Postfix SPF, DKIM and DMARC on Debian

Explanation of terms.

SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be considered allowed to send mail for a specific domain.

DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages’ content are trustworthy, meaning that they weren’t changed from the moment the message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process.

DMARC (Domain-based Message Authentication, Reporting and Conformance) empowers SPF and DKIM by stating a clear policy which should be used about both the aforementioned tools and allows to set an address which can be used to send reports about the mail messages statistics gathered by receivers against the specific domain.

Installation and configuration process.

Install opendkim package
apt-get install opendkim opendkim-tools

Generate Key Pair
Following commands will generate two keys default.private and default.txt only for signing DKIM messages (-r).
mkdir -p /etc/mail/dkim-keys/$MYDOMAIN
cd /etc/mail/dkim-keys/$MYDOMAIN
opendkim-genkey -b 2048 -r -s mail -d $MYDOMAIN

Configure SPF, DKIM and DMARC for Postfix
Remember to add user postfix to group opendkim.
usermod -a -G opendkim postfix

DKIM configuration file

KeyTable           refile:/etc/mail/keytable
SigningTable       refile:/etc/mail/signingtable
Selector           mail
Socket             inet:8892@localhost
Canonicalization   relaxed/simple

Set correct access rights to /etc/mail folder
chmod 755 /etc/mail




Set opendkim user as owner of new files:
chown -R opendkim:opendkim /etc/mail/dkim-keys /etc/mail/keytable /etc/mail/signingtable

Postfix configuration file

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

Configure DNS Entry
SPF record
Add a TXT record to your domain with the following value:

v=spf1 mx a ptr ip4: ip4: ip4: ip4: ip4: ~all

DKIM record
Add a TXT record to your found in: /etc/mail/dkim-keys/ Omit the quotes and the text before and after quotes.

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx+PJoQrLmluDH5gvtkY+aYNr5SXGqADVIBrZJFMBLJ4iEkUkC2285S1ivNH9Ly+REAoiP8S8VQPAStvvVSGgQFQopaxGYvEzJIrs+x3P/aTWa0nZjeBwEaQIVWMiDx4HCMV9YZ/SLCsCuiLzmpkxAKJ0kih+bUby6GYTgQScoBidKPYIfXtiVCaEoNYu9hcrHwsLHCp5Z3krvjHEPhlCuD416v5J2XbKJi+Q6RwCSoFkcGa5Y7SNx9/igIlhctzV636dMBe1E5X6T7WA+J6HDJXxSsQyiAUWKrzJH23vhdBDAwKiQp+8vF5gGdtvLJoUBhnYideZQFlfuVdNumvkzQIDAQAB

DMARC record
Be sure you have a DKIM and SPF set before using DMARC.
Add a TXT record to your domain with the following value:

v=DMARC1; p=none

Verify your SPF and DKIM records
dig TXT
dig TXT
dig TXT
Or use following service.

Test the keys for correct signing and verification (result should be “key OK“) after DNS records were updated using:
opendkim-testkey -vvv -d -s mail -k /etc/mail/dkim-keys/

Or use following service.

Restart Services
service opendkim restart
service postfix restart

Verify DKIM
Send a test email through command line:
mail -vs "Test DKIM" < /dev/null
In received email source search for “DKIM-Signature“.

Or use following service.

Print Friendly, PDF & Email