User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
email:configure-dkim-spf-dmarc [2025/03/05 20:07] willyemail:configure-dkim-spf-dmarc [2025/07/24 13:58] (current) – [DMARC (Domain-based Message Authentication, Reporting & Conformance)] willy
Line 1: Line 1:
-====== Configure proper mail delivery ======+====== I) Configure proper mail delivery ======
  
 You need access to your domain DNS records, this is mandatory. You need access to your domain DNS records, this is mandatory.
Line 37: Line 37:
 ===== DKIM (Domain Keys Identified Mail) ===== ===== DKIM (Domain Keys Identified Mail) =====
  
-Run the following command to configure DKIM the first time:+OpenDKIM provides great documentation [[http://www.opendkim.org/docs.html!here]].  
 + 
 +You need to choose a //selector// name, and i suggest you use **mydomain.com** as selector, and you need to generate a set of keys and DNS record with the following command:
 <code bash> <code bash>
-emerge --ask --config opendkim+cd /etc/opendkim 
 +opendkim-genkey -s mydomain.com
 </code> </code>
  
-This command will ask you the //selector//input your domain name (mydomain.com).+This will create two files**mydomain.com.private**, which contains the secret key, and **mydomain.com.txt** which contains the DKIM public signature that you need to incorporate in your DNS as a TXT record.
  
-Note the output:+=== DNS record === 
 + 
 +As an example consider the following **mydomain.com.txt**:
 <code> <code>
- emerge --ask --config opendkim+mydomain.com._domainkey  IN      TXT     ( "v=DKIM1; k=rsa; " 
 +          "p=<< this is a very long line >>" )  ; ----- DKIM key mydomain.com for mydomain.com 
 +</code>
  
 +You need to create a new TXT record in your DNS zone with //mydomain.com._domainkey// as key and //v=DKIM1; k=rsa; p=<< this is a very long line >>// as value.
  
-Ready to configure mail-filter/opendkim-2.10.3-r32? [Yes/No] yes+=== Postfix setup ===
  
-Enter the selector name (default external.mydomain.com)mydomain.com+OpenDKIM acts as a //milter//, which means a mail filter, for PostfixThe postfix configuration described [[email:configure-postfix|here]] already include the required lines under the OpenDKIM setup comment.
  
- * Make sure you have the following settings in your /etc/opendkim/opendkim.conf: +=== Socket Setup ===
-   Keyfile /var/lib/opendkim/mydomain.com.private +
-   Selector mydomain.com+
  
- * If you are using Postfix, add following lines to your main.cf: +For security reasons you want the DKIM keys not to be readable by Postfix, but you want Postfix capable to access the OpenDKIM socket or it would not be possible to actually sign any outbound email at allThe default Gentoo users setup is not ideal for this, as you either let Postfix access the keys by adding it to the //opendkim// group or let OpenDKIM access postfix configuration by addig it to the //postfix// group
-   smtpd_milters         = unix:/run/opendkim/opendkim.sock + 
-   non_smtpd_milters = unix:/run/opendkim/opendkim.sock +The solution is to add a new group, called **dkimsocket**, add the user //postfix/to it, then replace opendkim default group with it so that the socket gets created with the proper ownership
-   and read http://www.postfix.org/MILTER_README.html +<code bash> 
- * After you configured your MTA, publish your key by adding this TXT record to your domain+groupadd dkimsocket 
-mydomain.com._domainkey  IN      TXT     ( "v=DKIM1; k=rsa; " +usermod --append --groups dkimsocket postfix 
-          "p=<mykey>" )  ; ----- DKIM key mydomain.com for (your domain) +usermod --gid dkimsocket opendkim 
- * t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags: +usermod --append --groups opendkim opendkim 
-   https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1+
 </code> </code>
  
-Now, setup the DNS record as specified by the output of the command+=== Final wrapup === 
 +Let's wrap it all up with the following **/etc/opendkim/opendkim.conf** file: 
 +<file - opendkim.conf> 
 +Syslog                  yes 
 +SyslogSuccess           yes 
 +Canonicalization        relaxed/relaxed 
 +SendReports             yes 
 +PidFile /run/opendkim/opendkim.pid 
 +Socket local:/var/run/opendkim/opendkim.sock 
 +UMask 0117 
 +UserID opendkim:dkimsocket 
 +AutoRestart             Yes 
 +AutoRestartRate         10/1h 
 +Mode                    sv 
 +# Use the following lines for a single domain/selector 
 +Domain                  gardiol.org 
 +Selector                gardiol.org 
 +KeyFile                 /etc/opendkim/gardiol.org.private 
 +# Use the following lines for multiple domain/selectorsthey use tables instead: 
 +#KeyTable           /etc/opendkim/key_table 
 +#SigningTable       /etc/opendkim/signing_table 
 +#ExternalIgnoreList /etc/opendkim/trusted_hosts 
 +#InternalHosts      /etc/opendkim/trusted_hosts 
 +</file> 
 + 
 +If you want to use multiple domains and selectors, you need to create the table files and put the multiple references there. Check the official OpenDKIM documentation linked above. 
 + 
 +=== Start & Autostart OpenDKIM === 
 + 
 +<code bash> 
 +rc-update add opendkim default 
 +/etc/init.d/opendkim start 
 +</code> 
 + 
 +=== Test your DKIM setup === 
 + 
 +After your DNS record has propagated, you can test it with: 
 +<code bash> 
 +opendkim-testkey -d mydomain.com -s mydomain.com -k mydomain.com.private -vvv 
 +</code> 
 + 
 + 
 + 
 +===== DMARC (Domain-based Message Authentication, Reporting & Conformance) ===== 
 + 
 +OpenDMARC sample configutation can be found [[https://github.com/trusteddomainproject/OpenDMARC/blob/master/opendmarc/opendmarc.conf.sample|here]]. 
 + 
 +This is pretty easy to setup, just edit the **/etc/opendmarc/opendmarc.conf** file similar to the following: 
 +<file - opendmarc.conf> 
 +AuthservID mydomain.com 
 +FailureReports true 
 +RejectFailures false 
 +SPFSelfValidate yes 
 +Socket local:/var/run/opendmarc/opendmarc.sock 
 +SoftwareHeader true 
 +Syslog true 
 +SyslogFacility mail 
 +TrustedAuthservIDs mail.mydomain.com 
 +HistoryFile /var/run/opendmarc/opendmarc.dat 
 +UMask 0002 
 +UserID opendmarc 
 +PidFile /var/run/opendmarc/opendmarc.pid 
 +IgnoreAuthenticatedClients true 
 +</file> 
 + 
 +=== DNS record === 
 + 
 +A DMARC DNS record can be pretty simple or pretty complex. [[https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record|this]] link can help explain it's format. 
 + 
 +The following is a simple example that you can start from: 
 +<code> 
 +_dmarc IN TXT ( "v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com"
 +</code> 
 + 
 +where: 
 +  * p: policy, you want reject here most probably 
 +  * rua: email address to sent aggregate reports to (optional) 
 +  * ruf: email address to sent failure reports to (optional) 
 + 
 +=== Postfix setup === 
 + 
 +OpenDMARC acts as a //milter//, which means a mail filter, for Postfix. The postfix configuration described [[email:configure-postfix|here]] already include the required lines under the OpenDMARC setup comment. 
 + 
 +=== Start & Autostart OpenDMARC === 
 + 
 +<code bash> 
 +rc-update add opendmarc default 
 +/etc/init.d/opendmarc start 
 +</code> 
 +