Master Email Security: Configure Postfix, DKIM, SPF & DMARC on Plesk
Installation Guide:
- How to Configure Postfix, DKIM, and SPF on Ubuntu (With or Without Plesk Onyx)
- Step-by-Step: Setting Up DKIM, SPF, and DMARC on Ubuntu with Plesk Onyx
- How to Configure SPF (Sender Policy Framework)
- Setting Up DMARC and Its Advantages
- Create Public and Private Keys with OpenSSL (if necessary)
- Guide: Installing and Configuring DKIM in cPanel
- How to Run a Server Speed Test from the Command Line
- How to Troubleshoot “User Unknown in Virtual Alias Table” Issue
Essential Tools
Recommended DKIM Checkers:
- Unlock The Inbox (Highly Recommended)
- DKIM Validator
- Mail Tester – (User-Friendly Tool)
DNS Diagnostic Tools
- LeafDNS – Useful for verifying MX record setups.
- Unlock The Inbox DNS Tools – Provides reliable DNS results.
How to Configure Postfix and OpenDKIM on Ubuntu (12.x or newer)
Introduction & Benefits: DKIM (DomainKeys Identified Mail) is a security protocol that allows you to sign your emails electronically, proving their authenticity when sent between different domains.
This setup helps you build a better reputation for your server and improves overall email deliverability by showing the internet your emails are legitimate and protected.
DKIM uses public-key cryptography: the sending server signs each message with a private key, and recipients fetch the matching public key from the sending domain’s DNS to confirm the message’s origin and integrity.
Installation Steps
Before beginning, ensure Postfix is installed on your system. If you haven’t installed it yet, visit the official Postfix documentation for the latest instructions.
To begin, install opendkim and its utilities from the main repository:
sudo aptitude install opendkim opendkim-tools
If you’re running Ubuntu 12.04 Precise, you’ll need to install from the backports repository. You can skip this step if you’re using a newer release.
sudo aptitude install opendkim/precise-backports
sudo aptitude install opendkim-tools/precise-backports
Next, open or edit /etc/opendkim.conf and set the following (wherever example.com appears in this guide, substitute your real domain name):
Canonicalization relaxed/simple
Domain *
KeyFile /etc/postfix/dkim.key
Selector dkim
SOCKET inet:8891@localhost
Edit /etc/default/opendkim and add this line to set the socket:
SOCKET="inet:8891@localhost"
After this, locate the /etc/postfix/main.cf file and append these lines for milter integration:
# DKIM Configuration
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
If you’re running another milter (for example, for the older DomainKeys), you can specify multiple sockets as follows:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
Edit Postfix’s master control file, /etc/postfix/master.cf. Search for this line, and add it if it’s missing:
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Then append “no_milters” if you want to exclude milters from this process:
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Before restarting the services, double-check that your edits to opendkim.conf, master.cf, and main.cf are correct.
Now, you’ll need to generate your DKIM keys. The selector name here is “dkim” as defined in the config. Create a new folder, enter it, then generate your public and private keys:
opendkim-genkey -t -s dkim -d example.com
- Replace “example.com” with your real domain.
- The “dkim” portion is your selector and must match what’s set in your config.
You’ll now have two key files in your folder. Move the private key to the postfix directory for added security, and keep safe backups of both keys as needed:
mv dkim.private /etc/postfix/dkim.key
The main configuration work is now complete. Next, restart both the opendkim and postfix services to apply changes:
service opendkim start
service postfix restart
If you experience any issues on restart, check the Postfix and DKIM log entries with:
grep -i dkim /var/log/mail.log
Finally, add your new DKIM TXT record (dkim._domainkey) containing the public key to your domain’s DNS zone at your registrar or DNS provider (GoDaddy, 123-reg, etc.). Make sure the records are created as TXT records.
The file dkim.txt contains your public key and the necessary subdomain DNS entry. Access it from your keys folder and copy the details into your DNS manager. Use this command to open the correct folder:
cd /etc/dkimkeys/
The DNS entry will look similar to this:
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
  "p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" )
And the actual TXT value for your DNS manager will be:
v=DKIM1; k=rsa; t=y; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB
or simply:
v=DKIM1; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB
Once you’ve configured the key and subdomain TXT records, you can verify that everything is working correctly using the dig command.
dig dkim._domainkey.qureshi.me txt
Troubleshooting Steps:
After setting up, it’s a good idea to test your configuration. Send an email to autorespond+dkim[at]dk.elandsys.com or, preferably, [email protected] to check your DKIM signature.
If you notice that the DKIM signature is not present, take a look at your mail logs by running:
grep -i dkim /var/log/mail.log
If your logs aren’t showing enough details, increase verbosity by editing your master.cf file. Locate this line:
127.0.0.1:10025 inet n - - - - smtpd
Change it to the following to enable verbose logging:
127.0.0.1:10025 inet n - - - - smtpd -v
Here’s an example of what you should see:
Why DKIM Verification Sometimes Fails
DKIM signatures are generated from both the headers and the body of the email. If either of these is altered in any way after being signed—such as by a forwarding server or an extra line break—the DKIM verification will not pass.
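The opendkim.conf above signs with Canonicalization relaxed/simple, that is, relaxed headers and a simple body. The added example below (not code from the page or from OpenDKIM) implements both body canonicalisations from RFC 6376 and the bh= body hash, and shows on constructed sample bodies which in-transit changes each one survives.

```python
import base64
import hashlib
import re

def canon_body_simple(body: str) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalisation (the body half of the
    page's relaxed/simple setting): CRLF line endings, trailing empty lines
    removed, and nothing else is tolerated, not even a trailing space."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def canon_body_relaxed(body: str) -> bytes:
    """RFC 6376 3.4.4 'relaxed': runs of spaces/tabs collapse to one space,
    trailing whitespace on each line is dropped, trailing empty lines removed."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(canon: bytes) -> str:
    """The bh= tag value: base64 of SHA-256 over the canonicalised body."""
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def bh_still_valid(signed: str, received: str, method: str) -> bool:
    """Would the signer's bh= still match after the body arrived as 'received'?"""
    canon = canon_body_simple if method == "simple" else canon_body_relaxed
    return body_hash(canon(signed)) == body_hash(canon(received))

# Constructed sample bodies (not from the page).
SIGNED = "Hello team,\r\n\r\nMeeting at 10:00.\r\n"
# Trailing spaces and a doubled space, as a relay re-wrapping text might produce.
WHITESPACE = "Hello team,  \r\n\r\nMeeting  at 10:00.\r\n\r\n\r\n"
# A footer appended by a mailing list: a real content change, fails under both.
FOOTER = SIGNED + "--\r\nSent via list.example\r\n"

if __name__ == "__main__":
    for name, received in (("whitespace", WHITESPACE), ("footer", FOOTER)):
        for method in ("simple", "relaxed"):
            print(f"{name:10} {method:8} bh still valid: "
                  f"{bh_still_valid(SIGNED, received, method)}")
```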
References
DomainKeys Identified Mail (DKIM) – RFC 4871
DKIM Author Domain Signing Practices (ADSP) – RFC 5617
You can also use this online validator to check if your emails include the correct DKIM signature.
How to Set Up SPF on Any Linux Distribution
About SPF: It is highly recommended to create a Sender Policy Framework (SPF) record for your domain. An SPF record is a DNS entry specifying which email servers are authorised to send mail from your domain.
SPF protects your domain from being used in forged “From” addresses by spammers.
Without an SPF record, other mail servers might reject messages from your users as they can’t verify whether the emails originate from a permitted source.
How to Add a Sender Policy Framework (SPF) Record
An SPF record should be created as a standard TXT record in DNS. Since BIND version 9.4.0, the SPF RR type (RFC 4408) is also supported, but TXT is most compatible.
TXT: name ttl class TXT text
SPF: name ttl class SPF text
If the basic method doesn’t work for you, try formatting like this:
TXT: example.com. IN TXT "description"
SPF: example.com. IN SPF "v=spf1 mx include:example.net -all"
You may use an online SPF Wizard to generate the proper record for your needs.
Copy the generated SPF record into your DNS zone file. For example:
qureshi.me. IN TXT "v=spf1 mx a ip4:12.12.12.12 a:34.34.34.34 include:ak.qureshi.me ?all"
How to Configure DMARC (Domain-based Message Authentication, Reporting & Conformance) and Its Advantages
When a message does not pass SPF or DKIM checks, DMARC tells recipient servers what to do: take no action, quarantine, or reject the message, according to your domain policy.
To create a DMARC record, visit Unlock the Inbox’s DMARC Wizard, fill in your domain and preferences based on your organisation’s policy, then add the resulting TXT entry to your domain’s DNS zone. For example:
_dmarc.qureshi.me. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; rf=afrf; pct=100; ri=86400"
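As an added example that is not part of the page, here is a small offline checker for the three record types this guide publishes (the DKIM key record, the SPF record and the DMARC record). It parses the TXT values as strings, so it can run on the page's own SPF example plus constructed DKIM and DMARC records (the key and the report address are placeholders), and reports the settings a defender should notice: t=y, ?all, p=none and the 10-lookup limit.

```python
import base64, binascii

# Constructed sample records. SPF_REC mirrors the page's SPF example; the DKIM key
# and the DMARC report address are placeholders, not real published values.
DKIM_REC = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(b"constructed placeholder").decode()
SPF_REC = "v=spf1 mx a ip4:12.12.12.12 a:34.34.34.34 include:ak.qureshi.me ?all"
DMARC_REC = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; rf=afrf; pct=100; ri=86400"
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 4.6.4

def parse_tags(record):  # 'tag=value; tag=value' syntax shared by DKIM key and DMARC records
    parts = (p.partition("=") for p in record.split(";"))
    return {k.strip(): v.strip() for k, sep, v in parts if sep}

def check_dkim(record):  # findings for a <selector>._domainkey TXT value
    tags, out = parse_tags(record), []
    try:
        base64.b64decode(tags.get("p", "!"), validate=True)
    except binascii.Error:
        out.append("p= missing or not valid base64 (copy/paste damage?)")
    if "y" in tags.get("t", ""):
        out.append("t=y: testing mode, verifiers must treat a failed signature like unsigned mail")
    return out

def check_spf(record):  # 'all' qualifier and the RFC 7208 limit of 10 DNS-lookup terms
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    out, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        lookups += mech in LOOKUP_TERMS
        if mech == "all":
            all_qual = qual
    if lookups > 10:
        out.append(f"{lookups} DNS-lookup terms: over the limit of 10, result is permerror")
    if all_qual not in ("-", "~"):
        out.append(f"all qualifier {all_qual!r}: unmatched senders are not rejected (use -all or ~all)")
    return out

def check_dmarc(record):  # findings for a _dmarc TXT value
    tags, out = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        out.append("v= must be DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        out.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        out.append("p=none: monitoring only, receivers do not quarantine or reject failing mail")
    if "rua" not in tags:
        out.append("no rua=: aggregate reports will never arrive")
    return out
```

Feed it the TXT strings returned by dig for your own zone once the records are published.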
How to setup DKIM, SPF, and DMARC on Ubuntu with Plesk Onyx – Continue to next page