
Most email services run several verification procedures on incoming email to make sure that it is legitimate, and to prevent their users' inboxes from being flooded with unwanted email (spam).
For instance, Google Gmail, among other tests, verifies that incoming email is signed with DKIM. Servers that send email to Gmail users without implementing this signing may find that their messages are flagged as spam by the Gmail servers, delivered to the recipient's spam folder, or simply discarded.
This post goes through the details of implementing DKIM digital signatures on a Postfix mail server running on a Debian Linux machine. It also briefly covers SPF and other email authentication mechanisms.
Contents
- 1. Google recommendations for Bulk Senders
- 2. Installing and configuring OpenDKIM
- 3. Generating a private/public key pair that will be used to sign emails
- 4. Configuring postfix to use the OpenDKIM signing service on outgoing mail
- 5. Starting the service and verifying that it is working as expected
- 6. Implementing SPF authentication
1. Google recommendations for Bulk Senders
In the page Bulk Senders Guidelines, Google gives a set of recommendations to reduce the risk that outgoing mail sent by a mail server is treated as spam:
- Always use the same IP address to send emails
- Create a reverse DNS record translating the server IP into the domain name
- When a given mail is sent to a number of users (e.g., a newsletter), always use the same sender email address in the "From:" header line
- Sign messages with DKIM. Use a key of at least 1024 bits
- Create an SPF record in DNS, specifying the IP addresses that are allowed to send emails from users in the domain
- Publish a DMARC policy
- If IPv6 is used, make sure that there is a PTR (reverse DNS) record for the IP address that is returned by a direct DNS query for the domain
- If IPv6 is used, the domain MUST pass the SPF or DKIM verifications
2. Installing and configuring OpenDKIM
OpenDKIM is available as a standard package in most Linux distributions, such as Debian and Ubuntu. It can be installed with a call to apt-get:
```
$ sudo apt-get install opendkim opendkim-tools
```
Once installed, the configuration file /etc/opendkim.conf must be edited to add the following lines (replacing example.com with your own domain name):
```
Domain example.com
KeyFile /etc/postfix/dkim.key
Selector mail
SOCKET inet:8891@localhost
```
The configuration file /etc/default/opendkim also needs to be edited to add a line that specifies the connection that Postfix will use to access the opendkim service:
```
SOCKET="inet:8891@localhost"
```
3. Generating a private/public key pair that will be used to sign emails
The opendkim-genkey command is used to generate a private/public key pair (replace example.com with the name of your domain):
```
$ opendkim-genkey -t -s mail -d example.com
```
This command generates a "mail.private" file that contains the private key, and a file "mail.txt" that contains the public key.
The private key is copied to /etc/postfix/dkim.key (the location of the private key previously specified in the opendkim.conf file):
```
$ cp mail.private /etc/postfix/dkim.key
```
The public key must be added to the DNS configuration of the domain as a TXT record. The exact procedure to edit the DNS configuration of the domain depends on the DNS service provider for the domain. The file "mail.txt" contains the specification of the record to add:
```
$ cat mail.txt
mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uUgVbuz6ej1fKTA29zq2CcWw+2XKMX5VuYLxC/o+wjpcPokGm4fGkqXVj+VuTJD7mRUaZT/Co6PDVE/+7xEJ0Atl3VVVWtVbTf2wvcv8I39oyUGYd3pF/b2eRq0WsU8fymeV6DaXiupxLGnPSWD20ag0hrgegVDJiAhDrQPrnwIDAQAB" ; ----- DKIM key mail for example.com
```
Some DNS service providers might give the option to upload this file directly. In most cases, they have a form in their client area that allows adding and editing the records in the DNS zone.
The DNS service can be consulted with an nslookup or dig command to verify that the record has been correctly added:
```
# nslookup -type=TXT mail._domainkey.example.com
Server:         172.31.0.2
Address:        172.31.0.2#53

Non-authoritative answer:
mail._domainkey.example.com     text = "v=DKIM1\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uUgVbuz6ej1fKTA29zq2CcWw+2XKMX5VuYLxC/o+wjpcPokGm4fGkqXVj+VuTJD7mRUaZT/Co6PDVE/+7xEJ0Atl3VVVWtVbTf2wvcv8I39oyUGYd3pF/b2eRq0WsU8fymeV6DaXiupxLGnPSWD20ag0hrgegVDJiAhDrQPrnwIDAQAB"
```
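Checking that the record resolves is only half of the verification: the record must also carry the right tags and a key of the recommended size, and the `t=y` flag that `opendkim-genkey -t` writes tells verifiers the domain is only testing DKIM, so it should be removed once signing is confirmed to work. The following script is an added example, not part of the original post or of OpenDKIM. It parses a DKIM TXT record (accepting the `\;` escaping that nslookup prints), decodes the `p=` value and walks the DER structure with the standard library only to report the RSA modulus size. The record embedded in it is the one published above; the `min_bits` threshold of 1024 follows Google's recommendation quoted earlier.

```python
import base64
import re

# Constructed sample: the DKIM TXT record the post publishes for selector
# "mail" (a 1024-bit RSA key made with "opendkim-genkey -t", hence t=y).
SAMPLE_DKIM_RECORD = (
    "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uUgVbuz6ej1fKTA29zq2"
    "CcWw+2XKMX5VuYLxC/o+wjpcPokGm4fGkqXVj+VuTJD7mRUaZT/Co6PDVE/+7xEJ0Atl3VVVWtVbTf2wvcv8"
    "I39oyUGYd3pF/b2eRq0WsU8fymeV6DaXiupxLGnPSWD20ag0hrgegVDJiAhDrQPrnwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption


def parse_dkim_tags(record):
    """Split a DKIM TXT record into a tag dict. Accepts the '\\;' escaping that
    nslookup prints and the folding whitespace some DNS providers insert."""
    record = record.replace("\\;", ";")
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus size of a DER-encoded SubjectPublicKeyInfo RSA key."""
    tag, spki, _ = _der_read(spki_der, 0)          # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _der_read(spki, 0)               # AlgorithmIdentifier
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = _der_read(bitstr[1:], 0)        # skip the unused-bits byte
    _, modulus, _ = _der_read(rsapub, 0)           # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record, min_bits=1024):
    """Validate a published DKIM record: version, key type, key size, and
    whether the t=y testing flag (written by opendkim-genkey -t) is present."""
    tags = parse_dkim_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1
        problems.append("unsupported version %r" % tags.get("v"))
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type %r" % tags.get("k"))
    bits = None
    if not tags.get("p"):
        problems.append("empty p= tag: key is revoked, signatures will fail")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError) as exc:
            problems.append("unparseable public key: %s" % exc)
        else:
            if bits < min_bits:
                problems.append("key is %d bits, below the %d-bit minimum" % (bits, min_bits))
    testing = "y" in tags.get("t", "").split(":")
    return {"tags": tags, "bits": bits, "testing": testing, "problems": problems}


if __name__ == "__main__":
    result = check_dkim_record(SAMPLE_DKIM_RECORD)
    print("key bits:", result["bits"])
    print("testing mode (t=y):", result["testing"])
    print("problems:", result["problems"] or "none")
```

Run against the record above it reports a 1024-bit rsaEncryption key with the testing flag set and no problems; raising `min_bits` to 2048 turns the key size into a reported problem, and a record whose `p=` is empty is flagged as revoked.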
4. Configuring postfix to use the OpenDKIM signing service on outgoing mail
To do this, the lines below must be added at the bottom of the main Postfix configuration file /etc/postfix/main.cf:
```
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```
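Sections 2 and 4 configure the same socket in three files, and in two different syntaxes: OpenDKIM writes it as `inet:PORT@HOST`, Postfix as `inet:HOST:PORT`. If they disagree, Postfix cannot reach the milter, and because `milter_default_action = accept` tells Postfix to carry on when the milter is unreachable, mail then leaves the server unsigned without any error. The script below is an added example (not code from the post, OpenDKIM or Postfix) that parses the three fragments shown above and reports any mismatch between where OpenDKIM listens and where Postfix connects. The sample file contents are constructed from the post's own configuration.

```python
import re

# Constructed samples reproducing the three places the post configures the
# OpenDKIM socket (opendkim.conf, /etc/default/opendkim and Postfix main.cf).
OPENDKIM_CONF = """\
Domain example.com
KeyFile /etc/postfix/dkim.key
Selector mail
SOCKET inet:8891@localhost
"""

OPENDKIM_DEFAULT = """\
SOCKET="inet:8891@localhost"
"""

POSTFIX_MAIN_CF = """\
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""


def parse_opendkim_conf(text):
    """opendkim.conf: 'Key value' lines, '#' comments, case-insensitive keys."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_shell_defaults(text):
    """/etc/default/opendkim: shell-style NAME="value" assignments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)=["\']?([^"\']*)["\']?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_postfix_main_cf(text):
    """main.cf: 'key = value' lines, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def normalize_socket(spec):
    """Map both socket syntaxes to ('inet', host, port) or ('local', path)."""
    if spec.startswith("inet:"):
        rest = spec[len("inet:"):]
        if "@" in rest:                          # OpenDKIM form: inet:port@host
            port, host = rest.split("@", 1)
        else:                                    # Postfix form: inet:host:port
            host, port = rest.rsplit(":", 1)
        return ("inet", host or "localhost", int(port))
    if spec.startswith(("local:", "unix:")):
        return ("local", spec.split(":", 1)[1])
    raise ValueError("unrecognised socket spec: %r" % spec)


def check_milter_wiring(opendkim_conf, opendkim_default, main_cf):
    """Return the mismatches between where OpenDKIM listens and where Postfix
    connects; an empty list means the three files agree."""
    problems = []
    dk = parse_opendkim_conf(opendkim_conf)
    dflt = parse_shell_defaults(opendkim_default)
    pf = parse_postfix_main_cf(main_cf)
    listen_specs = {}
    if dk.get("socket"):
        listen_specs["opendkim.conf Socket"] = normalize_socket(dk["socket"])
    if dflt.get("SOCKET"):
        listen_specs["/etc/default/opendkim SOCKET"] = normalize_socket(dflt["SOCKET"])
    if not listen_specs:
        return ["OpenDKIM has no Socket configured"]
    if len(set(listen_specs.values())) > 1:
        problems.append("OpenDKIM listen sockets disagree: %s" % listen_specs)
    listen = next(iter(listen_specs.values()))
    for key in ("smtpd_milters", "non_smtpd_milters"):
        milters = [normalize_socket(m) for m in re.split(r"[,\s]+", pf.get(key, "")) if m]
        if listen not in milters:
            problems.append("%s does not reference the OpenDKIM socket %s" % (key, listen))
    return problems


if __name__ == "__main__":
    print(check_milter_wiring(OPENDKIM_CONF, OPENDKIM_DEFAULT, POSTFIX_MAIN_CF) or "wiring OK")
```

With the post's configuration the check returns an empty list; changing the port in main.cf to 8892 produces one mismatch for `smtpd_milters` and one for `non_smtpd_milters`, which is exactly the silent-unsigned-mail situation the netstat check in section 5 is meant to catch.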
5. Starting the service and verifying that it is working as expected
To start signing the outgoing mail, the opendkim service needs to be started, and the postfix service needs to be restarted:
```
$ sudo service opendkim start
$ sudo service postfix restart
```
To verify that opendkim has started successfully, we can check with netstat that it is listening on TCP port 8891:
```
# netstat -an | grep 8891
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN
```
The mail-tester.com online service can be used to verify that messages sent from our server are being signed by opendkim. First, access the home page, and then send a test email to the email address shown on the screen:
```
# mailx web-n0GmLZ@mail-tester.com
Subject: Test message
This is a test message to verify the DKIM digital signing in our server.
EOT
```
Next, click on the "Then check your score" button, and wait until the results are displayed:
In the results page we can see that the message sent had a valid DKIM signature.
However, the message did not pass the SPF validation, because we have not yet added an SPF record to the DNS configuration of the domain. The total score obtained in mail-tester.com is only 2.8, meaning that messages sent by our server will probably be rejected by most mail servers.
6. Implementing SPF authentication
SPF (Sender Policy Framework) is a mail server validation mechanism based on DNS. To implement SPF, a TXT record is added to the DNS configuration of the domain, specifying the IP addresses that are authorized to send email from senders belonging to the domain.
For instance, the following record only allows the IP address 127.128.129.130 to send emails for the domain "example.com":
```
example.com text="v=spf1 ip4:127.128.129.130/32 -all"
```
The DNS service provider for our domain usually allows the DNS zone to be edited, to add the SPF record, through a form on its web site. Afterwards, the command-line tools nslookup or dig can be used to verify that the record is correctly configured:
```
# nslookup -type=TXT example.com
Server:         172.31.0.2
Address:        172.31.0.2#53

Non-authoritative answer:
example.com     text = "v=spf1 ip4:127.128.129.130/32 -all"
```
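To see what a receiving server actually does with that record, here is an added example (not code from the post, and not a full RFC 7208 implementation) of an SPF evaluator that handles the `ip4`/`ip6` mechanisms and the `all` catch-all with all four qualifiers (`+` pass, `-` fail, `~` softfail, `?` neutral), which is the generalisation of the single `ip4 ... -all` record above. Mechanisms that require DNS lookups (`a`, `mx`, `include`, `exists`, `ptr`, `redirect`) are reported as unresolved rather than looked up, so the script runs offline; the sample records are constructed.

```python
import ipaddress
import re

# Constructed sample: the SPF record the post publishes for example.com.
SAMPLE_SPF_RECORD = "v=spf1 ip4:127.128.129.130/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr", "redirect")


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP address.

    Returns one of the RFC 7208 results (pass, fail, softfail, neutral, none,
    permerror) or 'unresolved:<term>' for the first mechanism that would need a
    DNS lookup. Mechanisms are tested left to right; the first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                                  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                                # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            return "permerror"
        name, arg = m.group(1).lower(), m.group(2)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare IP means /32 or /128
            except (ValueError, TypeError):
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"                     # e.g. ip4: with an IPv6 address
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            return "unresolved:" + term                # would need a DNS query
        elif name == "exp":
            continue                                   # explanation modifier: no effect on result
        else:
            return "permerror"                         # unknown mechanism
    return "neutral"                                   # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("127.128.129.130", "127.128.129.131"):
        print(ip, "->", evaluate_spf(SAMPLE_SPF_RECORD, ip))
```

For the post's record only 127.128.129.130 yields `pass`; every other address hits `-all` and yields `fail`, which is what mail-tester.com is checking when it reports the SPF result. A record that ends in `~all` instead produces `softfail`, and a record with no `all` term at all falls through to `neutral`, a common misconfiguration that leaves the domain effectively unprotected.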
And finally, the online service mail-tester.com can be used again to verify the new configuration:
And that’s all!