Master Email Security: Configure Postfix, DKIM, SPF & DMARC on Plesk

Installation Guide:

  1. How to Configure Postfix, DKIM, and SPF on Ubuntu (With or Without Plesk Onyx)
  2. Step-by-Step: Setting Up DKIM, SPF, and DMARC on Ubuntu with Plesk Onyx
  3. How to Configure SPF (Sender Policy Framework)
  4. Setting Up DMARC and Its Advantages
  5. Create Public and Private Keys with OpenSSL (if necessary)
  6. Guide: Installing and Configuring DKIM in cPanel
  7. How to Run a Server Speed Test from the Command Line
  8. How to Troubleshoot “User Unknown in Virtual Alias Table” Issue

Essential Tools

Recommended DKIM Checkers:

  1. Unlock The Inbox (Highly Recommended)
  2. DKIM Validator
  3. Mail Tester – (User-Friendly Tool)

DNS Diagnostic Tools

  1. LeafDNS – Useful for verifying MX record setups.
  2. Unlock The Inbox DNS Tools – Provides reliable DNS results.

How to Configure Postfix and OpenDKIM on Ubuntu (12.x or newer)

Introduction & Benefits: DKIM (DomainKeys Identified Mail) is a security protocol that allows you to sign your emails electronically, proving their authenticity when sent between different domains.

This setup helps you build a better reputation for your server and improves overall email deliverability by showing the internet your emails are legitimate and protected.

DKIM uses cryptographic public keys, enabling senders to sign their messages in such a way that recipients can confirm the email’s origin and integrity.

Installation Steps

Before beginning, ensure Postfix is installed on your system. If you haven’t installed it yet, visit the official Postfix documentation for the latest instructions.

To begin, install opendkim and its utilities from the main repository:

sudo aptitude install opendkim opendkim-tools

If you’re running Ubuntu 12.04 Precise, you’ll need to install from the backports repository. You can skip this step if you’re using a newer release.

sudo aptitude install opendkim/precise-backports
sudo aptitude install opendkim-tools/precise-backports

Next, open or edit /etc/opendkim.conf. The wildcard in the Domain line signs mail for every domain this server handles; if you restrict it to one domain instead, use your real domain name in place of example.com.

Canonicalization relaxed/simple
Domain    *
KeyFile    /etc/postfix/dkim.key
Selector    dkim
SOCKET    inet:8891@localhost

Edit /etc/default/opendkim and add this line to set the socket:

SOCKET="inet:8891@localhost"

After this, locate the /etc/postfix/main.cf file and append these lines for milter integration:

# DKIM Configuration
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

If you’re running another milter (for example, for the older DomainKeys), you can specify multiple sockets as follows:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

Edit Postfix’s master control file, /etc/postfix/master.cf. Search for this line, and add it if it’s missing:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Then append "no_milters" if you want mail passing through this service to bypass the milters:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Before rebooting services, ensure your configurations in opendkim.conf, master.cf, and main.cf are correct.

Now, you’ll need to generate your DKIM keys. The selector name here is “dkim” as defined in the config. Create a new folder, enter it, then generate your public and private keys:

opendkim-genkey -t -s dkim -d example.com

– Replace "example.com" with your real domain.
– The "dkim" portion is your selector and must match what's set in your config.

You’ll now have two key files in your folder. Move the private key to the postfix directory for added security, and keep safe backups of both keys as needed:

mv dkim.private /etc/postfix/dkim.key

The main configuration work is now complete. Next, restart both the opendkim and postfix services to apply changes:

service opendkim restart
service postfix restart

If you experience any issues on restart, check the Postfix and DKIM log entries with:

grep -i dkim /var/log/mail.log

Finally, add your new DKIM TXT record (dkim._domainkey) with the public key to your domain’s DNS zone at your registrar or DNS provider (such as GoDaddy, 123-reg etc). Make sure all records are in TXT format.

The file dkim.txt contains your public key and the necessary subdomain DNS entry. Access it from your keys folder and copy the details into your DNS manager. Use this command to open the correct folder:

cd /etc/dkimkeys/

The DNS entry will look similar to this:

dkim._domainkey IN  TXT ( "v=DKIM1; k=rsa; t=y; "
"p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" )

And the actual TXT value for your DNS manager will be:

v=DKIM1; k=rsa; t=y; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB

OR

v=DKIM1; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB

Once you’ve configured the key and subdomain TXT records, you can verify that everything is working correctly using the dig command.

dig dkim._domainkey.qureshi.me txt
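As an added example (not part of the original post), the following shell functions do the dkim.txt-to-TXT-value conversion described above and check the record before and after it is published; the sample dkim.txt is constructed, and the private key path is the /etc/postfix/dkim.key KeyFile used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): convert the BIND-style dkim.txt
# written by opendkim-genkey into the single-line TXT value a DNS manager
# expects, check its tags, and confirm the published p= matches the private
# key OpenDKIM actually signs with.

# Constructed sample in the shape of /etc/dkimkeys/dkim.txt; the p= value is a
# placeholder, not a real key.
SAMPLE_DKIM_TXT='dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
 "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" ) ; ----- DKIM key dkim for example.com'

# Join the quoted strings in order, exactly as DNS concatenates a TXT record.
dkim_txt_to_value() {
    printf '%s\n' "$1" | grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the value of one tag (v, k, t, p ...) from a DKIM TXT value.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' ' | sed -n "s/^$2=//p" | head -n 1
}

# 0 when the record is well formed: v=DKIM1, k=rsa (or absent), base64-only p=.
dkim_value_check() {
    [ "$(dkim_tag "$1" v)" = "DKIM1" ] || { echo "missing v=DKIM1" >&2; return 1; }
    k=$(dkim_tag "$1" k); [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "unsupported k=$k" >&2; return 1; }
    p=$(dkim_tag "$1" p)
    [ -n "$p" ] || { echo "empty p= (revoked key?)" >&2; return 1; }
    case "$p" in *[!A-Za-z0-9+/=]*) echo "p= is not base64" >&2; return 1 ;; esac
    return 0
}

# 0 when t=y is set: the key was generated with -t, so verifiers treat it as a
# test record; drop the flag once your signatures validate.
dkim_value_testing() { [ "$(dkim_tag "$1" t)" = "y" ]; }

# 0 when the p= of a record matches the private key file (default is the
# KeyFile from this page). Needs openssl; the DER public key is what p= encodes.
dkim_key_matches() {
    pub=$(openssl rsa -in "${2:-/etc/postfix/dkim.key}" -pubout -outform DER 2>/dev/null | base64 | tr -d '\n')
    [ -n "$pub" ] && [ "$pub" = "$(dkim_tag "$1" p)" ]
}

# Usage: fetch the live record and compare it with the local key, e.g.
#   value=$(dig +short dkim._domainkey.example.com txt | tr -d '"\n')
#   dkim_value_check "$value" && dkim_key_matches "$value" && echo "DNS matches key"
```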

Troubleshooting Steps:

After setting up, it’s a good idea to test your configuration. Send an email to autorespond+dkim[at]dk.elandsys.com or, preferably, [email protected] to check your DKIM signature.

If you notice that the DKIM signature is not present, take a look at your mail logs by running: grep -i dkim /var/log/mail.log

If your logs aren’t showing enough details, increase verbosity by editing your master.cf file. Locate this line:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd

Change it to the following to enable verbose logging:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd -v

Why DKIM Verification Sometimes Fails

DKIM signatures are generated from both the headers and the body of the email. If either of these is altered in any way after being signed—such as by a forwarding server or an extra line break—the DKIM verification will not pass.

References

DomainKeys Identified Mail (DKIM) – RFC 4871
DKIM Author Domain Signing Practices (ADSP) – RFC 5617

You can also use this online validator to check if your emails include the correct DKIM signature.

How to Set Up SPF on Any Linux Distribution

About SPF: It is highly recommended to create a Sender Policy Framework (SPF) record for your domain. An SPF record is a DNS entry specifying which email servers are authorised to send mail from your domain.

SPF protects your domain from being used in forged “From” addresses by spammers.

Without an SPF record, other mail servers might reject messages from your users as they can’t verify whether the emails originate from a permitted source.

How to Add a Sender Policy Framework (SPF) Record

An SPF record should be created as a standard TXT record in DNS. Since BIND version 9.4.0, the SPF RR type (RFC 4408) is also supported, but TXT is most compatible.

TXT: name   ttl   class   TXT   text
SPF: name   ttl   class   SPF   text

If the basic method doesn’t work for you, try formatting like this:

TXT: example.com.   IN   TXT   "description"
SPF: example.com.   IN   TXT   "v=spf1 mx include:example.net -all"

You may use an online SPF Wizard to generate the proper record for your needs.

Copy the generated SPF record into your DNS zone file. Note that the a: mechanism takes a hostname, so an extra IP address belongs in an ip4: mechanism. For example:

qureshi.me.  IN TXT "v=spf1 mx a ip4:12.12.12.12 ip4:34.34.34.34 include:ak.qureshi.me ?all"
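The following shell linter is an added example, not part of the original post: it checks an SPF value before it goes into the zone, using a constructed record in the shape of the wizard output above (with an address given to a: and a neutral ?all) beside a corrected one; the addresses are placeholders and qureshi.me is the domain the page uses.

```shell
#!/bin/sh
# Added example (not from the original post): lint an SPF TXT value before it
# goes into the zone. It checks that a:/mx: carry hostnames and ip4: carries
# addresses, counts the terms that cost a DNS lookup (RFC 7208 caps them at
# 10 per evaluation), and flags a record that ends in ?all, +all or nothing.
# Both sample records are constructed; the addresses are placeholders.

# A record with two common mistakes (an address given to a:, neutral ?all)
# beside the corrected version.
WEAK_SPF='v=spf1 mx a ip4:12.12.12.12 a:34.34.34.34 include:ak.qureshi.me ?all'
FIXED_SPF='v=spf1 mx a ip4:12.12.12.12 ip4:34.34.34.34 include:ak.qureshi.me -all'

# Dotted-quad shape check, enough to catch an address where a hostname belongs.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    [ "$(( $(printf '%s' "$1" | tr -cd '.' | wc -c) ))" -eq 3 ]
}

# Print one problem per line; print nothing and return 0 when the record is clean.
spf_lint() {
    rc=0; lookups=0; tail=""
    set -- $1
    [ "$1" = "v=spf1" ] || { echo "record must start with v=spf1"; rc=1; }
    shift
    for term in "$@"; do
        mech=${term#[-+~?]}                        # drop the qualifier
        case "$mech" in
            all) tail=$term ;;
            ip4:*) addr=${mech#ip4:}
                   is_ipv4 "${addr%%/*}" || { echo "ip4: needs an address: $term"; rc=1; } ;;
            ip6:*|exp=*) ;;
            a:*|mx:*) lookups=$((lookups + 1))
                      is_ipv4 "${mech#*:}" && { echo "${mech%%:*}: takes a hostname; use ip4:${mech#*:}"; rc=1; } ;;
            a|mx|include:*|exists:*|redirect=*|ptr|ptr:*) lookups=$((lookups + 1)) ;;
            *) echo "unknown term: $term"; rc=1 ;;
        esac
    done
    [ "$lookups" -le 10 ] || { echo "$lookups lookup terms; RFC 7208 allows 10"; rc=1; }
    case "$tail" in
        -all|~all) ;;
        "") echo "no all term; append -all (or ~all while testing)"; rc=1 ;;
        *) echo "$tail lets forged mail pass; use -all or ~all"; rc=1 ;;
    esac
    return $rc
}
```

Run `spf_lint "$WEAK_SPF"` to see both findings, then `spf_lint "$FIXED_SPF"` to confirm a clean record exits 0.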

How to Configure DMARC (Domain-based Message Authentication, Reporting & Conformance) and Its Advantages

When a message does not pass SPF or DKIM checks, DMARC tells recipient servers what to do: take no action, quarantine, or reject the message, according to your domain policy.

To create a DMARC record, visit Unlock the Inbox’s DMARC Wizard, fill in your domain and preferences based on your organisation’s policy, then add the resulting TXT entry to your domain’s DNS zone. For example:
_dmarc.qureshi.me. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; rf=afrf; pct=100; ri=86400"


How to setup DKIM, SPF, and DMARC on Ubuntu with Plesk Onyx – Continue to next page
