Setting up DMARC, SPF and DKIM on Ubuntu.
I was recently setting up DMARC, SPF and DKIM on Ubuntu.
And I was following two articles:
All of the things in both the articles are explained clearly and they work as well.
Still I needed to do the following changes and a few lessons(All tests were made on Gmail).
1. SPF:
After finishing up with setup on SPF, Gmail showed.
spf=softfail (google.com: domain of transitioning example.com does not designate XXX.XX.XXX.XXX as permitted sender) smtp.mailfrom=www-data@example.com
My SPF settings were
"v=spf1 a include:_spf.google.com ~all"
which according to here, meant if IP matches what is there in “a” record of the domain, then it should work, but it didn’t. So I had to change it to.
"v=spf1 a ip4:139.162.13.244 include:_spf.google.com ~all"
After this SPF started showing PASS.
2. DKIM:
Few changes I had to do for this, taking help of the comments on the DO article:
a. No emails going out, error in log.
postfix/cleanup[38857]: warning: connect to Milter service inet:localhost:12301: Connection refused
Fix:
#Edit /lib/systemd/system/opendkim.service (change the line: ExecStart=/usr/sbin/opendkim -P ... to ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf) sudo systemctl daemon-reload service opendkim restart
b. After the setup it failed with invalid public key :
dkim=neutral (invalid public key)
This post helped. So I removed the refile: prefix from KeyFile and also made changes to the entries as mentioned in that post.
KeyTable /etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable
- Your KeyTableThe lines are supposed to start with the domain, not with the domainkey record:
example.com example.com:default:/etc/opendkim/keys/example.com/default.private
- SigningTableThe signing table should map Email-Addresses to the domain. It should look like this:
*@example.com example.com
c. The output of mail.txt was not as shown on the DO article
it was like
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hK4+s273W5a18XitzI7KA3eDYLjpZhNTFwFPTMpyprZ4UKDgN5t+k3GgFyWvtlE9IY8YEUhbJ1dle/2lX4RAuVPfbs3+6ZnIqSthUtWogoUvxvbYGG94NQfTzWlMsUnIOvHD1kHue40LBL5s3e1urKTlCbPOPkrFd32xyRFTzM4niVA1Q9CS7gp8mlHiyZXM1jJnSu58jTgt9" "a2g47YfpnaAv74DE535ujyKAmCnbGI2BMFpi16jE96T2i9ehK+Hh8blBFCk4EgEglmaezUqyfZAcEGJKDWGiqaLlffEs2tpi+dWLYCl9CSnsK9HPVvrk00ZP8InqrFtbvTsdwAWQIDAQAB" ) ; ----- DKIM key mail for example.com
There were multiple breaks in the file and having multiple strings within the quotes.
Not sure if directly using it would have worked, so removed quotes ” from in between the string and made in a single string like “v=DKIM1; h=sha256; k=rsa; p=key”
d. Also I did this:
If Postfix version higher than 2.6, set “milter_protocol” value 6 instead of 2.
milter_protocol = 6
3 DMARC
It was strict
"v=DMARC1; p=reject; adkim=s; aspf=s"
made it to take no action referring this and changed it to.
"v=DMARC1; p=none; adkim=r; aspf=r"
This basically says that take no action if DKIM and SPF failed for some reason. You can change this according to your needs i.e if you want to be notified of any spam etc.
After all of this Gmail is now not throwing the outgoing emails from the server to spam, relieved!