Ubuntu 16: spf, dkim, dmarc

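DNS entries (values in <> are placeholders for data missing from this page):
<domain> TXT "v=spf1 ip4:<mail-server-ip> ~all"
default._domainkey TXT "v=DKIM1;k=rsa;" "part I" "part II"
_dmarc TXT v=DMARC1; p=none; pct=100;
Note: ~all is an SPF softfail and p=none is DMARC monitoring only, so receivers are not asked to quarantine or reject mail that fails the checks; tighten both once the reports show legitimate mail passing.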

DNS Type SPF use has been removed in the standards track version of SPF, RFC 7208. Your DNS Type SPF record should be republished as Type TXT instead.

dig txt <domain>


sudo apt install postfix-policyd-spf-python
sudo vim /etc/postfix/master.cf
policyd-spf  unix  -    n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf

sudo vim /etc/postfix/main.cf
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf


sudo apt install opendkim opendkim-tools
sudo gpasswd -a postfix opendkim

sudo vim /etc/opendkim.conf
Canonicalization relaxed/simple
Mode sv
SubDomains no
#ADSPAction continue
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256

#OpenDKIM user
#Remember to add user postfix to group opendkim (done above with gpasswd) so Postfix can reach the milter socket
UserID opendkim

#Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table

#Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts

#A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

sudo vim /etc/opendkim/signing.table

sudo vim /etc/opendkim/key.table

sudo vim /etc/opendkim/trusted.hosts
sudo mkdir /etc/opendkim/keys/
sudo opendkim-genkey -b 2048 -d <domain> -D /etc/opendkim/keys/ -s default -v

sudo chown opendkim:opendkim /etc/opendkim/keys/

sudo cat /etc/opendkim/keys/
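Copy the public key to DNS and test. Only the public TXT record written by opendkim-genkey goes into DNS; the private key stays on the server and should be readable by the opendkim user only. Important note: separate strings with a single space, e.g. "v=DKIM1;k=rsa;" "part I" "part II"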

sudo opendkim-testkey -d <domain> -s default -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key ''
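opendkim-testkey: key not secure
opendkim-testkey: key OK
Note: "key not secure" means the DNS answer for the key record was not DNSSEC-validated; the key itself matched ("key OK"). The message goes away only when the zone is DNSSEC-signed and the resolver validates it.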


sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim

sudo vim /etc/opendkim.conf
Socket local:/var/spool/postfix/opendkim/opendkim.sock

sudo vim /etc/default/opendkim

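sudo vim /etc/postfix/main.cf
# Milter configuration. milter_default_action = accept fails open: if the OpenDKIM milter is unreachable, mail is still accepted and sent, unsigned and unverified, so monitor the opendkim service.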
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters


sudo apt install opendmarc
sudo useradd -m -G mail -s /bin/bash dmarc-reports

DMARC record for
	Sample percentage: 100
	DKIM alignment: relaxed
	SPF alignment: relaxed
	Domain policy: none
	Subdomain policy: unspecified
	Aggregate report URIs:
	Forensic report URIs: (none)

