Ubuntu 16: spf, dkim, dmarc


DNS Entries

hensler.net TXT "v=spf1 ip4: ~all"
default._domainkey.hensler.net. TXT "v=DKIM1;k=rsa;" "part I" "part II"
_dmarc TXT v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@hensler.net

DNS Type SPF use has been removed in the standards track version of SPF, RFC 7208. Your DNS Type SPF record should be republished as Type TXT instead.

dig hensler.net txt


sudo apt install postfix-policyd-spf-python
sudo vim /etc/postfix/master.cf
policyd-spf  unix  -    n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf

sudo vim /etc/postfix/main.cf
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf


sudo apt install opendkim opendkim-tools
sudo gpasswd -a postfix opendkim

sudo vim /etc/opendkim.conf
Canonicalization relaxed/simple
Mode sv
SubDomains no
#ADSPAction continue
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256

#OpenDKIM user
Remember to add user postfix to group opendkim
UserID opendkim

#Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table

#Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts

#A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

sudo vim /etc/opendkim/signing.table
*@hensler.net default._domainkey.hensler.net

sudo vim /etc/opendkim/key.table
default._domainkey.hensler.net hensler.net:default:/etc/opendkim/keys/hensler.net/default.private

sudo vim /etc/opendkim/trusted.hosts
sudo mkdir /etc/opendkim/keys/hensler.net
sudo opendkim-genkey -b 2048 -d hensler.net -D /etc/opendkim/keys/hensler.net -s default -v

sudo chown opendkim:opendkim /etc/opendkim/keys/hensler.net/default.private

sudo cat /etc/opendkim/keys/hensler.net/default.txt
Copy public key to DNS and test; Important note: separate strings with a single space, e.g. "v=DKIM1;k=rsa;" "part I" "part II"

sudo opendkim-testkey -d hensler.net -s default -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.hensler.net'
opendkim-testkey: key not secure
opendkim-testkey: key OK


sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim

sudo vim /etc/opendkim.conf
Socket local:/var/spool/postfix/opendkim/opendkim.sock

sudo vim /etc/default/opendkim

sudo vim /etc/postfix/main.cf
Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters


sudo apt install opendmarc
sudo useradd -m -G mail -s /bin/bash dmarc-reports

opendmarc-check hensler.net
DMARC record for hensler.net:
	Sample percentage: 100
	DKIM alignment: relaxed
	SPF alignment: relaxed
	Domain policy: none
	Subdomain policy: unspecified
	Aggregate report URIs: mailto:dmarc-reports@hensler.net
	Forensic report URIs: (none)

Leave a Reply

Your email address will not be published. Required fields are marked *