This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== I) Configure proper mail delivery ====== You need access to your domain DNS records, this is mandatory. ===== SPF (Sender Policy Framework) ===== SPF works both //outbound// and //inbound// === SPF Outbound === This is the most difficult, but critical step. You need to add to your DNS a TXT record shaped like this: <code> mydomain.com. IN TXT "v=spf1 +a +mx +ptr -all" </code> This record specify **who** is allowed to send email for the //mydomain.com// domain and who is **not** allowed to. Anything with a + is allowed while with a - is not allowed. For the above example: * **v=spf1**: the type (SPF) and version (1) of the record * **a**: refer to //mydomain.com// * **mx**: refer to the mx record of the domain * **ptr**: refer to //mydomain.com// reverse hostname * **-all**: anybody. **Always always always** put //-all// as the last part of the record. In short, the above record allow **only** our mx record and main domain to send emails for //mydomain.com//, while //everybody// else is not allowed. So, email providers that follow SPF standard will reject any email sent as mydomain.com sender if not coming from //mydomain.com// or //mail.mydomain.com// (i am assuming mail is your mx record). This will be enough to protect your //outgoing// email from being flagged as spam. === SPF Inbound === You have already installed //Engine-SPF// which is a very nice python script that acts as a mail filter and, if added to Postfix chain, will automatically do the SPF check on incoming email for you and flag it as spam if it breaks the SPF rules. There is nothing to configure! If you followed [[email:configure-postfix|this page]], it's already setup. ===== DKIM (Domain Keys Identified Mail) ===== OpenDKIM provides great documentation [[http://www.opendkim.org/docs.html!here]]. You need to choose a //selector// name, and i suggest you use **mydomain.com** as selector, and you need to generate a set of keys and DNS record with the following command: <code bash> cd /etc/opendkim opendkim-genkey -s mydomain.com </code> This will create two files: **mydomain.com.private**, which contains the secret key, and **mydomain.com.txt** which contains the DKIM public signature that you need to incorporate in your DNS as a TXT record. === DNS record === As an example consider the following **mydomain.com.txt**: <code> mydomain.com._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=<< this is a very long line >>" ) ; ----- DKIM key mydomain.com for mydomain.com </code> You need to create a new TXT record in your DNS zone with //mydomain.com._domainkey// as key and //v=DKIM1; k=rsa; p=<< this is a very long line >>// as value. === Postfix setup === OpenDKIM acts as a //milter//, which means a mail filter, for Postfix. The postfix configuration described [[email:configure-postfix|here]] already include the required lines under the OpenDKIM setup comment. === Socket Setup === For security reasons you want the DKIM keys not to be readable by Postfix, but you want Postfix capable to access the OpenDKIM socket or it would not be possible to actually sign any outbound email at all. The default Gentoo users setup is not ideal for this, as you either let Postfix access the keys by adding it to the //opendkim// group or let OpenDKIM accesso postfix configuration by addig it to the //postfix// group. The solution is to add a new group, called **dkimsocket**, add the user //postfix// to it, then replace opendkim default group with it so that the socket gets created with the proper ownership: <code bash> groupadd dkimsocket usermod --append --groups dkimsocket postfix usermod --gid dkimsocket opendkim usermod --append --groups opendkim opendkim </code> === Final wrapup === Let's wrap it all up with the following **/etc/opendkim/opendkim.conf** file: <file - opendkim.conf> Syslog yes SyslogSuccess yes Canonicalization relaxed/relaxed SendReports yes PidFile /run/opendkim/opendkim.pid Socket local:/var/run/opendkim/opendkim.sock UMask 0117 UserID opendkim:dkimsocket AutoRestart Yes AutoRestartRate 10/1h Mode sv # Use the following lines for a single domain/selector Domain gardiol.org Selector gardiol.org KeyFile /etc/opendkim/gardiol.org.private # Use the following lines for multiple domain/selectors, they use tables instead: #KeyTable /etc/opendkim/key_table #SigningTable /etc/opendkim/signing_table #ExternalIgnoreList /etc/opendkim/trusted_hosts #InternalHosts /etc/opendkim/trusted_hosts </file> If you want to use multiple domains and selectors, you need to create the table files and put the multiple references there. Check the official OpenDKIM documentation linked above. === Start & Autostart OpenDKIM === <code bash> rc-update add opendkim default /etc/init.d/opendkim start </code> === Test your DKIM setup === After your DNS record has propagated, you can test it with: <code bash> opendkim-testkey -d mydomain.com -s mydomain.com -k mydomain.com.private -vvv </code> ===== DMARC (Domain-based Message Authentication, Reporting & Conformance) ===== OpenDMARC sample configutation can be found [[https://github.com/trusteddomainproject/OpenDMARC/blob/master/opendmarc/opendmarc.conf.sample|here]]. This is pretty easy to setup, just edit the **/etc/opendmarc/opendmarc.conf** file similar to the following: <file - opendmarc.conf> AuthservID mydomain.com FailureReports true RejectFailures false SPFSelfValidate yes Socket local:/var/run/opendmarc/opendmarc.sock SoftwareHeader true Syslog true SyslogFacility mail TrustedAuthservIDs mail.mydomain.com HistoryFile /var/run/opendmarc/opendmarc.dat UMask 0002 UserID opendmarc PidFile /var/run/opendmarc/opendmarc.pid </file> === DNS record === A DMARC DNS record can be pretty simple or pretty complex. [[https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record|this]] link can help explain it's format. The following is a simple example that you can start from: <code> _dmarc IN TXT ( "v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com" ) </code> where: * p: policy, you want reject here most probably * rua: email address to sent aggregate reports to (optional) * ruf: email address to sent failure reports to (optional) === Postfix setup === OpenDMARC acts as a //milter//, which means a mail filter, for Postfix. The postfix configuration described [[email:configure-postfix|here]] already include the required lines under the OpenDMARC setup comment. === Start & Autostart OpenDMARC === <code bash> rc-update add opendmarc default /etc/init.d/opendmarc start </code>
