Monday 8 January 2024

DKIM, SPF and DMARC

Beginning in February 2024, Gmail and Yahoo will enforce new requirements for bulk senders, to cut down on spam and abuse sent by email.

1. You have to be sending from a domain that you own (so, not etc).

2. You have to set up DKIM, SPF and DMARC.

DKIM is DomainKeys Identified Mail. When you send an email, your mail server signs it with a private key and adds a DKIM-Signature header to the message. The receiving mailer fetches the matching public key from a DNS TXT record under your domain (selector._domainkey.yourdomain) and checks the signature. This lets it confirm that the message really did come from your server and that the signed headers and body were not altered on the way.

SPF is Sender Policy Framework. Your domain publishes a TXT record listing the IP addresses that are allowed to send mail for it.

When you send an email message, the receiving system looks up the SPF record for the envelope sender (MAIL FROM) domain and compares the IP address that connected to it against that record:

  • If there is a valid SPF record AND your sending IP is on the list, you PASS.
  • If the IP is NOT on the list, you FAIL (or SOFTFAIL, depending on whether the record ends in -all or ~all) and the message could either be rejected or placed in the spam folder.

SPF on its own isn't as good as DKIM: it only checks the connecting IP and the envelope sender, so it breaks when mail is forwarded through another server, and it says nothing about whether the content was altered. DKIM survives forwarding because the signature travels with the message.
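To make the PASS/FAIL logic above concrete, here is a small SPF evaluator for the ip4, ip6 and all mechanisms, which is all a record like the one in this post uses. It is an added example, not code from the original post or from any SPF library; the records and addresses in it are constructed from the RFC 5737 and RFC 3849 documentation ranges, and mechanisms that need DNS lookups (a, mx, include, exists, ptr) are not resolved.

```python
"""SPF check for the ip4/ip6/all mechanisms, evaluated offline.

Added example; not from the original post. The records and addresses below
are constructed (RFC 5737 / RFC 3849 documentation ranges), and mechanisms
that need DNS lookups (a, mx, include, exists, ptr) are not resolved here.
"""
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2). No prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms.

    Returns None when the record is not an SPF record at all, which a
    receiver treats as "none" (no policy published).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        name = term.split(":", 1)[0]
        if "=" in name:          # modifier (redirect=, exp=): ignored in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, sending_ip):
    """Return the SPF result for the SMTP client address sending_ip.

    Terms are tried left to right; the first match decides, and an "all"
    term matches everything, which is why "~all" vs "-all" at the end
    chooses between softfail and fail for unknown senders.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, mechanism, argument in terms:
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                # e.g. "ip4:" with nothing after it: the record is malformed
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ptr need DNS; this offline checker cannot
        # finish the evaluation, which is what "temperror" signals.
        return "temperror"
    # No term matched and there is no trailing "all": default is neutral.
    return "neutral"


if __name__ == "__main__":
    # Constructed records: 192.0.2.0/24 is the (assumed) outbound mail range.
    soft = "v=spf1 ip4:192.0.2.0/24 ~all"
    hard = "v=spf1 ip4:192.0.2.0/24 -all"
    for rec, ip in [(soft, "192.0.2.25"), (soft, "198.51.100.7"),
                    (hard, "198.51.100.7"), ("v=spf1 ip4: ~all", "192.0.2.25")]:
        print(f"{ip:15} against {rec!r}: {check_spf(rec, ip)}")
```

Note the fourth case: an ip4: mechanism with nothing after it is a syntax error, and a receiver returns permerror for the whole record rather than skipping the broken term, so the record stops protecting you at all.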

DMARC is Domain-based Message Authentication, Reporting and Conformance.

It helps domains deal with domain spoofing and phishing attacks by preventing unauthorized use of the domain in the From: header (the address the recipient sees). A message passes DMARC only if it passes SPF or DKIM for a domain that aligns with the From: domain; the DMARC record says what receivers should do with messages that don't, and where to send reports.

So, how do you do that? I'm doing it for a Linux mail server (sendmail, with OpenDKIM). I'm not a "large sender", but I'm doing it anyway. First, let's install some software.

yum install -y opendkim
yum install -y opendkim-tools

Then edit the configuration file:

pico  /etc/opendkim.conf

For what to do, see

The key lines to add/modify are:

Mode   sv
KeyTable       /etc/opendkim/KeyTable
SigningTable   refile:/etc/opendkim/SigningTable
ExternalIgnoreList     refile:/etc/opendkim/TrustedHosts
InternalHosts  refile:/etc/opendkim/TrustedHosts

Now create a subdirectory (put your domain name where I put

mkdir /etc/opendkim/keys/

opendkim-genkey -D /etc/opendkim/keys/ -d -s default

chown -R opendkim:opendkim /etc/opendkim

systemctl start opendkim; systemctl enable opendkim
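The three files that the opendkim.conf lines above point at are not shown in the post, but without them OpenDKIM verifies incoming mail and signs nothing. Here is what they need to contain, as an added example that is not part of the original post: example.com and the selector default are assumed placeholders, with the private key where the opendkim-genkey line above puts it.

```text
# /etc/opendkim/KeyTable -- one line per signing key:
#   <key name>  <domain>:<selector>:<path to private key>
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

# /etc/opendkim/SigningTable -- which From: addresses are signed with which key
# ("refile:" in opendkim.conf is what allows the * wildcard here)
*@example.com default._domainkey.example.com

# /etc/opendkim/TrustedHosts -- mail from these hosts is signed instead of verified
127.0.0.1
::1
localhost
```

Once the DNS record from the next steps is published, opendkim-testkey -d example.com -s default -vvv (from the opendkim-tools package installed above) fetches it and reports whether the key is usable; that check is independent of sendmail, so it separates DNS problems from milter problems.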

And edit (in /etc/mail) to add

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Rebuild sendmail.cf from the edited .mc file (make -C /etc/mail, which needs the sendmail-cf package), then restart sendmail:

systemctl restart sendmail

cd /etc/opendkim/keys/
You'll see a file default.txt. Gaze on that: it is your public key, already formatted as a DNS TXT record. Then go to /var/named/db.example and add it:


default._domainkey  IN  TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )

Restart the DNS server by doing: systemctl restart named

And the DKIM record can be tested using

domain = selector = default

Next, SPF. You need to tell it the range of IP addresses your mail goes out from. Add to /var/named/db.example, at the zone apex (the bare domain name, written as @ in the zone file):

@ IN TXT "v=spf1 ip4: ~all"

SPF matches on the connecting IP address, so it works even for mailers that don't have reverse DNS (rDNS): put each address or CIDR range after ip4: (one ip4: mechanism per range). ~all is a softfail, which means mail from anywhere else is suspicious but receivers usually only mark it; -all is a hard fail, which tells receivers to reject it.

Finally, DMARC, which lives at _dmarc under the domain:

_dmarc IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"

p=none means take no action, just send aggregate reports to the email address email-address-for-reports. adkim=r and aspf=r ask for relaxed alignment, so a DKIM signature or SPF pass for a subdomain of the From: domain still counts.

Other options for p are quarantine and reject.
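The alignment and policy logic a receiver applies to that record, as an added example that is not code from the original post or from any DMARC implementation: it takes the SPF and DKIM results the receiver has already computed and returns the DMARC result plus the disposition the record asks for. example.com, the report address and the other domains are constructed placeholders, and the organizational-domain shortcut is a stated simplification.

```python
"""DMARC alignment and policy decision, evaluated offline.

Added example; not from the original post. It takes the SPF and DKIM results
a receiver has already computed and applies the record's alignment and policy
tags. The domains and records are constructed placeholders; example.com is
assumed to be the domain in the From: header.
"""

DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; ...' into a dict of tags.

    Returns None unless the record starts with v=DMARC1 and has a p= tag,
    which is the minimum for a receiver to treat it as a policy at all.
    """
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real receivers use the Public Suffix List so that mail.example.co.uk
    maps to example.co.uk; this shortcut is fine for example.com-style names.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exactly the same domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain  - domain in the RFC 5322 From: header (what the user sees)
    spf_domain   - domain SPF was checked for (the MAIL FROM / Return-Path)
    dkim_domain  - d= tag of a DKIM signature that verified, or None
    The disposition is what the record asks receivers to do on failure:
    "none" (just report), "quarantine" or "reject".
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", "none")      # no usable policy published
    aspf = tags.get("aspf", DEFAULTS["aspf"]).lower()
    adkim = tags.get("adkim", DEFAULTS["adkim"]).lower()
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = DEFAULTS["p"]     # unknown value: treat as monitor-only
    return ("fail", policy)


if __name__ == "__main__":
    monitor = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF fails (forwarder's IP) but the DKIM signature survives.
    print(evaluate_dmarc(monitor, "example.com", "fail", "example.com",
                         "pass", "example.com"))
    # Spoof: attacker's own domain passes SPF, but it does not align with From:.
    print(evaluate_dmarc(monitor.replace("p=none", "p=reject"), "example.com",
                         "pass", "attacker.example", "none", None))
```

The second case in the demo is the point of DMARC: a phisher can always publish SPF for a domain they control, so a raw SPF pass is worthless unless the authenticated domain lines up with the From: domain the recipient actually sees. The pct= and sp= tags are not handled here.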

So now we have three records added to db.example, each under its own owner name:

default._domainkey  IN  TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0.................IDAQAB" )
@  IN  TXT "v=spf1 ip4: ~all"
_dmarc  IN  TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:email-address-for-reports"

Restart the DNS server by doing: systemctl restart named
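To see how those three zone lines are built, and in particular why the DKIM record in default.txt is split into several quoted strings, here is a generator for them. It is an added example and not code from the original post or from OpenDKIM; it assumes the selector default, the domain example.com, a PEM-encoded public key as input, and the PEM body it ships with is a constructed placeholder of the right shape, not a real key.

```python
"""Build the three DNS TXT records (DKIM, SPF, DMARC) as zone-file lines.

Added example; not from the original post or OpenDKIM. It assumes the
selector "default", a DKIM public key in PEM form, and example.com as the
domain. The PEM body below is a constructed placeholder of the right shape,
not a real key.
"""
import re

TXT_STRING_MAX = 255   # one <character-string> inside a TXT record (RFC 1035)


def split_txt(value):
    """Quote a TXT value as one or more <=255-byte strings, the way
    default.txt from opendkim-genkey does: '( "part1" "part2" )'."""
    parts = [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]
    quoted = " ".join(f'"{p}"' for p in parts)
    return quoted if len(parts) == 1 else f"( {quoted} )"


def dkim_record(selector, public_key_pem):
    """selector._domainkey TXT record. The p= value is the base64 body of
    the PEM with headers and newlines stripped; any RSA key over 1024 bits
    pushes it past 255 characters, which is why the value must be split."""
    body = "".join(
        line.strip() for line in public_key_pem.strip().splitlines()
        if not line.startswith("-----")
    )
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("public key body is not base64")
    return f"{selector}._domainkey IN TXT {split_txt('v=DKIM1; k=rsa; p=' + body)}"


def spf_record(ranges, qualifier="~"):
    """Apex (@) SPF record listing outbound IPv4 ranges; ~all = softfail,
    -all = hard fail for every other sender."""
    if qualifier not in ("~", "-"):
        raise ValueError("qualifier must be ~ (softfail) or - (fail)")
    if not ranges:
        raise ValueError("at least one ip4 range is needed: 'ip4:' alone is invalid")
    mechanisms = " ".join(f"ip4:{r}" for r in ranges)
    return f'@ IN TXT "v=spf1 {mechanisms} {qualifier}all"'


def dmarc_record(policy, rua, adkim="r", aspf="r"):
    """_dmarc TXT record; p= is the action receivers take on failure."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return (f'_dmarc IN TXT "v=DMARC1; p={policy}; adkim={adkim}; '
            f'aspf={aspf}; rua=mailto:{rua}"')


def zone_fragment(public_key_pem, ranges, rua, policy="none", selector="default"):
    """The three lines to append to the zone file, joined into one string."""
    return "\n".join([dkim_record(selector, public_key_pem),
                      spf_record(ranges), dmarc_record(policy, rua)])


# Constructed placeholder: base64 alphabet only, sized like a 2048-bit
# SubjectPublicKeyInfo (392 characters) so that the split into two strings shows.
PLACEHOLDER_BODY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 342 + "IDAQAB"
PLACEHOLDER_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + "\n".join(PLACEHOLDER_BODY[i:i + 64]
                               for i in range(0, len(PLACEHOLDER_BODY), 64))
                   + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(zone_fragment(PLACEHOLDER_PEM, ["192.0.2.0/24"], "dmarc@example.com"))
```

opendkim-genkey happens to break the DKIM value after "k=rsa; " rather than at exactly 255 characters, as in the record shown above; either is fine, because resolvers concatenate the strings of a TXT record. What is not fine is pasting a long p= value as one string, which BIND refuses to load. The spf_record check also refuses an empty range list, which is the "ip4:" with nothing after it shown in the SPF line above and which receivers treat as a broken record.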

Test using