Monday 8 January 2024

Dkim, Spf and Dmarc

Beginning in February 2024, Gmail and Yahoo will begin enforcing new requirements for large senders, to combat spam and abuse sent through email.

1. You have to be sending from a domain that you own (so, not gmail.com etc).

2. You have to set up Dkim, Spf and Dmarc.

Dkim is DomainKeys Identified Mail. When you send an email, a Dkim signature is included in the headers. This lets the receiving mailer check that it really did come from your server and wasn't altered on the way.

Spf is Sender Policy Framework.

When you send an email message, the receiving system will check to see if there is an SPF record published.

  • If there is a valid SPF record AND your sending IP is on the list, you PASS.
  • If the IP is NOT on the list, you FAIL the SPF check and could either be rejected or placed in the spam folder.

Spf isn't as good as Dkim.

Dmarc is Domain-based Message Authentication, Reporting and Conformance.

It helps domains deal with domain spoofing and phishing attacks by preventing unauthorized use of the domain in the Friendly-From address of email messages.

So, how do you do that? I'm doing it for a linux mail server. I'm not a "large sender", but I'm doing it anyway. First, let's install some software.

yum install -y opendkim
yum install -y opendkim-tools

Then edit the configuration file:

pico /etc/opendkim.conf

For what to do, see https://www.vttoth.com/CMS/technical-notes/356-setting-up-dkim-with-sendmail

The key lines to add/modify are:

...
Mode   sv
...
KeyTable       /etc/opendkim/KeyTable
...
SigningTable   refile:/etc/opendkim/SigningTable
...
ExternalIgnoreList     refile:/etc/opendkim/TrustedHosts
...
InternalHosts  refile:/etc/opendkim/TrustedHosts
...

Now create a subdirectory (put your domain name where I put example.com).

mkdir /etc/opendkim/keys/example.com/

opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default

chown -R opendkim:opendkim /etc/opendkim

systemctl start opendkim; systemctl enable opendkim

And edit sendmail.mc (in /etc/mail) to add

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

then:

make
systemctl restart sendmail

cd /etc/opendkim/keys/example.com
You'll see a file default.txt containing the DNS record for your public key. Gaze on that. Then go to /var/named/db.example and

add:

default._domainkey  IN  TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )

Restart the DNS server by doing: systemctl restart named

And the dkim can be tested using https://dmarcadvisor.com/dkim-check/

domain = example.com selector = default

Next, Spf. You need to tell it the range of IP addresses that are allowed to send mail for your domain. Add to /var/named/db.example:

example.com. IN TXT "v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"

If you have mailers that don't do rDNS (reverse DNS), list them by hostname with a:another.example.com, as above.

Finally, Dmarc. The record lives at the _dmarc label under your domain:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"

p=none means take no action on messages that fail, just report them to the address given in rua (email-address-for-reports).

The other options for p are quarantine and reject.
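As an added example (not from the original post), here is a small offline evaluator for the Spf and Dmarc records set up above: it decides what a receiver would conclude about a sending IP under the Spf record, and pulls the Dmarc policy tags apart. The sending IPs, the A record for another.example.com and the report address are constructed values.

```python
import ipaddress

# Constructed sample records, modelled on the ones in this post
# (the report address is made up).
SPF_RECORD = "v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"
DMARC_RECORD = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

# Offline stand-in for the DNS lookup behind the "a:" mechanism
# (hostname -> its A records). Constructed for this example.
A_RECORDS = {"another.example.com": ["198.51.100.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, sending_ip, a_lookup=A_RECORDS):
    """Return the SPF result ("pass", "fail", "softfail", "neutral") for sending_ip.

    Only the mechanisms used in the post (ip4, a, all) are implemented;
    the first matching mechanism wins, so "~all" at the end gives softfail
    to anything not listed earlier.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "a" and str(ip) in a_lookup.get(arg, []):
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict, requiring v=DMARC1 and a valid p=."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record")
    return tags
```

An IP inside 212.58.55.192/26 or matching the A record passes; anything else falls through to ~all and is soft-failed, which is why receivers may still accept such mail but file it as spam.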

So now we have three lines added to example.db:

default._domainkey  IN  TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )

example.com. IN TXT "v=spf1 ip4:212.58.55.192/26 a:another.example.com ~all"

_dmarc.example.com. IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"

Restart the DNS server by doing: systemctl restart named

Test using https://dmarcadvisor.com/dkim-check/