Enhance email deliverability by implementing SPF & DKIM on RHEL7

There are many good articles on the internet covering this; the ones I used as references are listed below.


Create an SPF TXT record for your domain at the apex (@). The trailing `~all` is a soft-fail; tighten it to `-all` only once you have confirmed that every legitimate sending host (your MX hosts and the included Sendinblue ranges) is covered by the record.

# Godaddy example
Type	Name	Value	                                    TTL
TXT	    @	    v=spf1 include:spf.sendinblue.com mx ~all	1 Hour
# Verify that the SPF record is published (TXT lookup on the domain apex)
dig -t TXT your_domain
# Example output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> leveraon.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63849
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;leveraon.com.			IN	TXT

leveraon.com.		1617	IN	TXT	"Sendinblue-code:d80ai810b3322e8fbass2e4ffb778ab5"
leveraon.com.		1617	IN	TXT	"v=spf1 include:spf.sendinblue.com mx ~all"

leveraon.com.		1242	IN	NS	ns77.domaincontrol.com.
leveraon.com.		1242	IN	NS	ns78.domaincontrol.com.

Add an SPF policy agent (pypolicyd-spf) so Postfix checks SPF on incoming mail

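# Install pypolicyd-spf (the Postfix SPF policy daemon)
sudo yum install pypolicyd-spf

# Create a dedicated unprivileged account for the policy daemon.
# --system: no password aging, UID/GID from the system range;
# /sbin/nologin refuses interactive logins (the RHEL convention for
# service accounts). useradd expects the options before the login name.
sudo useradd --system --user-group --no-create-home --shell /sbin/nologin policyd-spf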

Update postfix configuration, add pypolicyd-spf configuration

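# Edit postfix master.cf (sudoedit runs the editor as your own user and only
# copies the result into place, instead of running an editor as root)
sudoedit /etc/postfix/master.cf

# Append below lines to the end of file: a "spawn" service that starts the
# policy daemon on demand as the unprivileged policyd-spf user created above
# (the 0 in the maxproc column means no process limit)
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/libexec/postfix/policyd-spf
# Save and close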

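# Wire the policy daemon into Postfix. postconf -e replaces an existing key in
# /etc/postfix/main.cf instead of appending a duplicate (Postfix silently takes
# the last occurrence of a key, so a stale earlier entry is easy to miss).
sudo postconf -e 'policyd-spf_time_limit = 3600'

# Keep the relay controls in front of the SPF check. Setting this parameter to
# the policy check alone drops reject_unauth_destination (on Postfix older than
# 2.10, which has no smtpd_relay_restrictions, that is an open relay), and
# without permit_mynetworks / permit_sasl_authenticated the SPF check would
# also be applied to mail from your own hosts and authenticated users.
sudo postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf'

# Validate the configuration, then restart Postfix
sudo postfix check && sudo systemctl restart postfix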

Adding DKIM configuration

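# Install OpenDKIM (perl-Getopt-Long is needed by the opendkim-genkey helper
# script used further down)
sudo yum install opendkim perl-Getopt-Long

# Edit /etc/opendkim.conf (sudoedit keeps the editor itself unprivileged and
# only copies the saved result into place as root)
sudoedit /etc/opendkim.conf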

# Find and update below lines
Mode           v -> Mode           sv      # s = sign outgoing mail, v = verify incoming mail
ReportAddress   "Leveraon Inc Help Desk" <help-desk@leveraon.com>
# Comment out this line (KeyFile points at a single key; it is replaced by the KeyTable/SigningTable pair below)
# KeyFile       /etc/opendkim/keys/default.private

# Uncomment below lines. InternalHosts and ExternalIgnoreList both read /etc/opendkim/TrustedHosts: mail from hosts listed there is signed rather than verified, so that file must contain only hosts you control.
# KeyTable            /etc/opendkim/KeyTable

# SigningTable        refile:/etc/opendkim/SigningTable

# ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts

# InternalHosts       refile:/etc/opendkim/TrustedHosts

# Save & Close file

Create corresponding signing table, trusted hosts

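# Create /etc/opendkim/SigningTable (sudoedit keeps the editor unprivileged)
sudoedit /etc/opendkim/SigningTable

# Add/Update below information: every sender address at your domain is signed
# with the key named mail._domainkey.your-domain.com, which is resolved to a
# private key through KeyTable
*@your-domain.com    mail._domainkey.your-domain.com

# Save & Close file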
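# Create /etc/opendkim/KeyTable (sudoedit keeps the editor unprivileged)
sudoedit /etc/opendkim/KeyTable

# Add/Update below information: key name -> domain:selector:path-to-private-key.
# The selector ("mail") must match the -s value passed to opendkim-genkey below,
# and the path must match where that command writes mail.private.
mail._domainkey.your-domain.com your-domain.com:mail:/etc/opendkim/keys/your-domain.com/mail.private

# Save & Close file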
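# Create /etc/opendkim/TrustedHosts (sudoedit keeps the editor unprivileged)
sudoedit /etc/opendkim/TrustedHosts

# Add/Update below information. This file is used for both InternalHosts and
# ExternalIgnoreList, so mail from anything listed here is signed as your
# domain rather than verified: list only the loopback addresses and your own
# mail server(s) -- never an untrusted relay or a whole public range.
127.0.0.1
::1
localhost
# add the hostname and/or IP address of this mail server here

# Save & Close file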

Generate Private/Public Keypair

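# Create key folder (-p: no error if it already exists)
sudo mkdir -p /etc/opendkim/keys/your-domain.com

# Generate a 2048-bit RSA keypair for selector "mail"
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mail -v

# Example output
opendkim-genkey: generating private key
opendkim-genkey: private key written to mail.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to mail.txt

# Hand the key tree to the opendkim user and make sure the private key is
# readable by that user only: anyone who can read mail.private can sign
# mail as your domain.
sudo chown -R opendkim:opendkim /etc/opendkim/keys/
sudo chmod 700 /etc/opendkim/keys/your-domain.com
sudo chmod 600 /etc/opendkim/keys/your-domain.com/mail.private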

Adding your public key to your domain DNS record

# Get your public key. Publish it as a TXT record whose name is the selector
# plus "_domainkey", i.e. mail._domainkey (the same name used in KeyTable and
# SigningTable above), with the v=DKIM1 ... p=... text as its value.
# NOTE(review): mail.txt may wrap the value across several quoted strings;
# if so, join them into one string when pasting into the registrar UI.
sudo cat /etc/opendkim/keys/your-domain.com/mail.txt

# Example (the p= value is your public key, so it is safe to publish)
v=DKIM1; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAABCQ8AMIIBCgKCAQEApai+35N20K6KpRV2r7QFdbUB3djake1rOrJhzV6dRAV8Tew3jkuEnN6G+/rJiRw6i7DtL4rw3EndouFyq0TDgDeYdddFfRBJKtzaL6Z4Rd95k0SW4x+/uHBC+fNR56aQCMLlLJwxpwNIj1gnU/OEWw1muJcNxHcLshhWJiiPUoNwicGYsUud5HZlbCBLPze3rg09d+ywv+ttxqdlkMmK2du1vpwz0PulCl45Kf5806qzx49EEf8DsBE1fyPTwKfx8zH4u5A/zlymdCAwPXyS1MVTOGo2S3fxTAIbSY8nbzTd+NlPELFDDPz2qVkPe+F9UvIcQitTY/YZWIkNBdMpaHELLOWD

Testing DKIM configuration

# Confirm that the public key published in DNS for selector "mail" matches
# the private key on disk (rerun later if DNS has not propagated yet)
sudo opendkim-testkey -d your-domain.com -s mail -vvv

# Example output
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.your-domain.com'
opendkim-testkey: key OK

# Enable OpenDKIM at boot and start it now
sudo systemctl enable opendkim
sudo systemctl start opendkim

Create connection between postfix and opendkim

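# Milter configuration: hand every message (SMTP and locally submitted) to
# OpenDKIM for signing/verification. postconf -e updates main.cf in place
# instead of appending a possibly duplicate key.
sudo postconf -e 'milter_protocol = 6'

# accept: if OpenDKIM is unreachable, mail still flows but is neither signed
# nor verified. Use tempfail instead if you would rather defer mail than
# let it out unsigned.
sudo postconf -e 'milter_default_action = accept'

# The original "inet:" value was incomplete. This must match the "Socket"
# line in /etc/opendkim.conf: the EPEL default is inet:8891@localhost, which
# Postfix addresses as below. If you use a unix socket, point this at it
# instead (e.g. local:/run/opendkim/opendkim.sock) -- confirm against your
# opendkim.conf.
sudo postconf -e 'smtpd_milters = inet:127.0.0.1:8891'
sudo postconf -e 'non_smtpd_milters = $smtpd_milters'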

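# Add postfix to the opendkim group. This is only needed when OpenDKIM
# listens on a unix socket that the opendkim group owns, so Postfix can open
# it; it is harmless with an inet socket.
sudo gpasswd -a postfix opendkim

# Validate the configuration before restarting Postfix
sudo postfix check && sudo systemctl restart postfix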
