
Configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your email server – Postfix in Ubuntu

To configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your email server, follow these steps:


1. Configure SPF Record

SPF allows you to specify which mail servers are authorized to send email for your domain.

Step 1.1: Add an SPF Record

You need to create a DNS TXT record for your domain. This record specifies which servers can send emails on behalf of your domain.

Example:

Your SPF record would look like this:

v=spf1 ip4:YOUR_PUBLIC_IP -all

  • v=spf1: Indicates the version of SPF.
  • ip4:YOUR_PUBLIC_IP: Specifies the authorized server’s IP address.
  • -all: Indicates that all other servers are unauthorized.

Add this record to your DNS zone file:

  1. Log in to your DNS management console.
  2. Add a new TXT record:
    • Name: @ (or your domain name portalapp.link).
    • Value: v=spf1 ip4:YOUR_PUBLIC_IP -all.
    • TTL: 3600 seconds (or default).
  3. Save the changes.

Step 1.2: Verify the SPF Record

Use an online SPF checker or run the following command to verify:

You should see your SPF record in the output.


2. Configure DKIM

DKIM uses cryptographic signatures to verify that emails have not been altered.

Step 2.1: Generate DKIM Keys

Use the opendkim package to generate DKIM keys.

  1. Install opendkim:

    sudo apt install opendkim opendkim-tools

  2. Generate a Key Pair: Replace default with a selector name of your choice.

    sudo opendkim-genkey -t -s default -d YOUR_DOMAIN_NAME

    This will generate two files:

    • default.private: Your private key (used by the server).
    • default.txt: The public key (added to your DNS).
  3. Move the Private Key: Move the private key to a secure location (e.g., /etc/opendkim/keys):

    sudo mkdir -p /etc/opendkim/keys
    sudo mv default.private /etc/opendkim/keys/
    sudo chmod 600 /etc/opendkim/keys/default.private

Step 2.2: Configure OpenDKIM

Edit the OpenDKIM configuration files.

  1. Edit /etc/opendkim.conf: Add or modify the following lines:

    AutoRestart Yes
    AutoRestartRate 10/1h
    Umask 002
    Syslog yes
    LogWhy yes
    Canonicalization relaxed/simple
    Domain YOUR_DOMAIN_NAME
    Selector default
    KeyFile /etc/opendkim/keys/default.private
    Socket inet:12345@localhost

  2. Edit /etc/default/opendkim: Uncomment or set the following line to match the socket in opendkim.conf:

    SOCKET="inet:12345@localhost"

  3. Restart OpenDKIM:

    sudo systemctl restart opendkim

Step 2.3: Add DKIM Record to DNS

  1. Open the default.txt file created earlier:

    It will look something like this:

    default._domainkey.YOUR_DOMAIN_NAME. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANB..."

  2. Add a DNS TXT record:
    • Name: default._domainkey (that is, default._domainkey.YOUR_DOMAIN_NAME).
    • Value: Paste the entire value from default.txt.
    • TTL: 3600.
  3. Save the changes.

3. Test SPF and DKIM

After updating DNS records, verify SPF and DKIM using online tools.


4. Optional: Configure DMARC

DMARC tells receiving mail servers how to handle email from your domain that passes neither the SPF nor the DKIM check for the domain in the From: address.

  1. Add a DNS TXT record for DMARC:
    • Name: _dmarc (that is, _dmarc.YOUR_DOMAIN_NAME).
    • Value:
      v=DMARC1; p=quarantine; rua=mailto:postmaster@YOUR_DOMAIN_NAME; ruf=mailto:postmaster@YOUR_DOMAIN_NAME
    • TTL: 3600.
  2. Save the changes.
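
An offline check for the three TXT values configured above, added here as an example (it is not part of the original post). The function names are hypothetical, and 203.0.113.10, example.com and the key text are constructed placeholders. It also flags the t=y test flag that opendkim-genkey -t writes into the DKIM record.

```python
import re

def zone_txt_value(zone_text):  # join the quoted chunks of a default.txt entry
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def parse_tags(record):
    """Parse a DKIM/DMARC 'tag=value; tag=value' list into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip(): "".join(value.split()) for key, value in pairs}

def lint_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' term: unlisted hosts never get an SPF fail"]
    if terms[-1] != alls[0]:
        return ["terms after 'all' are never evaluated"]
    if not alls[0].startswith("-"):
        return [f"'{alls[0]}' does not fail unlisted hosts (the guide uses -all)"]
    return []

def lint_dkim(record):
    tags, issues = parse_tags(record), []
    if not tags.get("p"):
        issues.append("p= is empty or missing: no usable public key")
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y: test mode, as written by opendkim-genkey -t")
    return issues

def lint_dmarc(record):
    tags, issues = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        issues.append("v=DMARC1 tag is missing")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua=: no address for aggregate reports")
    return issues

# Constructed sample records: the IP, domain and key text are placeholders.
SPF = "v=spf1 ip4:203.0.113.10 -all"
DEFAULT_TXT = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
    "p=MIIBIjANB" "CONSTRUCTEDKEYSTUB" ) ; constructed default.txt'''
DMARC = "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"

if __name__ == "__main__":
    print(lint_spf(SPF), lint_dkim(zone_txt_value(DEFAULT_TXT)), lint_dmarc(DMARC))
```

An empty list means no findings. Pass in the strings your DNS lookup returns to check what is actually published.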

5. Restart Postfix

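Postfix passes mail to OpenDKIM for signing only if the smtpd_milters and non_smtpd_milters settings in /etc/postfix/main.cf point at the socket from Step 2.2 (port 12345 on localhost). Finally, restart Postfix to apply all changes: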

sudo systemctl restart postfix

Your server should now be configured to send emails with SPF, DKIM, and optionally DMARC validation. Let me know if you encounter any issues!