Introduction
SPF (Sender Policy Framework) is a DNS TXT record that specifies which servers are authorized to send email on behalf of a domain. Because SPF lives in DNS, it is authoritative for the domain: only the domain's administrators can modify it. When an email is received, the receiving mail server takes the HELO/EHLO hostname and the envelope sender (MAIL FROM) address, performs a TXT DNS query for the domain's SPF record, and checks the connecting server's IP address against that record. If the check fails, the receiving server can reject the message; what it actually does depends on the policy stated in the record and on the receiver's own settings.
DKIM (DomainKeys Identified Mail) is a method for verifying the integrity of email content, ensuring it has not been altered since it left the sender's server, and for tying the message to the signing domain. DKIM uses a public/private key signing process. The domain owner publishes the public DKIM key in a DNS TXT record under a selector name, which recipients use to verify the DKIM signature on incoming messages. The sending server signs outgoing messages with its private key, adding a "DKIM-Signature" header. The receiving server queries DNS for the selector's public key and validates the signature, which helps it decide whether the message is trustworthy.
Setting Up SPF
To set up SPF, add a TXT record to your domain's DNS zone. This can be done through your domain registrar's interface or your own nameservers. Use the following generic SPF record to authorize mail from servers identified by MX records and A records associated with your domain:
Ensure the record is enclosed in double quotes. More complex SPF records can be configured based on specific needs as detailed in SPF documentation.
Setting Up DKIM
Setting up DKIM involves a few more steps than SPF but is manageable, especially on an Ubuntu server running Postfix. Here’s how to do it:
1. **Install Required Packages:**
> apt-get install opendkim opendkim-tools -y
2. **Configure OpenDKIM:**
Edit the OpenDKIM configuration file:
> nano /etc/opendkim.conf
Add the following lines:
> Domain your_domain
> KeyFile /etc/postfix/dkim.key
> Selector dkim
> SOCKET inet:8891@localhost
Then, edit the OpenDKIM defaults file:
> nano /etc/default/opendkim
Add:
> SOCKET="inet:8891@localhost"
3. **Configure Postfix to Use DKIM:**
Open the Postfix configuration file:
> nano /etc/postfix/main.cf
Ensure these lines are present and uncommented:
> milter_protocol = 2
> milter_default_action = accept
If you are using other milters (e.g., SpamAssassin, ClamAV), append the OpenDKIM milter to the existing list:
> smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891
> non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891
If the milter parameters are missing, add them:
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = inet:localhost:8891
**Generating the Public and Private Keys**
To generate a private key for signing outgoing mail, use the command below. The `dkim` value is the Selector from `/etc/opendkim.conf`; it can be any string, as long as you use the same value consistently. The `-t` flag marks the published key as being in testing mode (a `t=y` tag in the DNS record), so receivers will validate the signature but not treat a failure as a hard error. This command creates two files: `dkim.private` (the RSA private key) and `dkim.txt` (the public key entry for DNS).
> opendkim-genkey -t -s dkim -d your_domain
Move the private key to the Postfix directory and ensure you back it up securely:
> mv dkim.private /etc/postfix/dkim.key
Restart Postfix and OpenDKIM services to apply the configuration changes and enable DKIM signing for outgoing mail:
> service opendkim start
> service postfix restart
**Adding the Public Key to Your Domain's DNS Records**
Next, you need to add the DKIM public key to your DNS records. The method to do this depends on how you manage your DNS. Some registrars may not support creating TXT records with specific subdomains, which could require transferring your domain to a registrar with more flexible [DNS management](https://www.vpssell.com/knowledgebase).
To find your public key, check the `dkim.txt` file:
> cat dkim.txt
Here is how it looks on our DNS management system:
[Screenshot: the DKIM TXT record (name `dkim._domainkey`, value from `dkim.txt`) as entered in our DNS management panel]
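`opendkim-genkey` writes `dkim.txt` in BIND zone-file layout, with the value split into several double-quoted chunks, and many DNS panels only accept the record name and one joined string. The following added example (not part of the original post or of OpenDKIM) parses that file into the name/value pair a panel expects and flags the `t=y` testing tag that the `-t` flag adds; the file contents and the `p=` value are constructed placeholders, not a real key.

```python
# Added example: turn opendkim-genkey's dkim.txt into a DNS-panel-ready
# record and sanity-check its tags before publishing it.
import base64
import re

# Constructed sample in the layout opendkim-genkey produces; the p= value
# is a placeholder, not a real RSA public key.
SAMPLE_DKIM_TXT = (
    'dkim._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
    '\t  "p=TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE=" )'
    '  ; ----- DKIM key dkim for example.com\n'
)


def parse_dkim_txt(text):
    """Return (record_name, joined_value, tags) from a dkim.txt file."""
    name = text.split()[0]  # first token is the record name, e.g. dkim._domainkey
    # DNS panels want a single string: join every quoted chunk in order.
    value = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return name, value, tags


def check_dkim_record(tags):
    """Return a list of problems; an empty list means the record is ready to publish."""
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type in k= tag")
    try:
        base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    if not tags.get("p"):
        problems.append("p= public key is empty")
    if "y" in tags.get("t", ""):
        problems.append("t=y: key is in testing mode; drop -t and re-publish once verified")
    return problems


if __name__ == "__main__":
    record_name, record_value, record_tags = parse_dkim_txt(SAMPLE_DKIM_TXT)
    print(record_name, "TXT", record_value)
    for problem in check_dkim_record(record_tags):
        print("warning:", problem)
```

Run it against the real `dkim.txt` by replacing `SAMPLE_DKIM_TXT` with the file's contents; the printed name and value are what to paste into the DNS panel.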
**Sharing a DKIM Key for Multiple Domains**
If you need to use the same DKIM key for multiple domains on a single mail server, update the `/etc/opendkim.conf` file as follows:
> nano /etc/opendkim.conf
Change the configuration from:
> Domain your_domain
> KeyFile /etc/postfix/dkim.key
> Selector dkim
> SOCKET inet:8891@localhost
To:
> Domain *
> KeyFile /etc/postfix/dkim.key
> Selector dkim
> SOCKET inet:8891@localhost
**Testing**
Allow some time for DNS changes to propagate. For testing your DKIM setup, [Mail Tester](https://www.mail-tester.com/spf-dkim-check) is a reliable tool to verify if everything is configured correctly.