User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
email:configure-dkim-spf-dmarc [2025/03/06 06:51] willyemail:configure-dkim-spf-dmarc [2025/06/13 12:43] (current) willy
Line 1: Line 1:
-====== Configure proper mail delivery ======+====== I) Configure proper mail delivery ======
  
 You need access to your domain DNS records, this is mandatory. You need access to your domain DNS records, this is mandatory.
Line 63: Line 63:
 === Socket Setup === === Socket Setup ===
  
-For security reasons you want the DKIM keys not to be readable by Postfix, but you want Postfix capable to access the OpenDKIM socket or it would not be possible to actually sign any outbound email at all. The default Gentoo users setup is not ideal for this, as you either let Postfix access the keys by adding it to the //opendkim// group or let OpenDKIM accesso postfix configuration by addig it to the //postfix// group.+For security reasons you want the DKIM keys not to be readable by Postfix, but you want Postfix capable to access the OpenDKIM socket or it would not be possible to actually sign any outbound email at all. The default Gentoo users setup is not ideal for this, as you either let Postfix access the keys by adding it to the //opendkim// group or let OpenDKIM access postfix configuration by addig it to the //postfix// group.
  
 The solution is to add a new group, called **dkimsocket**, add the user //postfix// to it, then replace opendkim default group with it so that the socket gets created with the proper ownership: The solution is to add a new group, called **dkimsocket**, add the user //postfix// to it, then replace opendkim default group with it so that the socket gets created with the proper ownership:
Line 76: Line 76:
 Let's wrap it all up with the following **/etc/opendkim/opendkim.conf** file: Let's wrap it all up with the following **/etc/opendkim/opendkim.conf** file:
 <file - opendkim.conf> <file - opendkim.conf>
 +Syslog                  yes 
 +SyslogSuccess           yes 
 +Canonicalization        relaxed/relaxed 
 +SendReports             yes 
 +PidFile /run/opendkim/opendkim.pid 
 +Socket local:/var/run/opendkim/opendkim.sock 
 +UMask 0117 
 +UserID opendkim:dkimsocket 
 +AutoRestart             Yes 
 +AutoRestartRate         10/1h 
 +Mode                    sv 
 +# Use the following lines for a single domain/selector 
 +Domain                  gardiol.org 
 +Selector                gardiol.org 
 +KeyFile                 /etc/opendkim/gardiol.org.private 
 +# Use the following lines for multiple domain/selectors, they use tables instead: 
 +#KeyTable           /etc/opendkim/key_table 
 +#SigningTable       /etc/opendkim/signing_table 
 +#ExternalIgnoreList /etc/opendkim/trusted_hosts 
 +#InternalHosts      /etc/opendkim/trusted_hosts
 </file> </file>
  
 +If you want to use multiple domains and selectors, you need to create the table files and put the multiple references there. Check the official OpenDKIM documentation linked above.
  
 === Start & Autostart OpenDKIM === === Start & Autostart OpenDKIM ===
Line 95: Line 115:
  
  
 +
 +===== DMARC (Domain-based Message Authentication, Reporting & Conformance) =====
 +
 +OpenDMARC sample configutation can be found [[https://github.com/trusteddomainproject/OpenDMARC/blob/master/opendmarc/opendmarc.conf.sample|here]].
 +
 +This is pretty easy to setup, just edit the **/etc/opendmarc/opendmarc.conf** file similar to the following:
 +<file - opendmarc.conf>
 +AuthservID mydomain.com
 +FailureReports true
 +RejectFailures false
 +SPFSelfValidate yes
 +Socket local:/var/run/opendmarc/opendmarc.sock
 +SoftwareHeader true
 +Syslog true
 +SyslogFacility mail
 +TrustedAuthservIDs mail.mydomain.com
 +HistoryFile /var/run/opendmarc/opendmarc.dat
 +UMask 0002
 +UserID opendmarc
 +PidFile /var/run/opendmarc/opendmarc.pid
 +</file>
 +
 +=== DNS record ===
 +
 +A DMARC DNS record can be pretty simple or pretty complex. [[https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record|this]] link can help explain it's format.
 +
 +The following is a simple example that you can start from:
 +<code>
 +_dmarc IN TXT ( "v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com" )
 +</code>
 +
 +where:
 +  * p: policy, you want reject here most probably
 +  * rua: email address to sent aggregate reports to (optional)
 +  * ruf: email address to sent failure reports to (optional)
 +
 +=== Postfix setup ===
 +
 +OpenDMARC acts as a //milter//, which means a mail filter, for Postfix. The postfix configuration described [[email:configure-postfix|here]] already include the required lines under the OpenDMARC setup comment.
 +
 +=== Start & Autostart OpenDMARC ===
 +
 +<code bash>
 +rc-update add opendmarc default
 +/etc/init.d/opendmarc start
 +</code>
  
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information