There are many great articles on the internet for reference; here’s what I referenced.
Create TXT DNS record for your domain
# GoDaddy example
Type Name Value TTL
TXT @ v=spf1 include:spf.sendinblue.com mx ~all 1 Hour
Check SPF information
dig your_domain txt
# Example output
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> yoursite.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63849
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yoursite.com. IN TXT
;; ANSWER SECTION:
yoursite.com. 1617 IN TXT "Sendinblue-code:sss34343"
yoursite.com. 1617 IN TXT "v=spf1 include:spf.sendinblue.com mx ~all"
;; AUTHORITY SECTION:
yoursite.com. 1242 IN NS ns12.domain.com.
yoursite.com. 1242 IN NS ns34.domain.com.
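A local check of the TXT answers shown above, as an added example that is not part of the original post: the hypothetical helper spf_lint confirms that exactly one v=spf1 record is published, reports the "all" qualifier, and counts the top-level terms that trigger DNS lookups (RFC 7208 allows at most 10). The sample input is constructed from the dig answer section above; lookups inside included records are not followed.

```sh
#!/bin/sh
# Added example (not from the original post). spf_lint reads TXT strings,
# one per line as printed by `dig +short your_domain txt`, and prints:
#   records=<n> all=<term|none> lookups=<n> verdict=<ok|warn|fail>
spf_lint() {
    records=0 all=none lookups=0 spf=
    while IFS= read -r line || [ -n "$line" ]; do
        # Join multi-string TXT data, drop dig's quotes, fold case.
        txt=$(printf '%s\n' "$line" |
              sed 's/" "//g; s/^"//; s/"$//' | tr 'A-Z' 'a-z')
        case $txt in
            v=spf1|"v=spf1 "*) records=$((records + 1)); spf=$txt ;;
        esac
    done
    set -f                      # terms such as ?all must not glob
    for term in $spf; do
        bare=${term#[-+?~]}     # strip the optional qualifier
        case $bare in
            all)
                # A bare "all" carries the default "+" qualifier.
                if [ "$term" = all ]; then all=+all; else all=$term; fi ;;
            include:*|a|a[:/]*|mx|mx[:/]*|ptr|ptr:*|exists:*|redirect=*)
                # Terms that cost a DNS lookup (RFC 7208, section 4.6.4).
                lookups=$((lookups + 1)) ;;
        esac
    done
    set +f
    verdict=ok
    # Only ~all (softfail) and -all (fail) restrict unlisted senders.
    case $all in '~all'|-all) ;; *) verdict=warn ;; esac
    # Zero or several SPF records, or more than 10 lookups, is a permerror.
    if [ "$records" -ne 1 ] || [ "$lookups" -gt 10 ]; then verdict=fail; fi
    printf 'records=%s all=%s lookups=%s verdict=%s\n' \
        "$records" "$all" "$lookups" "$verdict"
}

# Constructed sample: the two TXT strings from the example dig answer.
sample_txt() {
    printf '%s\n' '"Sendinblue-code:sss34343"' \
                  '"v=spf1 include:spf.sendinblue.com mx ~all"'
}

sample_txt | spf_lint
```

Against a live domain, pipe `dig +short your_domain txt` into spf_lint instead of the sample.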
Adding SPF policy agent to check incoming emails
Install pypolicyd-spf
sudo yum install pypolicyd-spf
Create user for pypolicyd-spf
sudo adduser policyd-spf --user-group --no-create-home -s /bin/false
Update postfix configuration, add pypolicyd-spf configuration
Edit postfix master.cf file
sudo vi /etc/postfix/master.cf
Append the lines below to the end of the file (the second line must start with whitespace so Postfix reads it as a continuation)
policyd-spf unix - n n - 0 spawn
  user=policyd-spf argv=/usr/libexec/postfix/policyd-spf
Edit postfix main.cf file
sudo vi /etc/postfix/main.cf
Append the lines below to the end of the file (the restriction lines must start with whitespace so Postfix reads them as continuations)
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policyd-spf
Save, close and restart postfix
sudo systemctl restart postfix
Adding DKIM configuration
Install opendkim perl-Getopt-Long
sudo yum install opendkim perl-Getopt-Long
Edit /etc/opendkim.conf file
sudo vi /etc/opendkim.conf
# Find and update below lines
Mode v -> Mode sv
ReportAddress "Leveraon Inc Help Desk" <help-desk@leveraon.com>
# Comment out this line
KeyFile /etc/opendkim/keys/default.private
# Uncomment below lines
# KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# InternalHosts refile:/etc/opendkim/TrustedHosts
# Save & Close file
Create the corresponding signing table, key table and trusted hosts files
Create /etc/opendkim/SigningTable file
sudo vi /etc/opendkim/SigningTable
# Add/Update below information
*@your-domain.com mail._domainkey.your-domain.com
# Save & Close file
Create /etc/opendkim/KeyTable file
sudo vi /etc/opendkim/KeyTable
# Add/Update below information
mail._domainkey.your-domain.com your-domain.com:mail:/etc/opendkim/keys/your-domain.com/mail.private
# Save & Close file
Create /etc/opendkim/TrustedHosts file
sudo vi /etc/opendkim/TrustedHosts
# Add/Update below information
.your-domain.com
# Save & Close file
Generate Private/Public Keypair
Create key folder
sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mail -v
# Example output
opendkim-genkey: generating private key
opendkim-genkey: private key written to mail.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to mail.txt
Grant opendkim ownership of the keys folder
sudo chown opendkim:opendkim /etc/opendkim/keys/ -R
Adding your public key to your domain DNS record
Get your public key
sudo cat /etc/opendkim/keys/your-domain.com/mail.txt
# Example
v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAABCQ8AMIIBCgKCAQEApai+35N20K6KpRV2r7QFdbUB3djake1rOrJhzV6dRAV8Tew3jkuEnN6G+/rJiRw6i7DtL4rw3EndouFyq0TDgDeYdddFfRBJKtzaL6Z4Rd95k0SW4x+/uHBC+fNR56aQCMLlLJwxpwNIj1gnU/OEWw1muJcNxHcLshhWJiiPUoNwicGYsUud5HZlbCBLPze3rg09d+ywv+ttxqdlkMmK2du1vpwz0PulCl45Kf5806qzx49EEf8DsBE1fyPTwKfx8zH4u5A/zlymdCAwPXyS1MVTOGo2S3fxTAIbSY8nbzTd+NlPELFDDPz2qVkPe+F9UvIcQitTY/YZWIkNBdMpaHELLOWD
Testing DKIM configuration
Run the command below to test DKIM
sudo opendkim-testkey -d your-domain.com -s mail -vvv
# Example output
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.your-domain.com'
opendkim-testkey: key OK
Enable opendkim service
sudo systemctl start opendkim
sudo systemctl enable opendkim
Create connection between postfix and opendkim
Edit /etc/postfix/main.cf file
sudo vi /etc/postfix/main.cf
# Append below lines to the end of the file.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Save & Close
Add the postfix user to the opendkim group
sudo gpasswd -a postfix opendkim
Restart postfix
sudo systemctl restart postfix