DKIM, SPF and DMARC
Beginning in February 2024, Gmail and Yahoo will begin implementing new requirements for large senders to combat spam and abuse through email.
1. You have to be sending from a domain that you own (so, not gmail.com etc).
2. You have to set up DKIM, SPF and DMARC.
DKIM is DomainKeys Identified Mail. When you send an email, your server adds a DKIM signature to it; the receiving mailer fetches your public key from DNS and uses it to check that the message really did come from your server.
SPF is Sender Policy Framework.
When you send an email message, the receiving system will check to see if there is an SPF record published for your domain.
- If there is a valid SPF record AND your sending IP is on the list, you PASS.
- If the IP is NOT on the list, you FAIL the SPF check and could either be rejected or placed in the spam folder.
SPF isn't as good as DKIM: it only checks the connecting IP address, so it breaks when mail is forwarded.
DMARC is Domain-based Message Authentication, Reporting and Conformance. It helps domains deal with domain spoofing and phishing attacks by preventing unauthorized use of the domain in the From: address (the one the recipient sees) of email messages.
So, how do you do that? I'm doing it for a Linux mail server. I'm not a "large sender", but I'm doing it anyway. First, let's install some software.
yum install -y opendkim
yum install -y opendkim-tools
Then edit the configuration file:
pico /etc/opendkim.conf
For what to do, see https://www.vttoth.com/CMS/technical-notes/356-setting-up-dkim-with-sendmail
The key lines to add/modify are:
...
Mode sv
...
KeyTable /etc/opendkim/KeyTable
...
SigningTable refile:/etc/opendkim/SigningTable
...
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
...
InternalHosts refile:/etc/opendkim/TrustedHosts
...
Now create a subdirectory (put your domain name where I put example.com).
mkdir /etc/opendkim/keys/example.com/
opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim
systemctl start opendkim; systemctl enable opendkim
And edit sendmail.mc (in /etc/mail) to add
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
then, still in /etc/mail:
make
systemctl restart sendmail
cd /etc/opendkim/keys/example.com
You'll see a file default.txt. Gaze on that; it holds the TXT record you need to publish. Then go to /var/named/db.example and add
default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )
Restart the DNS server by doing: systemctl restart named
And DKIM can be tested using https://dmarcadvisor.com/dkim-check/ with domain = example.com and selector = default.
Next, SPF. You need to tell it the range of IP addresses you send from. Add the following to /var/named/db.example (if you have mailers that don't do rDNS (reverse DNS), list them with a:another.example.com):
example.com. IN TXT "v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"
Finally, DMARC. The record name must carry the leading underscore:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"
p=none means take no action, just report it to the address given in rua= (email-address-for-reports here).
The other options are quarantine and reject.
So now we have three lines added to db.example:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )
example.com. IN TXT "v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"
_dmarc.example.com. IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"
Restart the DNS server by doing: systemctl restart named
Test using https://dmarcadvisor.com/dkim-check/
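Before trusting the online checker, it is worth auditing the three zone lines for the usual mistakes. The script below is an added example, not part of the original post: it joins the split quoted strings of a zone-file TXT record, then flags a DMARC record published without the _dmarc underscore, an SPF record with no 'all' term or with +all, a missing DKIM public key, and the two deliberately permissive settings this tutorial uses (~all and p=none) as things to revisit. The sample zone is constructed, with a placeholder key and report address.

```python
import re
def txt_value(rdata):
    """Join quoted strings of zone-file TXT data: ( "v=DKIM1; " "p=X" ) -> 'v=DKIM1; p=X'."""
    return "".join(re.findall(r'"([^"]*)"', rdata))
def parse_tags(value):  # 'tag=value; tag=value' (DKIM, DMARC) -> dict
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in value.split(";") if p.strip())}

def check_dkim(name, value):
    t, findings = parse_tags(value), []
    if name.split(".")[1:2] != ["_domainkey"]:
        findings.append("DKIM key must be published at <selector>._domainkey")
    if not t.get("p"):  # RFC 6376: an empty p= means the key is revoked
        findings.append("p= public key is missing or empty")
    return findings

def check_spf(name, value):
    last, findings = value.split()[-1], []  # the qualifier on 'all' is the default verdict
    if last.lstrip("+-~?") != "all":
        findings.append("SPF should end with an 'all' mechanism")
    elif last in ("all", "+all"):
        findings.append("+all authorises every IP on the internet")
    elif last == "~all":
        findings.append("~all is softfail; tighten to -all once every sender is listed")
    return findings

def check_dmarc(name, value):
    t, findings = parse_tags(value), []
    if name.split(".")[0] != "_dmarc":  # the record name needs the leading underscore
        findings.append("DMARC record must be at _dmarc.<domain>")
    if t.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif t["p"] == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if not all(u.strip().startswith("mailto:") for u in t.get("rua", "").split(",")):
        findings.append("rua= must be one or more mailto: URIs")
    return findings

def audit(name, rdata):  # pick the checker from the v= tag; [] means the record looks clean
    value = txt_value(rdata)
    for prefix, fn in (("v=DKIM1", check_dkim), ("v=spf1", check_spf), ("v=DMARC1", check_dmarc)):
        if value.startswith(prefix):
            return fn(name, value)
    return ["not a DKIM, SPF or DMARC record"]
# Constructed zone lines mirroring the tutorial (placeholder key and report address).
ZONE = [("default._domainkey", '( "v=DKIM1; k=rsa; " "p=MIGfMA0PLACEHOLDERIDAQAB" )'),
        ("example.com.", '"v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"'),
        ("_dmarc.example.com.", '"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@example.com"')]
def audit_zone(zone=ZONE):
    return {name: audit(name, rdata) for name, rdata in zone}
```

Running audit_zone() on the constructed zone reports nothing for the DKIM record and one caveat each for ~all and p=none; feed it your own zone lines as (name, rdata) pairs to check them before restarting named.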