Services
For cliens
For partners
Knowledge base
Simple instructions to work with the ProfitServer service
SPF, DKIM and DMARC configuration

This guide will show you the process of configuring SPF, DKIM и DMARC – three vital components to improve email sending performance. 

Proper configuration of SPF, DKIM и DMARC will increase the trust of mail servers and minimize the likelihood of your mailouts getting into spam. 

  • SPF (Sender Policy Framework) is a security measure designed to prevent others from sending emails on your behalf. It determines which IP addresses are allowed to send emails and which are not.

  • DKIM (DomainKeys Identified Mail) is a message authentication method. When each email is sent, it is signed with the private key and then verified at the receiving mail server (or Internet service provider) with the DNS public key.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance) uses SPF and DKIM for mail authentication, reducing spam and phishing attacks.

Step 1: SPF configuration (Sender Policy Framework)

1.1. To configure SPF, a TXT record must be added to your domain's DNS settings.

1.2. This is the following syntax of the SPF record:

  • v=spf1: determines an SPF version used by you. Today only SPF1 is used.

  • ip4:[Your_Mail_Server_IP]: It indicates that your mail server IP address is allowed to send email on behalf of your domain.

  • a: It specifies that if a domain has an A record (IPv4 address) in DNS, the server specified in that record can send email on behalf of the domain.

  • mx: Indicates that if a domain has an MX (mail exchange) record in DNS, the server specified in this record can send email on behalf of the domain.

  • ~all: It indicates that only servers in the SPF record can send email on behalf of the domain. If the email comes from another server, it will be marked as a "soft match" (~), which means that it can be accepted, but marked as possible spam.

Together, these elements form an SPF that looks like this:

Name: [Your_Domain]
 

v=spf1 ip4:[Your_Mail_Server_IP] a mx ~all


Replace [Your_Mail_Server_IP] with your email server IP address.
 

Step 2: DKIM (DomainKeys Identified Mail) configuration

2.1. First install opendkim and opendkim-tools. The installation process depends on the operating system:

For CentOS:
 

yum install opendkim -y


For Debian/Ubuntu:
 

apt install opendkim opendkim-tools -y


2.2. Next, start the opendkim service and enable its launch during boot:
 

systemctl start opendkim

systemctl enable opendkim


2.3. Create a directory for keys storage:
 

mkdir -p /etc/opendkim/keys/yourdomain.com


2.4. Generate keys using opendkim-genkey tool:
 

opendkim-genkey --directory /etc/opendkim/keys/yourdomain.com/ --domain yourdomain.com --selector dkim


Don't forget to replace ‘yourdomain.com’ with your real domain name.


2.5. Set appropriate permissions for keys:
 

chown -R opendkim:opendkim /etc/opendkim/keys/yourdomain.com


2.6. Now we need to configure opendkim. Open the file /etc/opendkim.conf and add the following settings:
 

AutoRestart Yes

AutoRestartRate 10/1h

Umask 002

Syslog Yes

SyslogSuccess Yes

LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

InternalHosts refile:/etc/opendkim/TrustedHosts

KeyTable refile:/etc/opendkim/KeyTable

SigningTable refile:/etc/opendkim/SigningTable

Mode sv

PidFile /var/run/opendkim/opendkim.pid

SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:8891@localhost


2.7. Add your domain to /etc/opendkim/TrustedHosts file
 

127.0.0.1

localhost

*.yourdomain.com


2.8. Edit /etc/opendkim/KeyTable file to look like this:
 

dkim._domainkey.yourdomain.com yourdomain.com:dkim:/etc/opendkim/keys/yourdomain.com/dkim.private


2.9. Change the /etc/opendkim/SigningTable file. In order to look like this
 

*@yourdomain.com dkim._domainkey.yourdomain.com


2.10. If you use Debian/Ubuntu, specify the port opendkim:
 

echo 'SOCKET="inet:8891@localhost"' >> /etc/default/opendkim


2.11. Restart the opendkim service in order for changes to be applied:
 

systemctl restart opendkim


2.12. Finally, add the public key to your domain's DNS configurations. The keys are in /etc/opendkim/keys/yourdomain.com/dkim.txt.


Step 3: DMARC (Domain-based Message Authentication, Reporting & Conformance) configuration

3.1. To configure DMARC, add a TXT record to your domain settings:
 

Name: _dmarc.[Your_Domain].

Значение: v=DMARC1; p=none; aspf=r; sp=none


Replace [Your_Domain] with your domain’s name.
 

Step 4: PTR (Pointer Record) configuration

4.1. A PTR record, also known as a reverse DNS record, is used to transform an IP address to a domain name. This is important for mail servers because some servers may reject messages without a PTR record.

4.2. The PTR record is usually configured in the settings of the internet service provider or hosting provider. If you have access to these settings, you can set up a PTR record by specifying your server's IP address and its corresponding domain name.

4.3. If you do not have access to the PTR record settings, contact your internet service provider or hosting provider with a PTR record configuration request.

4.4. After installing PTR, you can check it using the dig command in Linux:
 

dig -x your_server_IP


Replace ‘your_server_IP’ with your server's IP address. The response should include your domain name.


After completing all the steps of configuring SPF, DKIM and DMARC, the mail server will be much less likely to mark your mailouts as spam – it will guarantee that your letters reach the recipients.

Please, rate this article:
Ask a question
We are always ready to answer your questions at any time of day or night.
Please, check our Knowledge base, most likely the answer to your question is already there!