First Try...

My first attempt at blogging...

setting up OpenDKIM on Postfix on FreeBSD...

For most of the existence of my email server I had kept it to a minimal configuration. To make sure things were set up correctly, so that the big players (Gmail, Hotmail, Outlook and others) would deliver my email to their accounts, the only thing I had done was to make sure I had the Sender Policy Framework (SPF) record correctly set in my DNS.
The main objective of this SPF entry in the DNS was to prevent email spoofing and improve the delivery of emails from my domain.

Following some of the advice from several places around the web, another step to improve spoofing prevention, delivery and authenticity of emails is to also have DomainKeys Identified Mail (DKIM), which is an email authentication method that adds a digital signature to outgoing emails.

For a better explanation of what DKIM is and how it works you can visit the Wikipedia page:
DomainKeys Identified Mail

It is also worth noting that if you are classified as a mass sender, both Google and Microsoft enforce the use of DKIM to make sure the email gets delivered to their domains.

Based on this, I started looking into how to install and configure DKIM on my mail server, to make sure I follow the advice even if I am not (or am not classified as) a mass sender.

The plan we need to go through is more or less this:
  1. install and configure the OpenDKIM port;
  2. configure Postfix to start using OpenDKIM;
  3. generate the DKIM keys and update the DNS;
  4. bring it all together and test.
With this basic plan, let's start.

install and configure OpenDKIM port


As usual we just need to find the location of the port, which is /usr/ports/mail/opendkim, so:
# cd /usr/ports/mail/opendkim
# make config
# make install clean
...
...
===> Cleaning for opendkim-2.10.3_22
#


Now that we have the OpenDKIM port installed, it needs to be configured to be usable, meaning that it will be able to DKIM sign the emails as they go out.
First we configure OpenDKIM, and we do that by editing the file /usr/local/etc/mail/opendkim.conf and modifying the following options as needed:
Domain yourdomain.com
KeyFile /usr/local/etc/mail/dkim/dkim.key.pem
ReportAddress "DKIM Error Postmaster" <postmaster@yourdomain.com>
Mode s
Selector dkim
Socket inet:8991@localhost
UserID mailnull

A few explanations of the above options:
Domain - the domain that sends mail.
KeyFile - path to the private key that will be used to DKIM sign your outgoing mail. Note that the name here has to match the file that actually holds the key: opendkim-genkey, used below, writes it as <selector>.private (dkim.private in this post), so either rename that file or point KeyFile at it, otherwise OpenDKIM will not be able to sign.
ReportAddress - a mail address for reporting any issues related to DKIM; normally point it to the postmaster mailbox.
Mode - as we are only interested in signing outgoing mail, we set this option to s, meaning sign only.
Selector - the selector to be used on the mail; it should match the DNS record that will need to be created.
Socket - the socket where opendkim should listen for connections from the MTA.
UserID - the user id OpenDKIM will run as.

As with other daemons, we want opendkim to start at boot, and from the few guides I read we should also supply a user id that opendkim will run as.
You can create your own user, but from my findings in the different tutorials you can use, for example, the "mailnull" user that should already exist on your system.
We configure all of the above by editing the file /etc/rc.conf and adding the following lines at the bottom of it:
milteropendkim_enable="YES"
milteropendkim_UID="mailnull"


configure Postfix to use OpenDKIM


To configure Postfix to start using OpenDKIM for signing the outgoing emails we will need to modify main.cf, which you can find in /usr/local/etc/postfix, by adding the following lines at the bottom:
smtpd_milters= inet:127.0.0.1:8991
non_smtpd_milters= $smtpd_milters
milter_default_action = accept

Then the usual save and exit.
Here it is important that the option smtpd_milters= inet:127.0.0.1:8991 matches, in terms of port and address, the Socket setting made in opendkim.conf above.
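Because the two files spell the same endpoint differently (OpenDKIM writes inet:PORT@HOST, Postfix writes inet:HOST:PORT), a mismatch is easy to miss by eye. The following sh script is an added example, not part of the original post or of OpenDKIM/Postfix: it reduces both notations to HOST:PORT and compares them. The file path is the one used in this post, and postconf -h is Postfix's standard way of printing a single parameter value.

```shell
#!/bin/sh
# Added example, not from the original post: check that Postfix and OpenDKIM
# agree on the milter endpoint. OpenDKIM's Socket uses inet:PORT@HOST, Postfix's
# smtpd_milters uses inet:HOST:PORT; both are reduced to HOST:PORT and compared.

OPENDKIM_CONF=/usr/local/etc/mail/opendkim.conf   # path used in this post

# inet:8991@localhost -> 127.0.0.1:8991
norm_opendkim_socket() {
    spec=${1#inet:}
    port=${spec%%@*}
    host=${spec#*@}
    case $host in localhost) host=127.0.0.1 ;; esac
    printf '%s:%s\n' "$host" "$port"
}

# inet:127.0.0.1:8991 -> 127.0.0.1:8991 (also accepts inet:localhost:8991)
norm_postfix_milter() {
    spec=${1#inet:}
    host=${spec%:*}
    port=${spec##*:}
    case $host in localhost) host=127.0.0.1 ;; esac
    printf '%s:%s\n' "$host" "$port"
}

# Exit status 0 when both notations name the same endpoint.
milter_endpoints_match() {
    [ "$(norm_opendkim_socket "$1")" = "$(norm_postfix_milter "$2")" ]
}

# Read the live values: the Socket line from opendkim.conf and the Postfix
# parameter via postconf -h (prints only the value). Milter specs that are not
# inet: (for example unix: sockets) are outside what this check understands.
check_live_config() {
    dk=$(awk '$1 == "Socket" { print $2 }' "$OPENDKIM_CONF")
    pf=$(postconf -h smtpd_milters)
    if milter_endpoints_match "$dk" "$pf"; then
        echo "OK: OpenDKIM Socket $dk and Postfix smtpd_milters $pf are the same endpoint"
    else
        echo "MISMATCH: OpenDKIM Socket $dk vs Postfix smtpd_milters $pf" >&2
        return 1
    fi
}
```

Source the file and run check_live_config on the mail server after both files have been edited; a MISMATCH means Postfix will fail to connect to the milter, and with milter_default_action = accept that failure is silent: mail goes out unsigned.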

DKIM Key generation and DNS update


When we installed the OpenDKIM port, one of the utilities that came with it was opendkim-genkey, which can and should be used to generate the necessary key. One advantage is that it will also generate a txt file with the public key and the contents that should be used to create/update the DNS TXT entry needed for DKIM.
To generate the key we can simply use:
# opendkim-genkey -D /usr/local/etc/mail/dkim -d yourdomain.com -s dkim
# ls /usr/local/etc/mail/dkim
dkim.private dkim.txt
#

The opendkim-genkey command above generated a private key, dkim.private, where dkim is the selector chosen with -s, and dkim.txt, which contains the information needed for creating/updating the DNS entry required for DKIM:
# more /usr/local/etc/mail/dkim/dkim.txt
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl/jJ3MZdMa0BWoqcQUcnYJzGbEPXVof2MpjwoXrfKyL42P6ei26V6jdJx3og0MlyN7LIknSpZXptdaYDy16BW2PG/Pt+7tP8xsi43qc3ttqiR/OJcRk9NPkOYa1eNikl+pNkCyc0MKhlgQUy3PmTV3iPrDxTFdBFNtqfTRU2bZQIDAQAB" ) ;
----- DKIM key dkim for yourdomain.com
#

Now we just need to create/add the DNS entry for DKIM with the content above. Of course, this will depend on which DNS provider you are using, and you will have to make some adjustments accordingly.
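The dkim.txt file is written in BIND zone-file syntax, with the value split into several quoted strings and a trailing comment line, while most DNS providers' web forms want a single string. The following sh script is an added example, not part of the original post or of OpenDKIM: it flattens the file into that single string, checks that the public key in dkim.txt really belongs to dkim.private, checks that the private key is owned by the user OpenDKIM runs as, and compares what DNS actually serves with the file. Paths, domain, selector and user are the ones used in this post (overridable through the environment); the sample record embedded in the script is constructed with a placeholder key.

```shell
#!/bin/sh
# Added example, not from the original post: checks around the DNS step.
#  1. flatten the dkim.txt written by opendkim-genkey into one string, the form
#     most DNS providers' web forms expect;
#  2. confirm the p= public key in dkim.txt really belongs to dkim.private;
#  3. confirm the private key is owned by the user OpenDKIM runs as;
#  4. fetch what DNS actually serves and compare it with dkim.txt.
# Paths, domain, selector and user follow this post; override via environment.

DKIM_DIR=${DKIM_DIR:-/usr/local/etc/mail/dkim}
DOMAIN=${DOMAIN:-yourdomain.com}
SELECTOR=${SELECTOR:-dkim}
DKIM_USER=${DKIM_USER:-mailnull}

# Constructed sample in the layout opendkim-genkey uses (placeholder key, not a real one).
SAMPLE_DKIM_TXT='dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=EXAMPLEPART1" "EXAMPLEPART2" ) ;
----- DKIM key dkim for yourdomain.com'

# Join the quoted chunks of a genkey TXT record (read from stdin) into one line.
# genkey splits the value because a single DNS string is limited to 255 bytes,
# and the trailing "----- DKIM key ..." line is a comment that must not be published.
flatten_txt_record() {
    awk '
        /^-----/ { next }
        {
            s = $0
            while (match(s, /"[^"]*"/)) {
                out = out substr(s, RSTART + 1, RLENGTH - 2)
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END { print out }'
}

# Print the value of the p= tag from a flattened record given as $1.
public_key_tag() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Strip quotes and whitespace so records from different sources compare equal.
canonical() {
    tr -d '" \t\n'
}

# The p= tag is the base64 of the DER-encoded public key, which is exactly what
# openssl produces from the private key with -pubout -outform DER.
keys_match() {
    expected=$(public_key_tag "$(flatten_txt_record < "$DKIM_DIR/$SELECTOR.txt")")
    actual=$(openssl rsa -in "$DKIM_DIR/$SELECTOR.private" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# genkey creates the private key owned by whoever ran it (root here), but OpenDKIM
# reads it as UserID, so the owner (third column of ls -l) should be that user.
key_owned_by_dkim_user() {
    owner=$(ls -l "$DKIM_DIR/$SELECTOR.private" | awk '{ print $3 }')
    [ "$owner" = "$DKIM_USER" ]
}

# Compare the published TXT record with the local file (needs network access).
dns_matches_file() {
    published=$(dig +short TXT "$SELECTOR._domainkey.$DOMAIN" | canonical)
    local_rec=$(flatten_txt_record < "$DKIM_DIR/$SELECTOR.txt" | canonical)
    [ -n "$published" ] && [ "$published" = "$local_rec" ]
}
```

Run flatten_txt_record < /usr/local/etc/mail/dkim/dkim.txt to get the string to paste into the provider's form, and dns_matches_file once the change has propagated. If key_owned_by_dkim_user fails, change the owner of dkim.private to mailnull (keeping it mode 0600), otherwise OpenDKIM, running as mailnull, cannot read the key and will not sign anything. OpenDKIM also ships opendkim-testkey, which performs the DNS check from OpenDKIM's own point of view: opendkim-testkey -d yourdomain.com -s dkim -k /usr/local/etc/mail/dkim/dkim.private -vvv.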

bring it all together


We have now done all the needed installations and configurations, and created/added the needed keys to the DNS, so we should now start/restart all the services to force a reload of the new configurations and to start the newly added opendkim service.
Let's start with Postfix, which in this case is already running, so we just need to force a reload of the service:
# /usr/local/etc/rc.d/postfix reload
postfix: Postfix is using backwards-compatible default settings
postfix: See https://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.11" and "postfix reload"
postfix/postfix-script: refreshing the Postfix mail system
#


Then we start the opendkim service, and for that we use the rc.d script milter-opendkim:
# /usr/local/etc/rc.d/milter-opendkim start
Starting milteropendkim.
# tail /var/log/maillog
Apr 9 18:54:27 myserver postfix/postfix-script[4393]: refreshing the Postfix mail system
Apr 9 18:54:27 myserver postfix/master[4496]: reload -- version 3.11.1, configuration /usr/local/etc/postfix
Apr 9 19:01:05 myserver opendkim[4857]: OpenDKIM Filter v2.10.3 starting (args: -l -u mailnull -P /var/run/milteropendkim/pid -x /usr/local/etc/mail/opendkim.conf)
#

In the tail of the mail log you can still see the output of the Postfix reload, followed by the line logged by OpenDKIM as it starts, which shows the configuration options it was started with.

Now that the needed services are up and running, for a simple test we just need to start our preferred email client, write a new email and send it. One suggestion is to send an email to a Gmail account, so you can see both the DKIM signature and, by inspecting the headers, the validation of that signature done by the Google servers.
A sample email will contain a signature similar to this in the header part of the message:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=yourdomain.com; s=dkim; t=1781025234; bh=WN9zG8ri2ZRzvZ5SjNL6cyH1Ntq2vIId/mbfTBpfmoc=; h=Date:To:From:Subject; b=nhg8s2kAd3fzO/J+X//CcT8sqWWT81x7m45ddwaueYASkeRuEBvu+rFyjZ1DHYSjA KosMvmG4mKcxlpbcP6YkY2aIITzFRHQmOYo5OwaM8qFwMPrPbVa53tgUQb++cRbAZ2 Owqh360cGz0XPlaOaBhqWhYhFBGysboXJrskSFR4=
And if you send it to a Gmail account, you should find the following statement somewhere in the headers if everything is working as expected:
Authentication-Results: mx.google.com; dkim=pass header.i=@yourdomain.com header.s=dkim header.b=R026mMpi;
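Reading those two headers by eye works for one test message, but it is handy to have the same check scripted, for example to confirm that the d= and s= in the signature are the domain and selector you configured and that the receiver's verdict is dkim=pass. The following sh functions are an added example, not part of the original post or of OpenDKIM: they unfold the header block of a message read from stdin, pick out the DKIM-Signature tags and the dkim= result from Authentication-Results, and report. The message embedded in the script is constructed from the headers shown above, with placeholder hash and signature values.

```shell
#!/bin/sh
# Added example, not from the original post: read a received message from stdin,
# unfold its headers and report the DKIM facts: who signed (d=, s=, a=) and what
# the receiving server decided (dkim=pass/fail in Authentication-Results).

# Constructed sample message (placeholder hash/signature values, not real ones),
# laid out like the headers shown in this post.
SAMPLE_MESSAGE='Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=dkim header.b=EXAMPLEB;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=yourdomain.com; s=dkim;
        t=1781025234; bh=EXAMPLEBODYHASH=; h=Date:To:From:Subject;
        b=EXAMPLESIGNATURE
From: you@yourdomain.com
Subject: DKIM test

body text'

# Join folded header lines (continuations start with whitespace); stop at the
# blank line that ends the header block.
unfold_headers() {
    awk '
        /^$/ { exit }
        /^[ \t]/ { sub(/^[ \t]+/, ""); cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }'
}

# Print the value of the first header named $1 (case-insensitive) from unfolded headers on stdin.
header_value() {
    awk -v name="$1" '
        tolower($0) ~ ("^" tolower(name) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print tag $1 (for example d, s, a, b) from a DKIM-Signature value on stdin.
dkim_tag() {
    tr ';' '\n' | sed -n "s/^[[:space:]]*$1=//p"
}

# Print the dkim= result (pass, fail, none, ...) from an Authentication-Results value on stdin.
dkim_verdict() {
    tr ' ;' '\n\n' | sed -n 's/^dkim=//p'
}

# Summarise a message on stdin; exit 0 only if it was signed with the expected
# domain ($1) and selector ($2) and the receiver reported dkim=pass.
dkim_summary() {
    want_domain=$1
    want_selector=$2
    msg=$(cat)
    sig=$(printf '%s\n' "$msg" | unfold_headers | header_value DKIM-Signature)
    ar=$(printf '%s\n' "$msg" | unfold_headers | header_value Authentication-Results)
    d=$(printf '%s\n' "$sig" | dkim_tag d)
    s=$(printf '%s\n' "$sig" | dkim_tag s)
    a=$(printf '%s\n' "$sig" | dkim_tag a)
    verdict=$(printf '%s\n' "$ar" | dkim_verdict)
    printf 'signature: d=%s s=%s a=%s\nreceiver verdict: %s\n' \
        "${d:-none}" "${s:-none}" "${a:-none}" "${verdict:-not reported}"
    [ "$d" = "$want_domain" ] && [ "$s" = "$want_selector" ] && [ "$verdict" = "pass" ]
}
```

Save the test message from Gmail with "Show original" (or any client's raw-message export), then run dkim_summary yourdomain.com dkim < message.eml. A signature present but a verdict other than pass usually points at the DNS side (selector or record content), while no DKIM-Signature at all means Postfix never reached the milter.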

And that is it when it comes to using DKIM signatures with the help of OpenDKIM in Postfix running on a FreeBSD server.
My next step, and potentially a new blog post here, will be related to DMARC (Domain-based Message Authentication, Reporting, and Conformance), which is an email security protocol that helps protect your domain from being used in phishing and spoofing attacks.