SPF,DKIM and DMARC

Architecture We Are Building

Postfix  →  OpenDKIM  →  Internet
               ↑
           DKIM DNS

SPF – Allow your server to send email

In your domain DNS (for example yourdomain.id), create a TXT record:

Field	Value
Host	`@`
Type	`TXT`
Value	`v=spf1 ip4:103.xx.xx.xx mx -all`

Replace 103.xx.xx.xx with your Postfix server’s public IP address.

Meaning:

Only this IP and your MX servers are allowed to send email
All others are rejected

Install OpenDKIM

apt install opendkim opendkim-tools -y

Configure OpenDKIM

Edit the configuration file:

nano /etc/opendkim.conf

Ensure the following settings:

Mode                    sv
Canonicalization        relaxed/simple
SubDomains              no
OversignHeaders         From
AutoRestart             yes
AutoRestartRate         10/1h
Background              yes
DNSTimeout              5
SignatureAlgorithm      rsa-sha256

UserID                  opendkim
Socket                  inet:8891@localhost

KeyTable                /etc/opendkim/key.table
SigningTable            /etc/opendkim/signing.table
TrustedHosts            /etc/opendkim/trusted.hosts

Trusted Hosts

Edit:

nano /etc/opendkim/trusted.hosts

Add:

127.0.0.1
localhost
mail.yourdomain.id
103.30.246.60

Generate DKIM keys

mkdir -p /etc/opendkim/keys/yourdomain.id
cd /etc/opendkim/keys/yourdomain.id

opendkim-genkey -s mail -d yourdomain.id
chown opendkim:opendkim mail.private

This will create:

mail.private   ← private key
mail.txt       ← DNS record

Configure KeyTable & SigningTable

Edit KeyTable:

nano /etc/opendkim/key.table

Add:

mail._domainkey.yourdomain.id yourdomain.id:mail:/etc/opendkim/keys/yourdomain.id/mail.private

Edit SigningTable:

nano /etc/opendkim/signing.table

Add:

*@yourdomain.id mail._domainkey.yourdomain.id

Connect Postfix to OpenDKIM

Edit Postfix configuration:

nano /etc/postfix/main.cf

Add:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Restart services:

systemctl restart opendkim postfix

Add DKIM record to DNS

View the DKIM DNS record:

cat /etc/opendkim/keys/yourdomain.id/mail.txt

Example output:

mail._domainkey.yourdomain.id IN TXT (
"v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
)

Add this to your DNS:

Field	Value
Host	`mail._domainkey`
Type	`TXT`
Value	(paste the entire `p=...` value)

DMARC Configuration

Add the following DNS record:

Field	Value
Host	`_dmarc`
Type	`TXT`
Value	`v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.id; ruf=mailto:dmarc@yourdomain.id; fo=1`

For strict enforcement, change:

p=reject

Final Verification

Test DKIM:

opendkim-testkey -d yourdomain.id -s mail -vvv

Expected result:

key OK

Send a test email to Gmail and check headers:

SPF: PASS
DKIM: PASS
DMARC: PASS

SPF,DKIM and DMARC

Architecture We Are Building

SPF – Allow your server to send email

Install OpenDKIM

Configure OpenDKIM

Trusted Hosts

Generate DKIM keys

Configure KeyTable & SigningTable

Connect Postfix to OpenDKIM

Add DKIM record to DNS

DMARC Configuration

Final Verification

Comments

Leave a Reply Cancel reply