Part 14. DNS configuring for the mail server. SPF, DKIM, DMARC
- Category: Mail Server
- Published: Monday, 09 September 2019 14:14
- Written by Super User
- Hits: 2171
For correct operation of the mail server requires correct DNS configuration.
In our domain zone, at least, we must have MX records. It is also desirable to create the reverse record, SPF, DKIM and DMARC
Basic DNS settings
In order for other servers to know that our server is accepting mail for our domain, the following settings must be created in the zone description:
- Create an A record for our server (forward zone)
- Create MX record specifying priority and with our domain name
- Send request to the provider, hoster, or other entity that provided us with an IP address, requesting to provide a reverse zone (PTR-record) for our IP address with the name from the forward zone.
SPF record — this is a DNS record that specifies what servers can send emails on behalf of the our domain.
SPF — this is a TXT record that is in the DNS zone settings. For example:
"v = spf1 +a + mx +a:mail.study.local ~all"
Explanation of the contents of the record:
+ is allowed
- is forbidden
v = spf1 use record version 1
+a You can send mail from A record (that is, from the primary address of the domain)
+mx you can send mail from the servers for which the MX is registered (that is, the mail servers of the given domain)
+a:mail.study.local You can send mail from the host mail.study.local (you can specify a host from another domain)
~all it is possible to receive mail from other hosts, but the credibility of the system will be reduced.
DKIM - This is a digital signature that the mail server inserts into each letter based on the private openpgp key. The public key is stored on the DNS and the recipient's server checks the validity of the sender based on the public key and digital signature.
Configuring DKIM on the Postfix server
Let’s install the necessary programs
#apt install opendkim opendkim-tools
Next, create a directory /etc/mail and switch to it. There, we generate keys with the command
opendkim-genkey -t -s mail -d study.local
mail — this is so-called key selector (name) an arbitrary value
study.local — the domain for which we create a pair of keys
As a result of the command in the /etc/mail folder, two mail.txt and mail.private files will appear - these are the keys.
Next, edit the file /etc/default/opendkim
We will enter a line in it
here we indicate where the opendkim will listen connections.
The /etc/opendkim.conf file must be as follows
Domain study.local # domain name to be verified
Selector mail #key selector that was defined with generating a key
Statistics /var/log/dkim-filter/dkim-stats # dkim log file
Add a lines to the end of the file /etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891 # The string should match the string in
non_smtpd_milters = inet:localhost:8891 # The string should match the string in
Configure DKIM in DNS
In the DNS for our domain, add a new TXT record with name mail._domainkey. The value of this entry is the content of the file /etc/mail/mail.txt, that is, the public key for our domain.
For a bind9 zone description file, for example, this line will look like this:
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA5GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhL5g8W+AVPOgiiZyPdayinqMwCasbDh06K9Ixy5D575iYWQZYMGyzlDlUIJLqLDBBCFxRRs36tb4p/EY0OkmyHNisK/Y4cB/joVnQmK/7XVwkQt1GVNuzodRjcQPXGFx5VEaQi7+O54gEF2eOEyGt/FPWG882AFAFpkrJekuiawIDAQAB" )
Now we need to restart Postfix and after some time, when DNS records are updated, messages from our server can be checked through DKIM.
After creating the SPF and DKIM records, you must configure the DMARC check by adding the rule in the DNS as a TXT record.
DMARC specifies a policy for checking mail in the domain and what to do if the message does not pass the SPF or DKIM check.
The DMARC base record looks like this:
_dmarc.study.local IN TXT "v = DMARC1; p =;"
p - policy - policy may be:
none - Do not take any special actions, everything at the discretion of the mail server;
quarantine - send to spam;
reject - do not accept the message.
But this setting is only appropriate for a single server. A better policy that takes into account the presence of sub-domains from which mail can be sent and gives access to reports looks like this:
IN TXT "v=DMARC1; p=none; sp=none;
sp - subdomain policy - can take the same values as the policy;
rua - reporting URI for aggregate reports - Specifies the mailing address in format mailto:mbox@ study.local on which reports will come in XML-format every day
You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store
You can buy the book
"Mail server based on Postfix,
Dovecot and RoundCube"
in electronic form in the store