Both SPF and DKIM has two parts: One is the DNS records for SPF/DKIM serve the purpose of setting your own policy for others to check. The other is to check if the incoming mail message is in accordance with the SPF/DKIM that is set by the admins of the domain from which the message was sent.
Add a txt record to DNS server:
@ TXT 300 v=spf1 a ip4:220.127.116.11/32 include:mydomain.com ~all
Test it by sending an email to email@example.com and will get a report back.
To prevent sender address forgery, we setup The Sender Policy Framework (SPF) on the postfix. When there is an incoming email, postfix will check the SPF record.
yum install perl-Mail-SPF perl-Sys-Hostname-Long
/etc/postfix/master.cf and add the following stanza at the end:
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/sbin/postfix-policyd-spf-perl
(The leading spaces before
user=nobody ... are important so that Postfix knows that this line belongs to the previous one!)
/etc/postfix/main.cf and search for the
smtpd_recipient_restrictions directive. You should have
reject_unauth_destination in that directive, and right after
reject_unauth_destination you add
check_policy_service unix:private/policy like this:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy
policy_time_limit = 3600
Restart MailScanner, send an email from gmail to firstname.lastname@example.org, in header:
Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use 'email@example.com' in 'mfrom' identity (mechanism 'include:_netblocks.google.com' matched)) receiver=szeta; identity=mailfrom; envelope-from="firstname.lastname@example.org"; helo=mail-pa0-f48.google.com; client-ip=18.104.22.168
yum install opendkim
Generate keys for signing
You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail.
You need decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word szeta as my default selector.
mkdir -p /etc/opendkim/keys/mydomain.com
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s szeta
Now we have two files for each domain(the text file is the public key).
chown -R opendkim:opendkim /etc/opendkim/keys/*
Edit four configuration files:
/etc/opendkim.conf(I created a new file)
## opendkim.conf -- configuration file for OpenDKIM filter
Now enable OpenDKIM in Postfix, edit
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Now start services
systemctl enable opendkim
Now that the mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.
Use the public key created above to add a DNS TEXT record to mydomain.com.
$ dig szeta._domainkey.mydomain.com TXT +noall +answer
szeta._domainkey.mydomain.com. 3599 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGYaonAHWmVitTa9p4QRmtjobBRyWflXwCa3akQ87aJ2iT8bg/25/t7dwzOq4nRS9CoW6vu9gVPBS6hWIumRoWFwYfwgUXGWCxMQLr6Nc7wuKnqPOoA6/JTa0s1o0QWiY18k1Rsh8p4/oRQilCEVjvdezRxsIigIEGUlEn9a+xqwIDAQAB"
Restart MailScanner then send email to email@example.com then read the report, also analyse header as well.
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.
To enable DMARC, just add a TXT DNS record. Host name is _dmarc and text value is v=DMARC1; p=none ;rua=mailto:firstname.lastname@example.org
# dig _dmarc.mydomain.com TXT +noall +answer
_dmarc.mydomain.com. 7207 IN TXT "v=DMARC1\;p=none\;rua=mailto:email@example.com"
A final test for the email server can be done at https://www.mail-tester.com/. I got a score of 10/10! -:)