SPF (Sender Policy Framework) is a DNS TXT record that lists the servers allowed to send mail for a specific domain.
DKIM (DomainKeys Identified Mail) is instead a method to verify that a message's content is trustworthy, meaning that it was not changed after the message left the originating mail server. This additional layer of trust is achieved with a standard public/private key signing process.
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM by stating a clear policy on how receivers should treat mail that fails those checks, and it allows setting an address to which receivers send reports with statistics about the mail they received for the domain.
Installation and configuration process.
Install opendkim package
apt-get install opendkim opendkim-tools
Generate Key Pair
The following commands generate a private key (mail.private) and the matching DNS TXT record (mail.txt) for the selector "mail"; -r restricts the key to e-mail signing only.
MYDOMAIN=faix.cz
mkdir -p /etc/mail/dkim-keys/$MYDOMAIN
cd /etc/mail/dkim-keys/$MYDOMAIN
opendkim-genkey -b 2048 -r -s mail -d $MYDOMAIN
Configure SPF, DKIM and DMARC for Postfix
Remember to add user postfix to group opendkim.
usermod -a -G opendkim postfix
DKIM configuration file
/etc/opendkim.conf
Domain faix.cz
KeyTable refile:/etc/mail/keytable
SigningTable refile:/etc/mail/signingtable
Selector mail
Socket inet:8892@localhost
Canonicalization relaxed/simple
Set correct access rights on the /etc/mail folder:
chmod 755 /etc/mail
/etc/mail/keytable
mail._domainkey.faix.cz faix.cz:mail:/etc/mail/dkim-keys/faix.cz/mail.private
/etc/mail/signingtable
*@faix.cz mail._domainkey.faix.cz
Set opendkim user as owner of new files:
chown -R opendkim:opendkim /etc/mail/dkim-keys /etc/mail/keytable /etc/mail/signingtable
Postfix configuration file
/etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892
Configure DNS Entry
SPF record
Add a TXT record to your domain faix.cz with the following value:
v=spf1 mx a ptr ip4:94.230.149.155 ip4:94.230.145.27 ip4:94.230.145.11 ip4:94.230.145.28 ip4:94.230.145.29 a:mail.faix.cz a:mail.centronet.cz ~all
DKIM record
Add a TXT record for mail._domainkey.faix.cz with the value found in /etc/mail/dkim-keys/faix.cz/mail.txt. Copy only the text inside the quotes (joining the quoted parts into one value); omit the quotes themselves and everything before and after them.
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx+PJoQrLmluDH5gvtkY+aYNr5SXGqADVIBrZJFMBLJ4iEkUkC2285S1ivNH9Ly+REAoiP8S8VQPAStvvVSGgQFQopaxGYvEzJIrs+x3P/aTWa0nZjeBwEaQIVWMiDx4HCMV9YZ/SLCsCuiLzmpkxAKJ0kih+bUby6GYTgQScoBidKPYIfXtiVCaEoNYu9hcrHwsLHCp5Z3krvjHEPhlCuD416v5J2XbKJi+Q6RwCSoFkcGa5Y7SNx9/igIlhctzV636dMBe1E5X6T7WA+J6HDJXxSsQyiAUWKrzJH23vhdBDAwKiQp+8vF5gGdtvLJoUBhnYideZQFlfuVdNumvkzQIDAQAB
DMARC record
Make sure SPF and DKIM are set up before publishing a DMARC record.
Add a TXT record to your domain _dmarc.faix.cz with the following value:
v=DMARC1; p=none
Verify your SPF and DKIM records
SPF
dig faix.cz TXT
DKIM
dig mail._domainkey.faix.cz TXT
DMARC
dig _dmarc.faix.cz TXT
Or use the following service.
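The DKIM record step above (taking only the text inside the quotes from mail.txt, then confirming with dig that DNS serves the same key) as an added Python example; this is not code from the page or from OpenDKIM. The mail.txt and dig samples are constructed, and the p= value is a shortened placeholder, not a real key.

```python
import base64
import re

# Constructed sample of the mail.txt that opendkim-genkey writes (p= is a shortened
# placeholder, not a real key). The record is split into several quoted strings.
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; s=email; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'
    '\t  "x+PJoQrLmluDH5gvtkY+aYNr5SXGqADVIBrZJFMBLJ4i" )  ; ----- DKIM key mail for faix.cz\n'
)
# Constructed answer line in the format printed by `dig mail._domainkey.faix.cz TXT`.
SAMPLE_DIG_ANSWER = (
    'mail._domainkey.faix.cz. 3600 IN TXT "v=DKIM1; k=rsa; s=email; " '
    '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx+PJoQrLmluDH5gvtkY+aYNr5SXGqADVIBrZJFMBLJ4i"\n'
)

def record_value(text):
    """Join the quoted DNS character-strings; everything outside the quotes is dropped."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_tags(value):
    """Split a DKIM tag list ('v=DKIM1; k=rsa; p=...') into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def check_dkim_record(value):
    """Return a list of problems; an empty list means the record is safe to publish."""
    tags, problems = parse_tags(value), []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:  # binascii.Error: quotes or whitespace were copied into p=
        key = None
    if not key:
        problems.append("p= missing, empty (revoked key) or not valid base64")
    return problems

def zone_file_strings(value, limit=255):
    """Split a record into <=255-byte quoted strings, the maximum for one DNS TXT string."""
    return ['"%s"' % value[i:i + limit] for i in range(0, len(value), limit)]

def published_matches_local(dig_output, mail_txt):
    """True when the p= served by DNS equals the p= in the local mail.txt."""
    return parse_tags(record_value(dig_output)).get("p") == parse_tags(record_value(mail_txt)).get("p")
```

A real 2048-bit record is longer than 255 bytes, so zone_file_strings shows how it must be split when written into a zone file by hand.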
After the DNS records have propagated, test that the key can be used for signing and verification (the result should be "key OK") using:
opendkim-testkey -vvv -d faix.cz -s mail -k /etc/mail/dkim-keys/faix.cz/mail.private
Or use the following service.
Restart Services
service opendkim restart
service postfix restart
Verify DKIM
Send a test email through command line:
mail -vs "Test DKIM" check-auth@verifier.port25.com < /dev/null
In the source of the email you receive back, search for "DKIM-Signature".
Or use the following service.