- How to Setup Postfix/DKIM/SPF on Ubuntu with or without Plesk Onyx
- How to setup DKIM/SPF/DMARC in Ubuntu with Plesk Onyx
- How to setup SPF (Sender Policy Framework)
- How to setup DMARC and Benefits
- Generate a public and private key from OpenSSL (if require)
- How to install/setup dkim in cPanel
- Server Speedtest from command
- User unknown in virtual alias table
For DKIM Checker:
Intro and Benefits: DKIM is a tool and a method for email to secure, allowing a personal/Origisation email communication secure whilst recvicng/sending to different domains.
Big benefit of that we are announcing to the internet world that we are secure and have better IP/Server reputation.
DKIM used public key called’ Cryptography to allow sender to electornically sign his/her legitimate emails in the way to a verifed my recvicer/recipients.
Before start, make sure you already installed Postfix MTA, if not please install it from Postfix.
First thing first, installs opendkim universal repository:
sudo aptitude install opendkim opendkim-tools
If you on previous Ubuntu 12.04 Precise, you require installing backport. – ignore this step if you have latest Ubuntu version installed,
sudo aptitude install opendkim/precise-backports sudo aptitude install opendkim-tools/precise-backports
Go and add/append in this file: cd /etc/opendkim.conf – example.com, this is an example, make sure use your domain name.
Canonicalization relaxed/simple Domain * KeyFile /etc/postfix/dkim.key Selector dkim SOCKET inet:[email protected]
After above step, go and add a line in the file: cd /etc/default/opendkim:
After above step completed then, find a “main.cf” file: cd /etc/postfix/main.cf, find an appropriate line and amend it.
# DKIM # -------------------------------------- milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
For above command: If you already using some milter for Domainkey(old version) then you may add extra ports like this:
milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891,inet:localhost:8892 non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
Now, look for “master.cf” file in: cd/etc/postfix master.cf and amend one line only. if you can’t find the whole line then all full line:
Add “no_milter” at the end of the command
Double check both commands in opendkim.conf, master.cf and main.cf files?
Now time for generating the Public(dkim.txt) and Private Keys(dkim.private), why we have named “dkim”? because we choose the selector in opendkim.conf file, you can choose depending on your requirements. First, create a folder “dkimkeys”, go into the folder and type your first command to generate the keys:
opendkim-genkey -t -s dkim -d example.com
Above command, where is mentioned “dkim” this is a selector and example.com is your domain where you need to replace your original domain.
Two keys have been generated in the “dkimkeys” folder, the only private key has to move to postfix folder to secure email address/domain. Also, secure both keys in the cloud folder as a backup.
mv dkim.private /etc/postfix/dkim.key
90% of your DKIM configuration completed, now restart your opendkim and postfix MTA:
service opendkim start service postfix restart
After rebooting the services, you may get errors: to check the log file use this command:
grep -i dkim /var/log/mail.log
The next and very important step is to add a TXT(dkim._domainkey) and Public Keys into the domain’s registrar DNS management section like GoDaddy, 123-reg etc. all entries must be TXT format.
The file dkim.txt contains the key and subdomains record: cd /etc/dkimkeys, Copy and Paste and add into the DNS management section. Command: Nano cd /etc/dkimkeys/
Looks like this:
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB
TXT entries for DNS:
v=DKIM1; k=rsa; t=y; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB OR v=DKIM1; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB
Once, key and subdomain TXT setup, check from the dig command that all up and running as excepted.
dig dkim._domainkey.qureshi.me txt
You are done for the day, now for the test purposes, send an email to autorespond+dkim[at]dk.elandsys.com OR [email protected](Highly recommended).
If Signature is missing, check in the log: grep -i dkim /var/log/mail.log
If you can’t see logs then add”-v” in the master.cf file, where you can find this:
127.0.0.1:10025 inet n - - - - smtpd
Must look like this:
127.0.0.1:10025 inet n - - - - smtpd -v
DKIM signature verification failures
DKIM uses the email headers and body to generate a signature. If the headers are rewritten or text is changed to the message body after it has been signed, the dkim verification fails.
DomainKeys Identified Mail (DKIM) – RFC 4871
DKIM Author Domain Signing Practices (ADSP) – RFC 5617
Also, check this site that your email send signature with it or not: http://dkimvalidator.com/
What is the SPF: Highly recommend that you create a Sender Policy Framework (SPF) record for your domain. An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain.
The main benefit of SPF is to safe from spammers from sending forged from addresses at your organisation’s domains.
If SPF record does not setup in your domains then, Third party domains may reject your email messages from your organisation’s domains users because they cannot validate that the message from an authorised mail server.
The SPF record should be defined in a Standard Text (TXT)format called resource record andSPF RR typpe BIND release from 9.4.0 support the SPF RR type RFC 4408.
TXT:name ttl class TXT text
SPF:name ttl class TXT SPF
Or the second method, if first one doesn’t work.
TXT:example.com. IN TXT “description”
SPF:example.com. IN TXT “v=spf1 mx include:example.net -all”
Let’s create one record from SPF wizard site:
Then copy and paste into your DNS zone record: qureshi.me. IN TXT “v=spf1 mx a ip4:126.96.36.199 a:188.8.131.52 include:ak.qureshi.me ?all”
If the message fails the SPF record check, DMARC comes in to control how your provider control failures the email message, there is a three option for controlling messages: No action, quarantine and reject.
Go to: https://www.unlocktheinbox.com/dmarcwizard/ > add your domain and add your required information to create one, it’s all depending on your organisation’s policies. Then copy and paste into your DNS zone record: _dmarc.qureshi.me. IN TXT “v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; rf=afrf; pct=100; ri=86400”