty email spammers out there who regularly send emails with spoofed addresses (just like those bloody spam phone callers). Because of this, most email clients will receive an email like this and mark it as spam.
Why does email get marked as spam?
Emails have an internal from address and an external, human-facing from address. So when you send an email it might look like it’s coming from email@example.com, but internally it will say where it’s really coming from. These are called the envelope and header email addresses.
Emails are validated by various techniques – SPF, DKIM and DMARC.
SPF in a nutshell: the controller of a domain (i.e. me) adds a record to the DNS zone, listing the servers which I want to allow as legitimate senders for my domain. So if I wanted to let your IBM i system send email branded as *ME* then I would need to add an SPF record to my www.nicklitten.com server granting rights to your IBM i system’s IP address or domain name.
A Sender Policy Framework (SPF) record is a type of Domain Name Service (DNS) TXT record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to detect and prevent spammers from sending messages with forged From addresses on your domain.
(some clever internet bloke that uses fewer words than me)
So, as it stands, you can send emails from your IBM i as any user domain you please. But without an SPF record on that user’s domain saying “let the IBM i system send emails signed as if they were sending from me” there is a chance that those emails will go to spam. It depends on the email client: whether it looks up the sender’s envelope email address (the original machine) and then checks for either an SPF or DKIM setup to validate the sender.
If that doesn’t make sense, there is a terrific blog that covers all this stuff over at Matt Moorehead’s blog:
… the most important email authentication protocols—SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance)—in plain English.
Email messages contain two “from” addresses: the “envelope from” and the “header from”
Brands sending email…list which IPs are authorized to send email on behalf of their domains
Matt Moorehead
Now, DKIM is the next generation of SPF, which adds further validation. But I don’t really know much about it other than it’s more complicated. I’ve added it to my MS-OFFICE config on my nicklitten.com and projex.com servers because I send various mails from OFFICE and want them to appear legit.
You just need to make sure you have the user’s email address set up correctly in the IBM i alias table.
I find this easiest to configure from CFGTCP:
Then option 20, Configure TCP/IP applications:
Then option 12, Configure SMTP:
Then option 1, Work with the System Alias Table.
This will let you assign originating email addresses for all your users that will be sending emails:
In this case my user “NICK” is set up to send as firstname.lastname@example.org, so when I email myself from the command line using the IBM i SNDEML4i command it looks like the email has come from me, even though it was sent from the IBM i system:
Sure enough when it lands in my OUTLOOK it looks like this:
That looks OK right?
When Outlook cannot verify the identity of the sender using email authentication techniques, it displays a ‘?’ in the sender photo. You will also notice the little warning on the header: “we could not verify the identity of the sender” #oops
So, although the email has sent OK and looks legit, my email client (in this case it’s Outlook) has noticed that the originating machine is not the actual server that controls the originating email address.
How do we mark an email address as safe and verified?
In this case I can look at my email header to see the originating IBM-i machine name:
Let’s add an SPF record to nicklitten.com to tell it that the IBM i server is our friend and we will allow it to send for us.
What does an SPF record look like?
So, I know I need to add backbeat.rzkh.de to my allowed SPF domains.
The SPF record might look like this:
| Type | Value | TTL |
| --- | --- | --- |
| TXT | v=spf1 a mx a:BACKBEAT.RZKH.DE ~all | 14400 |
but since I already have an SPF record for my domain, I am just going to add the new domain to the existing SPF record:
Existing record:
v=spf1 a mx include:server295.smtp-spf.sureserver.com ~all
Updated record:
v=spf1 a mx include:server295.smtp-spf.sureserver.com a:backbeat.rzkh.de ~all
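To see why the updated record fixes the “not verified” result, here is an added example (not from the original post) that evaluates both records against a connecting IP the way a receiving mail server would. It implements a simplified subset of SPF (the a, mx, ip4, include and all mechanisms) over a constructed stub DNS; the IP addresses, the mail.nicklitten.com MX host and the sureserver.com include record are all made up for the example.

```python
import ipaddress

# Constructed stub DNS for the example (no real lookups are made):
# A records per host, MX hosts per domain, and the SPF TXT record of the
# included domain. None of these addresses are the real ones.
STUB_A = {
    "nicklitten.com": ["203.0.113.10"],
    "mail.nicklitten.com": ["203.0.113.20"],
    "backbeat.rzkh.de": ["198.51.100.5"],      # the IBM i host (made-up IP)
}
STUB_MX = {"nicklitten.com": ["mail.nicklitten.com"]}
STUB_TXT = {"server295.smtp-spf.sureserver.com": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, sender_ip, depth=0):
    """Evaluate an SPF record for the IP that connected to deliver the mail.
    Mechanisms are tried left to right; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    assert terms[0] == "v=spf1" and depth < 10   # crude include-loop guard
    for term in terms[1:]:
        qual = "+"                                # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]               # catch-all: ~all -> softfail
        if name == "a":                           # A record of arg (or domain)
            matched = str(ip) in STUB_A.get(arg or domain, [])
        elif name == "mx":                        # A records of the MX hosts
            matched = any(str(ip) in STUB_A.get(mx, [])
                          for mx in STUB_MX.get(arg or domain, []))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":                   # only a 'pass' counts
            matched = check_spf(STUB_TXT[arg], arg, sender_ip, depth + 1) == "pass"
        else:
            continue                              # mechanisms not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                              # no 'all' term: default result

OLD = "v=spf1 a mx include:server295.smtp-spf.sureserver.com ~all"
NEW = "v=spf1 a mx include:server295.smtp-spf.sureserver.com a:backbeat.rzkh.de ~all"

if __name__ == "__main__":
    for rec in (OLD, NEW):
        print(rec, "->", check_spf(rec, "nicklitten.com", "198.51.100.5"))
```

With the old record the IBM i host only reaches ~all and gets softfail (which is what Outlook flags); with the new record the a:backbeat.rzkh.de mechanism matches first and the result is pass.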
and then… after sipping a coffee… looking out of the window… letting the internet propagate all its changes around the ether for a few minutes, I can try to send my email again. This time I see this in the message when it arrives: