Validate Email with DNS Records

Email is a lot like real-life mail. You can send email to anyone, but you can also write whatever return address you'd like. That is, it's pretty easy to pretend to be someone else via mail, and that was originally the case with email as well: email is just text, and you could just change your From: address to any email address you wanted! DKIM (Domain Keys Identified Mail) helps solve this issue.

OpenDKIM will generate a public/private cryptographic key pair for your server. The public key will be made available publicly in your server's DNS records and the private key will be used to sign every single email that leaves the server. This means that people receiving mail from your server can now be absolutely sure that it originated from your server because their servers can check the cryptographic signature on the email with the public key!

OpenDKIM ensures that email originated from the server it claims it did, but it does not ensure that it originated from the user account it claims it did. This easier problem is solved by server-side authorization settings.

Installation

apt install opendkim opendkim-tools

The Keys and Files

We have to generate the DKIM keys and create some secondary files that will be required for our configuration.

Generate the DKIM key

Here we create directories for the OpenDKIM keys, generate them, and ensure they have the right file permissions.

mkdir -p /etc/postfix/dkim
opendkim-genkey -D /etc/postfix/dkim/ -d example.org -s mail
chgrp opendkim /etc/postfix/dkim/*
chmod g+r /etc/postfix/dkim/*

Create the key table

Now we'll tell OpenDKIM where the newly generated keys are on the file system.

echo "mail._domainkey.example.org example.org:mail:/etc/postfix/dkim/mail.private" > /etc/postfix/dkim/keytable

Create the signing table

echo "*@example.org mail._domainkey.example.org" > /etc/postfix/dkim/signingtable

Adding trusted hosts

echo "127.0.0.1
10.1.0.0/16
1.2.3.4/24" > /etc/postfix/dkim/trustedhosts

Configuring opendkim.conf

Now we have all the raw material, so open up /etc/opendkim.conf and we can finalize our server settings. First, add these lines that will source the files we just created.

KeyTable file:/etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable
InternalHosts refile:/etc/postfix/dkim/trustedhosts

Canonicalization        relaxed/simple
Socket                  inet:12301@localhost

There will already be an uncommented Socket directive, so delete, comment out or replace it with the above.

Interfacing with Postfix

There are a couple things we must add to the Postfix SMTP server settings to interface it with OpenDKIM. Specifically, we have to set our OpenDKIM server, which will be running on port 12301, as a milter (mail filter). This is easy to do with the four commands below:

postconf -e "myhostname = $(cat /etc/mailname)"
postconf -e "milter_default_action = accept"
postconf -e "milter_protocol = 6"
postconf -e "smtpd_milters = inet:localhost:12301"
postconf -e "non_smtpd_milters = inet:localhost:12301"

Restart and reload Postfix and DKIM

Now that we have all our settings in place:

systemctl restart opendkim
systemctl enable opendkim
systemctl reload postfix

Adding the DNS record!

We are only one step away from having functioning OpenDKIM. We must add the DKIM public key to our server's DNS settings, so go ahead and open up your registrar's site or wherever your site's DNS settings are.

The public key is found in the file /etc/postfix/dkim/mail.txt, but it will display as multiple lines and multiple quoted strings, which is annoying and hard to copy-and-paste into your registrar. To make things easier, run the following command to format the key in the way we need it for the DNS TXT entry:

echo -e "

v=DKIM1; k=rsa; $(tr -d "
" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")

"

Take the very long output of that command, which will start with v=DKIM1 and add it as a TXT entry in your DNS settings as below. The host we put it for is mail._domainkey.

Adding the OpenDKIM TXT entry in DNS settings

On my registrar, this is how it is input, but on some registrars, it may be required to include your domain name as well as mail._domainkey.example.org.

If you have your own DNS server, add a TXT entry as follows:

mail._domainkey.example.org TXT v=DKIM1; k=rsa; p=ThatLongRandomSequenceOfLettersAndNumbersOfYours

Testing it out!

Now we want to send an email to make sure that your emails will now be signed with OpenDKIM.

Hostname

If you've followed these instructions, all emails from the domain example.org will now have a DKIM signature on them. If we send mail via the mail command, however, their domain of origin will be whatever your server's hostname is, which you may have set to something different than your domain.

You can permanently change your hostname by changing it in /etc/hostname and rebooting, or you can just run hostname example.org to change it temporarily for testing. Either way, this will allow us to run the mail command as in the SMTP article.

echo "Hi there.

This is the text." | mail -s "Email from the server" your@emailaddress.com

More helpful troubleshooting.

You can also go to this site, which will help you troubleshoot any other DKIM problems if you mistyped something.

DMARC

DMARC (Domain-based Message Authentication Protocol) is a protocol designed to give email domain owners the ability to protect their domain from unauthorized use.

Add the dmarc user:

useradd -m -G mail dmarc

Open up your registrar or DNS settings again, and make a new TXT record like we did with DKIM, except now use the output from the following command:

echo "_dmarc.$(cat /etc/mailname)"
echo "v=DMARC1; p=reject; rua=mailto:dmarc@$(cat /etc/mailname); fo=1"

The first line is the Host field. The latter is the TXT value.

Sender Policy Framework

Saving the easiest for last, we should add a TXT record for SPF, an email-authentication standard used to prevent spammers from sending messages that appear to come from a spoofed domain.

cat /etc/mailname
IP4=<your VPS's IPv4 address>
IP6=<your VPS's IPv6 address>
echo "v=spf1 mx a:mail.$(cat /etc/mailname) ip4:$IP4 ip6:$IP6 -all"

Note: previous versions of this guide didn’t ask you to specify the ip4 and ip6 mechanisms. If you don’t include them, some email hosts (most notoriously gmail) will not accept mail from your server.

The IP4 and IP6 values should be the same as what you set your PTR records to.

The output of cat /etc/mailname is the Host field. The output of the second command is the TXT value.

Again, you can check that site to make sure your DKIM, DMARC, and SPF entries are valid. That’s it!

Contribution

Or Previous: Setup rDNS