Installing the iRedMail mail server on CentOS 7. Part 6. DKIM, SPF, DMARC

Configuring DKIM

DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect spoofing of messages sent by email. It allows the recipient to verify that a message was actually sent from the declared domain. DKIM simplifies the fight against fake sender addresses, which are often used in phishing emails and email spam. The technology combines several existing anti-phishing and anti-spam techniques to improve the classification and identification of legitimate email. Instead of a traditional IP address, DKIM adds a digital signature associated with the organization’s domain name to identify the sender of the message. The signature is automatically verified on the recipient’s side, after which “white lists” and “black lists” are applied to determine the sender’s reputation.

View the DKIM key that was generated when iRedMail was installed:

# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 1024 bits, i=dkim, d=example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com.	3600 TXT (
  "v=DKIM1; p="
"MIGfMA0GCSqGSIb5RTEBAQUAA4GNADCBiQKBgQCeZ7mcAV0oqaAXOYBOaEMjJHCC"
"SC9+dJbJEwt0KTZpZFAKmOQiZ5h5xzW6PsnGjAXiA6qYEB+xW4KRLOPI35L4h2/U"
"81ppX6St/GhUYIXjV/FB6bBf9I6YgNUzJi549VWnBgo3yNIRgWzQjqounF6wsmAd"
"VQk0V+YoL9FA7qcj2wIDATRE")

Create a TXT record in the domain name zones control panel:

Domain: dkim._domainkey.example.com.
Record type: TXT
Value: v=DKIM1; p=MI...

“Value” is entered as one long line, without quotes.

Checking

# amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 example.com: dkim._domainkey.example.com => pass
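
The following added example (not part of the original article) joins the quoted chunks printed by amavisd showkeys into the single unquoted line the control panel expects, and compares it with the published record as returned by dig +short TXT. The function names and the sample key text are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from iRedMail.

# Join every double-quoted chunk read from stdin into one unquoted line.
# Works on `amavisd showkeys` output and on `dig +short TXT` output alike.
dkim_flatten() {
  awk '{
    s = $0
    while (match(s, /"[^"]*"/)) {
      printf "%s", substr(s, RSTART + 1, RLENGTH - 2)
      s = substr(s, RSTART + RLENGTH)
    }
  }'
}

# Return 0 if the value starts with v=DKIM1 and ends with a clean base64 p= tag
# (no stray quotes or spaces left over from copy and paste).
dkim_looks_valid() {
  printf '%s' "$1" | grep -Eq '^v=DKIM1;.*p=[A-Za-z0-9+/]+=*$'
}

# Return 0 if the local key ($1, showkeys text) equals the published one ($2, dig text).
dkim_matches() {
  local_val=$(printf '%s\n' "$1" | dkim_flatten)
  dns_val=$(printf '%s\n' "$2" | dkim_flatten)
  [ -n "$local_val" ] && [ "$local_val" = "$dns_val" ]
}

# Constructed sample in the layout of `amavisd showkeys` (not a real key).
SHOWKEYS_SAMPLE='; key#1 1024 bits, i=dkim, d=example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "AAAABBBB"
  "CCCCDDDD")'

# Constructed sample in the layout of `dig +short TXT dkim._domainkey.example.com`;
# resolvers may split the same value at different chunk boundaries.
DIG_SAMPLE='"v=DKIM1; p=AAAABB" "BBCCCCDDDD"'

# Print the value to paste into the "Value" field.
printf '%s\n' "$SHOWKEYS_SAMPLE" | dkim_flatten
echo
```

On a live server, pipe the real command output into dkim_flatten instead of the samples: amavisd -c /etc/amavisd/amavisd.conf showkeys | dkim_flatten.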

Setting up SPF

SPF (Sender Policy Framework) is an extension to the protocol for sending email over SMTP. SPF allows you to check whether the sender’s domain has been forged.

Create a TXT record in the domain name zones control panel:

Domain: example.com.
Record type: TXT
Value: v=spf1 a mx ip4:%ip% include:_spf.google.com ~all

Where:

  • %ip% – the IP address of the mail server
  • include:_spf.google.com – to pass the check by the Google service; adding it is optional
  • ~all – accept messages from all other servers, but mark them as spam

Configuring DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical specification created by a group of organizations to reduce the number of spam and phishing emails. It is based on identifying the sender’s email domain according to the rules and attributes set on the recipient’s mail server.

To receive DMARC reports, I use the Postmark service.

Follow the link above and enter your e-mail address and domain name. The service then gives you the value to register in the zone control panel, for example:

Domain: _dmarc.example.com.
Record type: TXT
Value: v=DMARC1; p=none; pct=100; rua=mailto:абракадабра@dmarc.postmarkapp.com; sp=none; aspf=r;

After you have registered this value, you need to confirm it in the service.

Services for testing the mail server

https://postmaster.google.com/
https://www.mail-tester.com/
https://toolbox.googleapps.com/apps/checkmx/
https://dnschecker.org/
