Setting up SPF and DKIM on Postfix to overcome Yahoo/Verizon/Cox DMARC

More and more large companies are implementing more restrictive email policies to fight increasing SPAM. These are mainly DMARC. Such companies include Yahoo, Cox, Verizon, and others.

As this happens, some of your legitimate email may be rejected because email servers are more restrictive.

In order to minimize the probability of your email being rejected, the following describes how to implement Sender Policy Framework (SPF) and DKIM on your already running Postfix mail server.

Prerequisites

Before you start, there are a few assumptions:

1. You have your own domain and run your own mail server.

2. Your server is running on Linux, preferrably Ubuntu or Debian.

3. You are using Postfix for your email server.

Configuring SPF with your correct DNS PTR record

Step 1: Find out your PTR Record

First you need to find out what the DNS PTR name for your server is. This is important because some mail servers will reject email from your server if the PTR returned matches what is in the SPF record. If they do not match, the mail will be rejected.

More info is available under: reverse DNS lookup.

The easiest way is to use the PTR record provided by your host. For example, if you are using Linode, the name will be something like liXXX-YYY.members.linode.com, where XXX and YYY are numbers.

Step 2: Generate an SPF record

The easiest way to generate an SPF record is using the SPF Wizard, then adding the PTR to it by adding:

include:liXXX-YYY.members.linode.com

Step 3: Configure SPF in a TXT record

In your DNS, create a new TXT record as follows, with no host name.

v=spf1 mx a include:_spf.google.com include:liXXX-YYY.members.linode.com ~all

Configuring OpenDKIM with Postfix

The configuration below assumes that you have the Postfix mail server already configured and working.

Step 1: Install the opendkim package

aptitude install opendkim

Step 2: Configure Postfix for opendkim

Edit /etc/postfix/main.cf, and change the following:

myhostname = liXXX-YYY.members.linode.com

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Step 3: Edit the file /etc/mailname

Edit the /etc/mailname file, and put in it the canonical host name, which is the same as the PTR name above: liXXX-YYY.members.linode.com

Step 4: Generate a DKIM key

opendkim-genkey -t -s mail

Step 5: Copy it where opendkim will find it

cp mail.private /etc/opendkim/mail.private

Step 6: Add DKIM to your DNS

First, show the contents of the public DKIM key, so that you can add it in your domain's TXT field

cat mail.txt

Then in your DNS, add another TXT record with name "mail._domainkey" as follows:

v=DKIM1; k=rsa; t=y;
p=...
;

Replace the "..." above with your real public DKIM key.

Restart the services on your host

Finally, restart opendkim and Postfix, and then test your email, and review your logs.

service opendkim restart
service postfix restart

You should see less email being rejected now.

Contents: 

Tags: