Configure proper mail delivery
You need access to your domain's DNS records; this is mandatory.
SPF (Sender Policy Framework)
SPF works both outbound and inbound
SPF Outbound
This is the most difficult, but also the most critical, step. You need to add a TXT record shaped like this to your DNS zone:
mydomain.com. IN TXT "v=spf1 +a +mx +ptr -all"
This record specifies who is allowed to send email for the mydomain.com domain and who is not. A mechanism prefixed with + is allowed, while one prefixed with - is not allowed.
For the above example:
- v=spf1: the type (SPF) and version (1) of the record
- a: refers to the A record of mydomain.com
- mx: refers to the MX record of the domain
- ptr: refers to hosts whose reverse DNS name is mydomain.com (or a subdomain of it)
- -all: everybody else. Always, always, always put -all as the last part of the record.
In short, the above record allows only our MX host and main domain to send emails for mydomain.com, while everybody else is not allowed. So, email providers that follow the SPF standard will reject any email with a mydomain.com sender if it does not come from mydomain.com or mail.mydomain.com (I am assuming mail is your MX record).
This will be enough to protect your outgoing email from being flagged as spam.
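To see how a receiver evaluates the record above, here is an added example (not part of the original page) that parses an SPF record and decides the result for a sending IP. DNS answers come from a constructed table so it runs offline; the IPs, the MX host mail.mydomain.com and the records for it are assumptions, and it goes slightly beyond the page by also handling the ip4 mechanism and the ~ and ? qualifiers.

```python
import ipaddress

# Constructed DNS data for mydomain.com (assumption: mail.mydomain.com is the MX host).
DNS = {
    "A": {"mydomain.com": ["203.0.113.10"], "mail.mydomain.com": ["203.0.113.25"]},
    "MX": {"mydomain.com": ["mail.mydomain.com"]},
    "PTR": {"203.0.113.10": ["mydomain.com"], "203.0.113.25": ["mail.mydomain.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def matches(mech, ip, domain):
    """Return True if the sending IP matches one SPF mechanism (a, mx, ptr, ip4, all)."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "a":
        return ip in DNS["A"].get(arg or domain, [])
    if name == "mx":
        hosts = DNS["MX"].get(arg or domain, [])
        return any(ip in DNS["A"].get(h, []) for h in hosts)
    if name == "ptr":
        # Validated reverse lookup: the PTR name must resolve back to the IP
        # and be the domain itself or a subdomain of it.
        target = arg or domain
        for host in DNS["PTR"].get(ip, []):
            if ip in DNS["A"].get(host, []) and (host == target or host.endswith("." + target)):
                return True
        return False
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported mechanism {name!r}")


def check_spf(record, ip, domain="mydomain.com"):
    """Evaluate an SPF TXT record for a sending IP: pass/fail/softfail/neutral/none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if matches(mech, ip, domain):
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and the record has no 'all'


if __name__ == "__main__":
    for sender in ("203.0.113.25", "198.51.100.7"):
        print(sender, check_spf("v=spf1 +a +mx +ptr -all", sender))
```

Note that RFC 7208 discourages the ptr mechanism because it is slow and unreliable; it is evaluated here only because the record above uses it.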
SPF Inbound
You have already installed Engine-SPF, a very nice Python script that acts as a mail filter and, when added to the Postfix chain, automatically performs the SPF check on incoming email for you and flags it as spam if it breaks the SPF rules.
There is nothing to configure! If you followed this page, it is already set up.
DKIM (Domain Keys Identified Mail)
OpenDKIM provides great documentation at http://www.opendkim.org/docs.html.
You need to choose a selector name (I suggest you use mydomain.com as the selector), and you need to generate the key pair and the DNS record with the following commands:
cd /etc/opendkim
opendkim-genkey -s mydomain.com -d mydomain.com
This will create two files: mydomain.com.private, which contains the secret key, and mydomain.com.txt which contains the DKIM public signature that you need to incorporate in your DNS as a TXT record.
DNS record
As an example consider the following mydomain.com.txt:
mydomain.com._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=<< this is a very long line >>" ) ; ----- DKIM key mydomain.com for mydomain.com
You need to create a new TXT record in your DNS zone with mydomain.com._domainkey as the key and v=DKIM1; k=rsa; p=<< this is a very long line >> as the value.
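opendkim-genkey writes the record in BIND syntax, where a long p= value is split into several quoted strings inside the parentheses; what goes into the DNS panel is their concatenation. The following added example (not from the page or from OpenDKIM) extracts the record name and the joined value from such a file and checks the mandatory tags; the sample file is constructed and its p= value is a placeholder, not a real key.

```python
import re

# Constructed sample in the same shape as mydomain.com.txt (placeholder key material).
SAMPLE_TXT = '''mydomain.com._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "
\t  "p=PLACEHOLDERKEYPART1"
\t  "PLACEHOLDERKEYPART2" )  ; ----- DKIM key mydomain.com for mydomain.com
'''


def parse_genkey_txt(text):
    """Return (record_name, joined_value) from an opendkim-genkey .txt file.

    BIND allows the TXT data to be split into several quoted strings inside ( );
    the DNS value is their concatenation. The text after ';' outside the
    parentheses is a comment and is ignored.
    """
    name = text.split(None, 1)[0]
    inside = text[text.index("(") + 1 : text.index(")")]
    value = "".join(re.findall(r'"([^"]*)"', inside))
    return name, value


def dkim_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict and check the mandatory parts."""
    tags = dict(part.strip().split("=", 1) for part in value.split(";") if part.strip())
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record: missing v=DKIM1 or p=")
    return tags


if __name__ == "__main__":
    name, value = parse_genkey_txt(SAMPLE_TXT)
    print(name)
    print(value)
    print(sorted(dkim_tags(value)))
```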
Postfix setup
OpenDKIM acts as a milter (a mail filter) for Postfix. The Postfix configuration described here already includes the required lines under the OpenDKIM setup comment.
Socket Setup
For security reasons you want the DKIM keys not to be readable by Postfix, but you want Postfix to be able to access the OpenDKIM socket, otherwise it would not be possible to sign any outbound email at all. The default Gentoo user setup is not ideal for this, as you would either let Postfix access the keys by adding it to the opendkim group, or let OpenDKIM access the Postfix configuration by adding it to the postfix group.
The solution is to add a new group, called dkimsocket, add the user postfix to it, then replace opendkim default group with it so that the socket gets created with the proper ownership:
groupadd dkimsocket
usermod --append --groups dkimsocket postfix
usermod --gid dkimsocket opendkim
usermod --append --groups opendkim opendkim
Final wrapup
Let's wrap it all up with the following /etc/opendkim/opendkim.conf file:
- opendkim.conf
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/relaxed
SendReports yes
PidFile /run/opendkim/opendkim.pid
Socket local:/var/run/opendkim/opendkim.sock
UMask 0117
UserID opendkim:dkimsocket
AutoRestart Yes
AutoRestartRate 10/1h
Mode sv
# Use the following lines for a single domain/selector
Domain gardiol.org
Selector gardiol.org
KeyFile /etc/opendkim/gardiol.org.private
# Use the following lines for multiple domains/selectors, they use tables instead:
#KeyTable /etc/opendkim/key_table
#SigningTable /etc/opendkim/signing_table
#ExternalIgnoreList /etc/opendkim/trusted_hosts
#InternalHosts /etc/opendkim/trusted_hosts
If you want to use multiple domains and selectors, you need to create the table files and put the multiple references there. Check the official OpenDKIM documentation linked above.
Start & Autostart OpenDKIM
rc-update add opendkim default
/etc/init.d/opendkim start
Test your DKIM setup
After your DNS record has propagated, you can test it with:
opendkim-testkey -d mydomain.com -s mydomain.com -k mydomain.com.private -vvv
DMARC (Domain-based Message Authentication, Reporting & Conformance)
This is pretty easy to setup, just edit the /etc/opendmarc/opendmarc.conf file similar to the following:
- opendmarc.conf
AuthservID mydomain.com
FailureReports true
RejectFailures false
SPFSelfValidate yes
Socket local:/var/run/opendmarc/opendmarc.sock
SoftwareHeader true
Syslog true
SyslogFacility mail
TrustedAuthservIDs mail.mydomain.com
HistoryFile /var/run/opendmarc/opendmarc.dat
UMask 0002
UserID opendmarc
PidFile /var/run/opendmarc/opendmarc.pid
Postfix setup
OpenDMARC acts as a milter (a mail filter) for Postfix. The Postfix configuration described here already includes the required lines under the OpenDMARC setup comment.
Start & Autostart OpenDMARC
rc-update add opendmarc default
/etc/init.d/opendmarc start