Enhance email deliverability by implementing SPF & DKIM on RHEL7

There’re many great articles on internet for reference, here’re what I referenced.

What is DKIM & SPF? And How to Set It Up?

Table of Contents

Create TXT DNS record for your domain

# Godaddy example
Type	Name	Value	                                    TTL
TXT	    @	    v=spf1 include:spf.sendinblue.com mx ~all	1 Hour

# Check SPF information
dig your_domain txt

# Example output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> yoursite.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63849
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yoursite.com.			IN	TXT

;; ANSWER SECTION:
yoursite.com.		1617	IN	TXT	"Sendinblue-code:sss34343"
yoursite.com.		1617	IN	TXT	"v=spf1 include:spf.sendinblue.com mx ~all"

;; AUTHORITY SECTION:
yoursite.com.		1242	IN	NS	ns12.domain.com.
yoursite.com.		1242	IN	NS	ns34.domain.com.

Adding SPF policy agent to check incoming emails

# install pypolicyd-spf
sudo yum install pypolicyd-spf

# Create user for pypolicyd-spf
sudo adduser policyd-spf --user-group --no-create-home -s /bin/false

Update postfix configuration, add pypolicyd-spf configuration

# Edit postfix master.cf file
sudo vi /etc/postfix/master.cf

Append below lines to the end of file


policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/libexec/postfix/policyd-spf

# Edit postfix main.cf file
sudo vi /etc/postfix/main.cf

Append below lines to the end of file

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Save, close and restart postfix

sudo systemctl restart postfix

Adding DKIM configuration

# Install opendkim perl-Getopt-Long
sudo yum install opendkim perl-Getopt-Long

# Edit /etc/opendkim.conf file
sudo vi /etc/opendkim.conf

# Find and update below lines
Mode           v -> Mode           sv
ReportAddress   "Leveraon Inc Help Desk" <help-desk@leveraon.com>
# Comment out this line
KeyFile       /etc/opendkim/keys/default.private

# Uncomment below lines
# KeyTable            /etc/opendkim/KeyTable

# SigningTable        refile:/etc/opendkim/SigningTable

# ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts

# InternalHosts       refile:/etc/opendkim/TrustedHosts

# Save & Close file

Create corresponding signing table, trusted hosts

# Create /etc/opendkim/SigningTable file
sudo vi /etc/opendkim/SigningTable

# Add/Update below information
*@your-domain.com    mail._domainkey.your-domain.com

# Save & Close file

# Create /etc/opendkim/KeyTable file
sudo vi /etc/opendkim/KeyTable

# Add/Update below information
mail._domainkey.your-domain.com your-domain.com:mail:/etc/opendkim/keys/your-domain.com/mail.private

# Save & Close file

# Create /etc/opendkim/TrustedHosts file
sudo vi /etc/opendkim/TrustedHosts

# Add/Update below information
*.your-domain.com

# Save & Close file

Generate Private/Public Keypair

# Create key folder
sudo mkdir /etc/opendkim/keys/your-domain.com

# Generate keys
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mail -v

# Example output
opendkim-genkey: generating private key
opendkim-genkey: private key written to mail.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to mail.txt

# Grant access to opendkim to below folder
sudo chown opendkim:opendkim /etc/opendkim/keys/ -R

Adding your public key to your domain DNS record

# Get your public key
sudo cat /etc/opendkim/keys/your-domain.com/mail.txt

# Example
v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAABCQ8AMIIBCgKCAQEApai+35N20K6KpRV2r7QFdbUB3djake1rOrJhzV6dRAV8Tew3jkuEnN6G+/rJiRw6i7DtL4rw3EndouFyq0TDgDeYdddFfRBJKtzaL6Z4Rd95k0SW4x+/uHBC+fNR56aQCMLlLJwxpwNIj1gnU/OEWw1muJcNxHcLshhWJiiPUoNwicGYsUud5HZlbCBLPze3rg09d+ywv+ttxqdlkMmK2du1vpwz0PulCl45Kf5806qzx49EEf8DsBE1fyPTwKfx8zH4u5A/zlymdCAwPXyS1MVTOGo2S3fxTAIbSY8nbzTd+NlPELFDDPz2qVkPe+F9UvIcQitTY/YZWIkNBdMpaHELLOWD

Testing DKIM configuration

# Run below command to test DKIM
sudo opendkim-testkey -d your-domain.com -s mail -vvv

# Example output
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.your-domain.com'
opendkim-testkey: key OK

# Enable opendkim service
sudo systemctl start opendkim
sudo systemctl enable opendkim

Create connection between postfix and opendkim

# Edit /etc/postfix/main.cf file
sudo vi /etc/postfix/main.cf

# Append below lines to the end of the file.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

Save & Close

# Add opendkim to postfix group
sudo gpasswd -a postfix opendkim

# Restart postfix
sudo systemctl restart postfix

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.