Part 14. Configuring DNS for the mail server: SPF, DKIM, DMARC



For the mail server to operate correctly, its DNS must be configured correctly.

At a minimum, our domain zone must contain an MX record. It is also desirable to create a reverse (PTR) record and SPF, DKIM and DMARC records.


Basic DNS settings

For other servers to know that our server accepts mail for our domain, the following must be created in the zone description:

  1. Create an A record for our server (forward zone).
  2. Create an MX record specifying a priority and our domain name.
  3. Send a request to the provider, hoster, or other entity that gave us the IP address, asking them to create a reverse zone entry (PTR record) for our IP address with the name from the forward zone.

Configuring SPF

An SPF record is a DNS record that specifies which servers may send email on behalf of our domain.

SPF is a TXT record in the DNS zone settings. For example:

"v=spf1 +a +mx ~all"

Explanation of the contents of the record:

  • + allowed (pass)

  • - forbidden (fail)

  • ~ soft fail: the message is accepted, but it is marked as suspicious

  • v=spf1 use record version 1

  • +a mail may be sent from the address in the domain's A record (that is, from the primary address of the domain)

  • +mx mail may be sent from the servers listed in the MX records (that is, the mail servers of the given domain)

  • +a:host mail may be sent from the named host (a host in another domain may be specified)

  • ~all mail from all other hosts is still accepted, but its trustworthiness is reduced.


Configuring DKIM

DKIM is a digital signature that the mail server inserts into each message, computed with its private (RSA) key. The public key is published in DNS, and the recipient's server checks the validity of the sender using the public key and the digital signature.


Configuring DKIM on the Postfix server

Let's install the necessary programs:

#apt install opendkim opendkim-tools


Next, create the directory /etc/mail and change into it. There, generate the keys with the command
opendkim-genkey -t -s mail -d study.local


mail is the so-called key selector (name), an arbitrary value

study.local — the domain for which we create a pair of keys


As a result of the command, two files appear in the /etc/mail folder, mail.txt and mail.private; these are the keys (mail.private is the private key, mail.txt holds the public key in DNS record form).


Next, edit the file /etc/default/opendkim

We will add a line to it


here we specify the socket on which opendkim will listen for connections.


The /etc/opendkim.conf file must look as follows:

Syslog yes
UMask 002
# domain name to be signed and verified
Domain study.local
KeyFile /etc/mail/mail.private
# key selector that was given when generating the key
Selector mail
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
X-Header no
OversignHeaders From
# dkim statistics file
Statistics /var/log/dkim-filter/dkim-stats



Add the following lines to the end of the file /etc/postfix/

# the socket must match the one set in /etc/default/opendkim
# (Postfix does not allow comments after a value on the same line)
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


Configure DKIM in DNS

In the DNS for our domain, add a new TXT record named mail._domainkey. The value of this record is the content of the file /etc/mail/mail.txt, that is, the public key for our domain.

For a bind9 zone description file, for example, this line will look like this:

mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA5GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhL5g8W+AVPOgiiZyPdayinqMwCasbDh06K9Ixy5D575iYWQZYMGyzlDlUIJLqLDBBCFxRRs36tb4p/EY0OkmyHNisK/Y4cB/joVnQmK/7XVwkQt1GVNuzodRjcQPXGFx5VEaQi7+O54gEF2eOEyGt/FPWG882AFAFpkrJekuiawIDAQAB" )


Now we need to restart Postfix, and after some time, once the DNS records have propagated, messages from our server can be verified with DKIM.
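As an added example (not code from the original article), the Python snippet below takes the mail.txt that opendkim-genkey writes, joins its quoted strings into the single TXT value that most DNS web panels expect, and checks the published tags, including the t=y flag that the -t option used above sets (verifiers then treat the key as still in testing). The file content is a constructed sample and its key material is truncated.

```python
import base64
import re

# Constructed sample in the format opendkim-genkey writes to mail.txt; the key
# material is a truncated, illustrative value, not a usable public key.
MAIL_TXT = ('mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; t=y; "\n'
            '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQAB" )'
            '  ; ----- DKIM key mail for study.local\n')
# DER encoding of the rsaEncryption OID, present in every RSA SubjectPublicKeyInfo
RSA_OID = bytes.fromhex("2a864886f70d010101")


def flatten_dkim_record(zone_text):
    """Return (owner, value): the quoted strings of the TXT record joined into
    one string, which is what most DNS web panels expect in the value field."""
    owner = zone_text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', zone_text))
    return owner, value


def check_dkim_record(value):
    """Return a list of problems with a DKIM public-key TXT value (empty = OK)."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", value)}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if not der:
        problems.append("p= is empty, which revokes the key")
    elif tags.get("k", "rsa") == "rsa" and RSA_OID not in der:
        problems.append("p= does not contain an RSA public key")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: testing mode, remove the flag once signing works")
    return problems
```

Once signing is confirmed to work, regenerate the record without -t (or drop the t=y tag) so that receivers enforce the signature.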


Configuring DMARC

After creating the SPF and DKIM records, we must configure the DMARC check by adding a rule to DNS as a TXT record.

DMARC specifies the policy for checking mail in the domain and what to do if a message fails the SPF or DKIM check.

The basic DMARC record looks like this: _dmarc IN TXT "v=DMARC1; p=<policy>"


p (policy) may be:

  • none - take no special action; everything is left to the discretion of the receiving mail server;

  • quarantine - send to spam;

  • reject - do not accept the message.


But this setting is only appropriate for a single server. A better policy, which takes into account subdomains from which mail may be sent and gives access to reports, looks like this:

_dmarc.study.local IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:postmaster@study.local"

sp (subdomain policy) may take the same values as the policy;

rua (reporting URI for aggregate reports) specifies a mailbox, in the form mailto:mbox@study.local, to which aggregate reports are sent in XML format once a day.
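An added example, not from the original article: a small Python checker for the SPF and DMARC records described in this part, run over constructed records modelled on the ones above. Beyond what the text covers, it also counts the lookup-causing SPF terms (RFC 7208 allows at most 10) and flags +all, which would let any host send as the domain.

```python
import re

# Constructed sample records modelled on the ones in this article.
SPF_TXT = '"v=spf1 +a +mx ~all"'
DMARC_TXT = '"v=DMARC1; p=none; sp=none; rua=mailto:postmaster@study.local"'

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
POLICIES = ("none", "quarantine", "reject")


def join_txt(record):
    """Join the quoted strings of a zone-file TXT value into one string."""
    return "".join(re.findall(r'"([^"]*)"', record))


def check_spf(record):
    """Return a list of problems with an SPF record (empty list means OK)."""
    terms = join_txt(record).split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    # strip the qualifier and any ':domain' or '=domain' argument to get the term name
    names = [t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0] for t in terms[1:]]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("more than 10 DNS lookups, receivers return permerror")
    last = terms[-1]
    if last.lstrip("+-~?") != "all" and not last.startswith("redirect="):
        problems.append("record should end with an all mechanism")
    elif last in ("all", "+all"):
        problems.append("+all lets any host send as the domain")
    return problems


def check_dmarc(record):
    """Return a list of problems with a DMARC record (empty list means OK)."""
    value = join_txt(record)
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", value)}
    problems = []
    if not value.startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be one of none, quarantine, reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be one of none, quarantine, reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, aggregate reports will not arrive")
    return problems
```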

