Email server setup with SPF, DKIM, and DMARC
I have recently played with the idea of setting up an SMTP server for a friend’s custom domain, and wanted to share the working setup.
The boky/postfix Docker image turned out to be quite useful, especially because it’s set up with a mechanism for generating the DKIM keys.
So here are the two steps to sending emails from a custom domain:
1. Postfix setup
$ docker run --rm --name postfix \
    -v `pwd`/opendkim-keys:/etc/opendkim/keys \
    -e "ALLOWED_SENDER_DOMAINS=feedsubscription.com" \
    -e "DKIM_AUTOGENERATE=yes" \
    -e "INBOUND_DEBUGGING=yes" \
    --no-healthcheck \
    -p 1587:587 \
    boky/postfix
One more thing about the Postfix container: if you want to persist the queue between container restarts/rebuilds, pass in a volume for /var/spool/postfix, for example:
2. DNS setup: SPF, DKIM, and DMARC
We need to add 3 TXT records in the feedsubscription.com domain:
|Type|Host|Value|Note|
|---|---|---|---|
|SPF|@|v=spf1 mx -all|See below¹|
|DKIM|mail._domainkey|v=DKIM1; h=sha256; k=rsa; s=email; p=XXXX|See below²|
|DMARC|_dmarc|v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; adkim=s; aspf=s||
¹ This particular SPF value assumes we already have a proper MX record.
² The complete definition for the DKIM record is generated by the container because of DKIM_AUTOGENERATE=yes, and in this particular setup can be found in
ssmtp to test the setup. I needed to have this in
…then I can send an email:
$ ssmtp -vvv email@example.com < email.txt
$ docker logs -f <container_name>
I specifically enabled logging in the Postfix setup above with INBOUND_DEBUGGING=yes so that I can see what’s happening.
A lil closing note
Although I am a little confused about the value of the DMARC record, without it the emails land in the spam folder.
Happy email sending!
Update Aug 29
Because last week we had a phishing incident at work, I googled some more about the mechanics of SPF, DKIM, and DMARC.
When an SMTP server receives an email from a domain, it can use SPF to verify that the sending server is authorized to send emails for that domain. For example, if I bring up a Postfix container on my laptop and send an email from firstname.lastname@example.org, the receiving SMTP server can query the DNS for feedsubscription.com, get its SPF record and verify that my laptop is in the list of permitted senders. If it’s not in the list, it can mark the message as spam or reject it altogether.
DKIM is just an additional level of authentication based on public-key cryptography. It adds a header to the email message — DKIM-Signature — which can be verified by the receiving SMTP server by checking the corresponding DKIM record in the feedsubscription.com DNS.
DMARC builds on both SPF and DKIM, and allows for more sophisticated policies. The receiving SMTP server can look at the DMARC record and decide what to do with every message. And this is why having DMARC — and also SPF and DKIM — gives the sender a higher level of confidence that a message will reach its recipient: the receiver can be more confident about who actually sent it.
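As an added example (not from the original post), here is a small Python checker that parses the three TXT records from the table above and flags the failure modes discussed: no restrictive SPF "all" mechanism, an empty DKIM public key, and a missing DMARC policy (the case where mail landed in spam). The record values are constructed copies of the table (p=XXXX stands in for the real key); in practice you would fetch them from DNS first.

```python
from typing import Dict, List

# Constructed samples mirroring the post's DNS table (not fetched from DNS)
SPF_RECORD = "v=spf1 mx -all"
DKIM_RECORD = "v=DKIM1; h=sha256; k=rsa; s=email; p=XXXX"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; adkim=s; aspf=s"


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' style record (DKIM / DMARC) into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_records(spf: str, dkim: str, dmarc: str) -> List[str]:
    """Return a list of problems; an empty list means the three records look sound."""
    problems = []

    # SPF: must carry the v=spf1 version and end with a restrictive 'all',
    # otherwise hosts not listed in the record are still allowed to pass.
    terms = spf.split()
    if not terms or terms[0] != "v=spf1":
        problems.append("SPF: missing v=spf1 version tag")
    elif terms[-1] not in ("-all", "~all"):
        problems.append("SPF: no restrictive 'all' mechanism; unlisted hosts would pass")

    # DKIM: needs the version, an rsa key and a non-empty public key,
    # since receivers verify the DKIM-Signature header against p=.
    d = parse_tags(dkim)
    if d.get("v") != "DKIM1":
        problems.append("DKIM: missing v=DKIM1 version tag")
    if d.get("k", "rsa") != "rsa":
        problems.append("DKIM: unexpected key type %r" % d.get("k"))
    if not d.get("p"):
        problems.append("DKIM: empty public key (p=), signatures cannot be verified")

    # DMARC: a policy must exist; without one receivers fall back to their own
    # spam heuristics, which is what put the post's mail in the spam folder.
    m = parse_tags(dmarc)
    if m.get("v") != "DMARC1" or "p" not in m:
        problems.append("DMARC: missing record or policy; receivers may treat mail as spam")
    elif m["p"] not in ("none", "quarantine", "reject"):
        problems.append("DMARC: invalid policy %r" % m["p"])
    if "rua" not in m:
        problems.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return problems
```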
Here are a couple of links that I found informative: