How to configure SPF, DKIM and ultimately DMARC for mail server?

Mail Server Antispam

In server security aspect, IT staffs who manage mail servers or SMTP servers all know that spam mails are the primary enemy other than hackings of other sort. There are different ways to prevent both incoming and outgoing spam mails.

For incoming mails, keyword filtering, graylisting, IP & domain blacklisting are the basic strategies. For outgoing mails, tightening up password complexity on individual client PCs and blacklisting intruding brute force password wild-guessing are must.

Recipient Mail Server Returns Mail or Treat as Spam Mail

Today, we will focus on preventing mails from being returned or being placed in spam folders in destination server. Mail Server Lesson 101 tells you to keep your IP and domain off blocklists on Internet community such as Spamhaus, DNSBL and many others. In case of being listed, visit these blocklist websites and find out what can be done to be de-listed.

Gmail and Outlook.com/Office 365 Antispam Scheme

For the past few years, Gmail and Outlook.com/Office365 started to evaluate whether an incoming mail is spam or not by checking its SPF and DKIM value. Yet, DMARC record will also be verified. Not only this, major mail service providers also explicitly urge senders to deploy all three records or mails will be rejected.

What are SPF, Dkim and DMARC?

Implementation of SPF, DKIM and DMARC is a more implicit way toward antispam purpose. In case you are wondering what they are, look them up in wiki. Once it is set, leave it there with no further action. When mails from your mail server arrive at destination, the receiving mail server will look for these three records in your DNS hosting service. If it looks alright, then mails will go straight into recipient’s inbox. If something is wrong, then mails will either be returned or placed in spam folder.

If you cannot be sure what your mail server has been configured, then you can use MXToolBox website to check:

In case you forgot MXToolBox, you can still google keywords such as dkim checker, dkim record, dkim validator, dkim test and so on. For SPF and DMARC, you can simply swap dkim with spf and dmarc.

The reason behind grouping these three records is that both SPF and DKIM must be configured prior to implentation of DMARC. Let us first start the how-to on SPF, DKIM and then DMARC. For the following example, we will use Zoneedit DNS service provider:

SPF:

When you open DNS record list and add a SPF record, look for SPF record type. If SPF is not available in the record list, selecting TXT record would work too. For HOST, keep default value of @. In TEXT part, enter generic setting shown as below:

Zoneedit SPF record

“v=spf1 a mx ip4:123.123.123.123 ptr ~all”

Note: The quotation mark may or may not be needed. Check with syntax usage on your DNS service. The IP address following “ip4:” is your mail server’s IP address. Syntax usage is available in SPF wiki since OpenSPF official website is not available at the moment of writing.

DKIM:

There are two ways of producing DKIM key pair. One is simply getting private key and public key from DKIM Generator on Internet. The downside of it is that the private key will not be consistent with the private key you use for your mail server’s SSL certificate.

DKIM Generator

Another one is using mail server to natively generate both private key and public key. We will benefit from using the same private key for both DKIM and SSL certificate. It will save us time in the long run.

EVO Mail Server DKIM generator

Let’s cut to the point. Here are the steps:

Zoneedit DKIM record
  1. Once private key and public key are ready, log in DNS service and add a DKIM record using TXT record type.
  2. For HOST value, enter selector given by your mail server’s DKIM feature. In case you do not know the DKIM selector value, consult your mail server vendor. For EVO Mail Server, the value is simply evoms_domainkey.
  3. In TEXT part, put down DKIM public key that we previously created. The syntax should look like below:
    v=DKIM1; p=public key value

  4. public key value is the public key you get from DKIM Generator. If with EVO Mail Server, simply click on blue solution button to the right of DKIM check in Network section of Status page. There will pop up a notepad page, simpl select all and copy & paste them.

Note: With DKIM Generator method, be sure to save the private key as yourdomain.crt file and store it in mail server’s certificate folder. If you did not save it and lose the private key, then everything will start all over again. On the other hand, if your mail server natively support generating DKIM, then private key file should have already been saved somewhere inside mail server.

Practically, we can check both SPF and DKIM in Gmail’s INBOX. Open a testing e-mail sent from your mail server. Click on “3-dots” at top-right and click on Show original:

Gmail – Show original

Then, in the popup window, we will see that both SPF and DKIM have a pass status:

Gmail – SPF and DKIM pass status

DMARC

After we confirm both SPF and DKIM records are set and valid from the Gmail verification as well as MXToolBox checking below:

we can continue with DMARC:

Zoneedit DMARC record
  1. Log in DNS service and add a DMARC record, using TXT record type.
  2. For HOST value, simply enter _dmarc.
  3. For TEXT part, refer to DMARC’s official website. An example would look like this below:
    v= DMARC1; p=none; rua=mailto:postmaster@yourdomain.com
  4. Once the record is saved, wait for a few hours for DNS settings to kick in. Then, use MXToolBox website to check if DMARC record is looking good?
  5. In the future, receiver mail server will send a forensic or aggregate report to the e-mail address specified in the syntax string for further analysis.
MXToolBox check DMARC

To conclude, your mail server should look good to avoid being recognized as a spam mail source due to the reason of lacking SPF, DKIM and DMARC records when mails arrive at receiving mail server. The above implementation not only works for typical mail server which supports SPF, DKIM and DMARC, but it also works for some appliance mail server such as Synology MailPlus Server (Refer to the admin guide).



Leave a Reply