Tran Nghi's Site  - Make notes and share experience

Postfix – Config SPF, DKIM and DMARC

Below are some articles that I referred to when configuring SPF and DKIM on my self-hosted mail server.

1) SPF

This is the first article that I found: https://wordtothewise.com/2014/06/authenticating-spf/
But this one is more detailed: https://linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

Below is my work. I was setting up a sub-domain of infotechviet.com, assuming that you have already configured the DNS records for your mail server, like this:

lcl          A record          – points to ip 113.xxx.xx.12x                    #public ip of my mail server, of course
lcl         MX record        – mail handled by lcl.infotechviet.com   #the above A record
mail     CNAME record – is an alias of lcl.infotechviet.com        #not necessary, this is just for my web client/admin access: ie: https://mail.infotechviet.com

So now, I am setting up my SPF like this:

lcl    TXT record  – has value as “v=spf1 a mx ip4:113.xxx.xx.12x include:lcl.infotechviet.com -all”

Otherwise:

lcl   TXT record  – has value as “v=spf1 a mx ip4:113.xxx.xx.12x -all”
(Each item in the value is optional: if you have a specific IP address, there is no need for the include option, or you can have as many include options as you want:
– has value as “v=spf1 a mx ip4:113.xxx.xx.12x include:lcl.infotechviet.com include:mail.infotechviet.com -all”)

See the explanations in the links above.

If you’re using the Exchange Mail Online Service 365, you probably have a TXT record like this – for my root domain (ie: infotechviet.com):

@    TXT record  – has value as “v=spf1 include:spf.protection.outlook.com -all”

2) DMARC

I currently have my DMARC set as below:

_dmarc.lcl   TXT record  – has value as “v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r”

Or, if you’re using Exchange Mail Online Service 365, it should look like this – for my root domain (ie: infotechviet.com):

_dmarc  TXT record  – has value as “v=DMARC1; p=none;”

Find the explanation at https://linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

3) DKIM – OpenDKIM

I was referring to some articles like this one: https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/
But actually, this article is the one that made things work: https://help.ubuntu.com/community/Postfix/DKIM#Common_errors_and_fixes

My work:

[email protected]:# apt install opendkim opendkim-tools

[email protected]:# vi /etc/opendkim.conf

# I prefer to use a wildcard, as suggested at
# https://help.ubuntu.com/community/Postfix/DKIM#Common_errors_and_fixes
# Domain example.com
  Domain *
  KeyFile /etc/postfix/dkim.key
  Selector mail
  SOCKET inet:8891@localhost


[email protected]:# vi /etc/default/opendkim

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
# DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# THE LINE BELOW WAS COMMENTED OUT BY NGHIA LE
# SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
# SOCKET="inet:54321"
# listen on loopback on port 12345:
# SOCKET="inet:12345@localhost"
# listen on 192.0.2.1 on port 12345:
# SOCKET="inet:12345@192.0.2.1"
# Below was added by Nghia Le for DKIM Configuration
  SOCKET="inet:8891@localhost"

[email protected]:# vi /etc/postfix/main.cf

# Below was added by Nghia Le for DKIM Configuration
  milter_default_action = accept
  milter_protocol = 2
  smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891


#Key generation for dkim-milter and its setup with DNS
[email protected]:# opendkim-genkey -t -s mail -d lcl.infotechviet.com

[email protected]:# cp mail.private /etc/postfix/dkim.key
[email protected]:# chown opendkim:opendkim /etc/postfix/dkim.key

[email protected]:# cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCS+uGXm55i2E24CuSCyvLurVkGhTxjgtmXMFvmSXaduBSjLz8wqxgfCo/aBRG8fIqKpoTZy6Wc/QRd29xE0zKMxY2QX+oFJYjDco7fLuL1UTQv3OhhH/dr4RxUrf0V+XPsxlmUS/gDNl1wsRZyGQaogTmjgfLGJzrz901GOcIxXwIDAQAB" ) ; ----- DKIM key mail for lcl.infotechviet.com
# You have to add this TXT record to your domain

[email protected]:# systemctl start opendkim.service
[email protected]:# systemctl restart postfix.service
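
As an added example (not code from the original post), the Python below lints the TXT values from sections 1 to 3 offline. It flags an SPF include that points back at the record's own name, more than 10 DNS-lookup terms, a DMARC policy with p=none or without rua=, and a DKIM key still published with t=y (which is what opendkim-genkey -t produces). The function names are made up for this example, and the DKIM p= value is a placeholder.

```python
LOOKUP_MECHS = {"a", "mx", "include", "exists", "ptr"}  # each costs one DNS lookup (RFC 7208)

def lint_spf(owner, txt):
    """Findings for an SPF TXT value published at DNS name `owner`."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name in LOOKUP_MECHS or name.startswith("redirect="):
            lookups += 1
        if name == "include" and arg.rstrip(".") == owner.lower().rstrip("."):
            findings.append("include targets the record's own name: loop, permerror")
        if name == "all":  # no explicit qualifier means "+"
            all_qual = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms (limit 10): permerror")
    if all_qual not in ("-", "~") and "redirect=" not in txt.lower():
        findings.append("no -all/~all: unlisted hosts never get a fail result")
    return findings

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC policy, DKIM key) into a dict."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in parts}

def lint_dmarc(txt):
    tags = parse_tags(txt)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif tags["p"].lower() == "none":
        findings.append("p=none: monitoring only, no action requested on failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so failures go unseen")
    return findings

def lint_dkim_key(txt):
    testing = "y" in parse_tags(txt).get("t", "").split(":")
    return ["t=y: testing mode, a failed signature counts like unsigned mail"] if testing else []

if __name__ == "__main__":  # values copied from the post; the DKIM p= value is a placeholder
    print(lint_spf("lcl.infotechviet.com", "v=spf1 a mx ip4:113.xxx.xx.12x include:lcl.infotechviet.com -all"))
    print(lint_dmarc("v=DMARC1; p=none;"))
    print(lint_dkim_key("v=DKIM1; k=rsa; t=y; p=PLACEHOLDER"))
```

Once the setup is confirmed working, regenerating the key without -t and adding a rua= address to the DMARC record clears the last two kinds of finding.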


END.

 
