Sender ID

Sender ID is used to detect spoofing. A spoofed email message is modified to appear as if it originates from a sender other than the actual sender of the message. In the past, it was relatively easy to send spoofed email messages, because the sender's email address in the message header wasn't validated. Sender ID uses the RECEIVED SMTP header and a query to the DNS records for the sender's domain to determine if the sender's email address is spoofed. Sender ID in Exchange Server is provided by the Sender ID agent, and is basically unchanged from Exchange Server 2010.

By default, the Sender ID agent is enabled on Edge Transport servers, but you can enable it on Mailbox servers. For more information, see Enable antispam functionality on Mailbox servers.

For more information about how to configure the Sender ID agent, see Sender ID procedures.

Using Sender ID to combat spoofing

When the Exchange server receives an inbound message, the Sender ID agent verifies the sender's IP address by querying the DNS records for the sender's domain. This check confirms that the message was received from an authorized IP address for the sender's domain. The IP address of the authorized sending server is referred to as the purported responsible address (PRA).

Administrators publish sender policy framework (SPF) records in DNS that identify the authorized outbound messaging servers for the domain. If an SPF record is available in DNS for the sender's domain, the Sender ID agent parses the SPF record to determine if the source IP address is authorized to send email for the domain that's specified in the sender's email address. For more information about what an SPF record contains and how to create an SPF record, see Sender Policy Framework: SPF Record Syntax.

Sender ID status values

The Sender ID agent generates a Sender ID status for the message. The Sender ID status can be set to one of the following values:

  • Pass: Both the IP address and the PRA passed the Sender ID verification check.

  • Neutral: The published Sender ID data is explicitly inconclusive.

  • Soft fail: The IP address for the PRA might be in the not permitted set.

  • Fail: The IP address is not permitted. No PRA is found in the incoming mail, or the sender's domain doesn't exist.

  • None: No published SPF data exists in DNS for the sender's domain.

  • TempError: A temporary DNS failure occurred, such as an unavailable DNS server.

  • PermError: The DNS record is invalid, such as an error in the record format.

Note: If the source IP address is missing, the Sender ID status can't be set. Exchange continues to process the message without including a Sender ID status, and the message isn't returned or rejected. In this scenario, the Sender ID status isn't set, and an application event is logged.
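
The SPF check and the status values described above, as an added example that is not Exchange's own code: it evaluates a published `v=spf1` record against a source IP address and returns one of the status labels from the list. The function name `sender_id_status` and the sample record are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and TempError is not modeled because no DNS query is made.

```python
import ipaddress

# SPF qualifier -> status label, using the names from the list above.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Soft fail", "?": "Neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}  # not evaluated offline

# Constructed sample record using documentation address ranges.
SAMPLE_TXT = ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~ip4:198.51.100.7 -all"]


def sender_id_status(txt_records, source_ip):
    """Map a source IP to a status using the domain's TXT records."""
    ip = ipaddress.ip_address(source_ip)
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "None"  # no published SPF data for the domain
    if len(spf) > 1:
        return "PermError"  # several SPF records make the policy invalid
    for term in spf[0].split()[1:]:
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect needs a DNS lookup")
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.partition("/")[0].lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"  # malformed address or prefix
            if net.version != int(name[2]):
                return "PermError"  # e.g. an IPv6 range under ip4:
            matched = ip in net
        elif name in NEEDS_DNS:
            raise NotImplementedError(f"{name} needs a DNS lookup")
        else:
            return "PermError"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # nothing matched: the record is inconclusive


if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(addr, "->", sender_id_status(SAMPLE_TXT, addr))
```
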

The Sender ID status is added to the message metadata, and is later converted to a MAPI property. The junk email filter in Outlook uses this MAPI property during the calculation of the spam confidence level (SCL).

Outlook neither displays the Sender ID status, nor flags a message as junk based solely on the Sender ID value. Instead, Outlook uses the Sender ID status value only during the calculation of the SCL for the message.

For more information about how the Sender ID status is displayed in messages, see Antispam stamps.

Sender ID options for handling spoofed mail and unreachable DNS servers

You can configure the actions to take when the Sender ID agent identifies messages that contain spoofed senders (the Sender ID status is Fail), and when a DNS server can't be reached (the Sender ID status is TempError):

  • Stamp status: The Sender ID agent stamps the Sender ID status in the metadata of the message, and allows the delivery of the message to continue. This is the default option.

  • Reject: The Sender ID agent rejects the message with a 5xx level SMTP error response, which includes text that corresponds to the Sender ID status.

  • Delete: The Sender ID agent silently deletes the message without an SMTP error response. The Exchange server sends a fake OK SMTP command to the source server, and then deletes the message. Because the source server assumes the message was sent, it doesn't try to resend the message in the same session.

For more information about how to configure the action to take for spoofed mail and unreachable DNS servers, see Sender ID procedures.

Updating your organization's Internet-facing DNS to support Sender ID

The effectiveness of Sender ID depends on specific DNS data. The more organizations that configure SPF records for their domains, the more effectively Sender ID is able to identify spoofed messages.

To support the Sender ID infrastructure, you need to create SPF records for the domains that your organization sends messages from. For more information about how to create and deploy SPF records, see Sender Policy Framework: SPF Record Syntax.

Specifying recipients and sender domains to exclude from Sender ID filtering

You can exclude specific recipients and sender domains from Sender ID filtering by using the Set-SenderIdConfig cmdlet in the Exchange Management Shell. For more information, see Sender ID procedures.