[Ubuntu/Debian] Setting Up SPF and DKIM

Clara - VPS Hosting Team

Introduction

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send emails on behalf of a domain. Since SPF is a DNS entry, it ensures the list of authorized servers is authoritative, as only the domain's owners or administrators can modify the DNS zone. Here's how the SPF verification process works:

The receiving mail server retrieves the HELO message and sender address.
A TXT DNS query is performed to check the claimed domain's SPF record.
The SPF record is then used to verify the sending server.
If the verification fails, the sender server receives a rejection message.

DKIM (DomainKeys Identified Mail), on the other hand, ensures the integrity of an email’s content, confirming it hasn’t been altered after leaving the sender's server. DKIM achieves this through public/private key encryption. The domain's administrator publishes the public DKIM key in a DNS entry, while the mail server uses the private key to sign outgoing emails. Here's the DKIM process:

The outgoing mail server checks if the "From:" domain is included in its signing table.
If valid, it adds a "DKIM-Signature" header to the email, signing it with the private key.
Any modifications to the email's main content invalidate the DKIM signature.
The receiving server retrieves the public key from the domain's DNS to verify the DKIM signature.
The verification result determines if the email is trustworthy or fraudulent.

Setting Up SPF

To configure SPF, you simply add a TXT record to your domain's DNS zone. The method depends on your domain registrar or DNS management system. If your registrar’s interface includes a subdomain field, leave it blank.

Here’s a basic SPF record:

"v=spf1 a mx -all"

This record authorizes emails from servers specified by MX records and other servers with A records for your domain.
Ensure you include the double quotes, as they are a required part of the record.
More complex configurations can be created following the SPF documentation.

Setting Up DKIM

Setting up DKIM involves additional steps but is manageable if you're already running a Postfix mail server on Ubuntu.

1. Install Required Packages

apt-get install opendkim opendkim-tools -y

2. Configure OpenDKIM

Edit the OpenDKIM configuration file:

nano /etc/opendkim.conf

Add the following lines:

Domain    your_domain  
KeyFile   /etc/postfix/dkim.key  
Selector  dkim  
SOCKET    inet:8891@localhost

Edit the default OpenDKIM file:

nano /etc/default/opendkim

Add:

SOCKET="inet:8891@localhost"

3. Update Postfix Configuration

Edit the Postfix configuration file:

nano /etc/postfix/main.cf

Ensure these lines are present and uncommented:

milter_protocol = 2  
milter_default_action = accept 
``` 
If you’re using additional filters (e.g., SpamAssassin), append the OpenDKIM milter to the existing parameters:

smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891

If no filters are defined, add:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

**Generating DKIM Keys**

Generate the public/private keys:

`opendkim-genkey -t -s dkim -d your_domain`

This creates two files:

**1. dkim.private**: The RSA private key for signing emails.
**2. dkim.txt:** Contains the public key for your DNS records.

Move the private key to the correct location:

`mv dkim.private /etc/postfix/dkim.key`

Backup the private key securely.

Restart the services to apply changes:

service opendkim start
service postfix restart

### Adding the Public Key to DNS

Add the public key (from dkim.txt) to your domain's DNS as a TXT record. Use the subdomain provided in the dkim.txt file (e.g., dkim._domainkey).

If your registrar doesn’t support custom TXT records, consider transferring your domain to a provider that does. Alternatively, use our DNS management system for seamless setup!

### Configuring DKIM for Multiple Domains

If managing multiple domains, modify /etc/opendkim.conf as follows:

Domain *
KeyFile /etc/postfix/dkim.key
Selector dkim
SOCKET inet:8891@localhost

### Testing
Allow time for DNS changes to propagate. Use tools like Mail Tester to verify your SPF and DKIM configurations.