Configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your email server – Postfix in Ubuntu

Leave a reply

To configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your email server, follow these steps:

1. Configure SPF Record

SPF allows you to specify which mail servers are authorized to send email for your domain.

Step 1.1: Add an SPF Record

You need to create a DNS TXT record for your domain. This record specifies which servers can send emails on behalf of your domain.

Example:

Your SPF record would look like this:

Copy Code 


v=spf1 ip4:YOUR_PUBLIC_IP -all

  • v=spf1: Indicates the version of SPF.
  • ip4:YOUR_PUBLIC_IP: Specifies the authorized server’s IP address.
  • -all: Indicates that all other servers are unauthorized.

Add this record to your DNS zone file:

  1. Log in to your DNS management console.
  2. Add a new TXT record:
    • Name: @ (or your domain name portalapp.link).
    • Value: v=spf1 ip4:YOUR_PUBLIC_IP -all.
    • TTL: 3600 seconds (or default).
  3. Save the changes.

Step 1.2: Verify the SPF Record

Use an online SPF checker or run the following command to verify:

Copy Code 


dig TXT YOUR_DOMAIN_NAME

You should see your SPF record in the output.

2. Configure DKIM

DKIM uses cryptographic signatures to verify that emails have not been altered.

Step 2.1: Generate DKIM Keys

Use the opendkim package to generate DKIM keys.

  1. Install opendkim:
    Copy Code 
    

    sudo apt install opendkim opendkim-tools

  2. Generate a Key Pair: Replace default with a selector name of your choice.
    Copy Code 
    

    sudo opendkim-genkey -t -s default -d YOUR_DOMAIN_NAME

    This will generate two files:

    • default.private: Your private key (used by the server).
    • default.txt: The public key (added to your DNS).
  3. Move the Private Key: Move the private key to a secure location (e.g., /etc/opendkim/keys):
    Copy Code 
    

    sudo mkdir -p /etc/opendkim/keys sudo mv default.private /etc/opendkim/keys/ sudo chmod 600 /etc/opendkim/keys/default.private

Step 2.2: Configure OpenDKIM

Edit the OpenDKIM configuration files.

  1. Edit /etc/opendkim.conf: Add or modify the following lines:
    Copy Code 
    

    AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog yes
LogWhy yes
Canonicalization relaxed/simple
Domain YOUR_DOMAIN_NAME
Selector default
KeyFile /etc/opendkim/keys/default.private
Socket inet:12345@localhost

  2. Edit /etc/default/opendkim: Uncomment or set the following line to match the socket in opendkim.conf:
    Copy Code 
    

    SOCKET="inet:12345@localhost"

  3. Restart OpenDKIM:
    Copy Code 
    

    sudo systemctl restart opendkim

Step 2.3: Add DKIM Record to DNS

  1. Open the default.txt file created earlier:
    Copy Code 
    

    cat default.txt

    It will look something like this:

    Copy Code 
    

    default._domainkey.YOUR_DOMAIN_NAME. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANB..."

  2. Add a DNS TXT record:
    • Name: default._domainkey.
    • Value: Paste the entire value from default.txt.
    • TTL: 3600.
  3. Save the changes.

3. Test SPF and DKIM

After updating DNS records, verify SPF and DKIM using online tools:

4. Optional: Configure DMARC

DMARC allows you to specify how mail servers handle emails failing SPF or DKIM checks.

  1. Add a DNS TXT record for DMARC:
    • Name: _dmarc.
    • Value:
      v=DMARC1; p=quarantine; rua=mailto:postmaster@YOUR_DOMAIN_NAME; ruf=mailto:postmaster@YOUR_DOMAIN_NAME
    • TTL: 3600.
  2. Save the changes.

5. Restart Postfix

Finally, restart Postfix to apply all changes:

Copy Code 


sudo systemctl restart postfix

Your server should now be configured to send emails with SPF, DKIM, and optionally DMARC validation. Let me know if you encounter any issues!

Leave a Reply

Your email address will not be published. Required fields are marked *