This guide walks through configuring SPF, DKIM and DMARC, three vital components for improving email deliverability.
Proper configuration of SPF, DKIM and DMARC increases the trust that receiving mail servers place in your domain and minimizes the likelihood of your mailouts landing in spam.
- SPF (Sender Policy Framework) is a security measure designed to prevent others from sending email on your behalf. It declares which IP addresses are allowed to send email for your domain and which are not.
- DKIM (DomainKeys Identified Mail) is a message authentication method. Each outgoing email is signed with the domain's private key, and the receiving mail server (or Internet service provider) verifies the signature with the public key published in DNS.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) uses SPF and DKIM to authenticate mail, reducing spam and phishing attacks.
SPF (Sender Policy Framework) configuration
1.1. To configure SPF, a TXT record must be added to your domain's DNS settings.
1.2. An SPF record has the following syntax:
- v=spf1: the SPF version in use. Only version 1 exists today.
- ip4:[Your_Mail_Server_IP]: allows the IP address of your mail server to send email on behalf of your domain.
- a: allows the server at the domain's A record (its IPv4 address) to send email on behalf of the domain.
- mx: allows the servers listed in the domain's MX (mail exchange) records to send email on behalf of the domain.
- ~all: states that only the servers listed in the SPF record may send email on behalf of the domain. Email from any other server receives a "softfail" (~) result, which means it can be accepted but marked as possible spam.
Together, these elements form an SPF record that looks like this:
Name: [Your_Domain]
v=spf1 ip4:[Your_Mail_Server_IP] a mx ~all
Replace [Your_Mail_Server_IP] with your email server IP address.
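To see how a receiving server applies the record above, here is a small SPF evaluator (added example, not part of the original guide). It walks the mechanisms left to right and returns the result of the first one that matches the connecting IP, which is exactly why the order of ip4/a/mx before ~all matters. DNS lookups are replaced by a constructed table so it runs offline; the addresses and names in it are assumptions, and modifiers (redirect=, exp=) and the a/mx CIDR forms are deliberately not handled.

```python
import ipaddress

# Constructed DNS data that stands in for real lookups so the example runs
# offline (assumption: these names and addresses are illustrative only).
FAKE_DNS = {
    ("yourdomain.com", "A"): ["203.0.113.10"],
    ("yourdomain.com", "MX"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["203.0.113.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver; a real check would query DNS here."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split an SPF record into (result-if-matched, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:          # modifiers such as redirect= / exp= are not handled here
            continue
        qualifier = "+"          # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), arg))
    return mechanisms


def ip_matches(ip, spec):
    """True if ip lies inside spec (single address or CIDR); mixed IP families never match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_host(ip, domain, record):
    """Evaluate record for a connecting ip; the first matching mechanism decides."""
    for result, name, arg in parse_spf(record):
        target = arg or domain   # 'a' and 'mx' default to the record's own domain
        if name == "all":
            return result
        if name in ("ip4", "ip6") and ip_matches(ip, arg):
            return result
        if name == "a" and any(ip_matches(ip, a) for a in lookup(target, "A")):
            return result
        if name == "mx":
            for mx_host in lookup(target, "MX"):
                if any(ip_matches(ip, a) for a in lookup(mx_host, "A")):
                    return result
    return "neutral"             # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    record = "v=spf1 ip4:203.0.113.10 a mx ~all"
    for sender in ("203.0.113.10", "203.0.113.25", "198.51.100.7"):
        print(sender, "->", check_host(sender, "yourdomain.com", record))
```

Note how the third sender gets "softfail" rather than "fail": that is the practical difference between ~all and -all, and the reason ~all mail may still be delivered to a spam folder.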
DKIM (DomainKeys Identified Mail) configuration
2.1. First install opendkim and opendkim-tools. The installation command depends on the operating system:
For CentOS (the package is available from the EPEL repository):
yum install opendkim -y
For Debian/Ubuntu:
apt install opendkim opendkim-tools -y
2.2. Next, start the opendkim service and enable its launch during boot:
systemctl start opendkim
systemctl enable opendkim
2.3. Create a directory for keys storage:
mkdir -p /etc/opendkim/keys/yourdomain.com
2.4. Generate keys using opendkim-genkey tool:
opendkim-genkey --directory /etc/opendkim/keys/yourdomain.com/ --domain yourdomain.com --selector dkim
Don't forget to replace 'yourdomain.com' with your real domain name.
2.5. Give the opendkim user ownership of the keys:
chown -R opendkim:opendkim /etc/opendkim/keys/yourdomain.com
2.6. Now configure opendkim. Open the file /etc/opendkim.conf and add the following settings:
AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog Yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:8891@localhost
2.7. Add your domain to the /etc/opendkim/TrustedHosts file:
127.0.0.1
localhost
*.yourdomain.com
2.8. Edit /etc/opendkim/KeyTable file to look like this:
dkim._domainkey.yourdomain.com yourdomain.com:dkim:/etc/opendkim/keys/yourdomain.com/dkim.private
2.9. Edit the /etc/opendkim/SigningTable file so that it looks like this:
*@yourdomain.com dkim._domainkey.yourdomain.com
2.10. On Debian/Ubuntu, also specify the opendkim socket in /etc/default/opendkim:
echo 'SOCKET="inet:8891@localhost"' >> /etc/default/opendkim
2.11. Restart the opendkim service in order for changes to be applied:
systemctl restart opendkim
2.12. Finally, publish the public key in your domain's DNS. The TXT record to add (name dkim._domainkey.yourdomain.com) is in /etc/opendkim/keys/yourdomain.com/dkim.txt.
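Two things go wrong most often at steps 2.8, 2.9 and 2.12: the SigningTable points at a key name that is not in the KeyTable (mail then goes out unsigned), and the dkim.txt file is pasted into a DNS panel as-is, although it is BIND syntax with the key split across several quoted strings. The following added checks (example code, not part of the guide or of opendkim) parse constructed copies of the three files from the steps above and produce the record to publish. The p= value is a placeholder, not a real RSA key.

```python
import base64
import binascii
import re

# Constructed copies of the files from steps 2.8, 2.9 and 2.12 (the p= value
# is a placeholder, not a real RSA public key).
KEYTABLE = "dkim._domainkey.yourdomain.com yourdomain.com:dkim:/etc/opendkim/keys/yourdomain.com/dkim.private\n"
SIGNINGTABLE = "*@yourdomain.com dkim._domainkey.yourdomain.com\n"
DKIM_TXT = ('dkim._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
            '\t  "p=QUJDREVGR0hJSktMTU5P"\n'
            '\t  "UFFSU1RVVldYWVo=" )  ; ----- DKIM key dkim for yourdomain.com\n')


def parse_keytable(text):
    """keyname -> (domain, selector, private key path)."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        keyname, spec = line.split(None, 1)
        domain, selector, path = spec.strip().split(":", 2)
        table[keyname] = (domain, selector, path)
    return table


def parse_signingtable(text):
    """sender pattern -> keyname."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, keyname = line.split(None, 1)
        table[pattern] = keyname.strip()
    return table


def check_tables(keytable_text, signingtable_text):
    """Return a list of problems; an empty list means the two tables agree."""
    keys = parse_keytable(keytable_text)
    problems = []
    for pattern, keyname in parse_signingtable(signingtable_text).items():
        if keyname not in keys:
            problems.append(f"{pattern}: key {keyname} is not in KeyTable")
            continue
        domain, selector, _path = keys[keyname]
        if not pattern.endswith("@" + domain):
            problems.append(f"{pattern}: pattern domain differs from KeyTable domain {domain}")
        # Not required by opendkim, but the guide's naming convention makes mistakes visible.
        if keyname != f"{selector}._domainkey.{domain}":
            problems.append(f"{keyname}: name does not follow {selector}._domainkey.{domain}")
    return problems


def dkim_txt_to_record(contents, domain):
    """Join the quoted fragments of dkim.txt into (fqdn, single TXT value)."""
    name = contents.split()[0]                        # e.g. dkim._domainkey
    value = "".join(re.findall(r'"([^"]*)"', contents))
    return f"{name}.{domain}", value


def validate_dkim_value(value):
    """Check the TXT value before publishing; an empty list means no problems."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            k, _, v = item.strip().partition("=")
            tags[k.strip()] = v.strip()
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k tag must be rsa for an opendkim-genkey RSA key")
    p = tags.get("p", "")
    if not p:
        problems.append("p tag is empty (an empty p means 'key revoked')")
    else:
        try:
            base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p tag is not valid base64")
    return problems


def split_txt(value, limit=255):
    """A single DNS TXT string holds at most 255 bytes; 2048-bit keys need several."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


if __name__ == "__main__":
    print("table problems:", check_tables(KEYTABLE, SIGNINGTABLE))
    fqdn, value = dkim_txt_to_record(DKIM_TXT, "yourdomain.com")
    print(fqdn, "TXT", split_txt(value), validate_dkim_value(value))
```

After the record is live, opendkim-tools ships opendkim-testkey (run as opendkim-testkey -d yourdomain.com -s dkim -vvv), which fetches the published record and compares it with the private key on disk; that is the authoritative end-to-end check.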
DMARC (Domain-based Message Authentication, Reporting & Conformance) configuration
3.1. To configure DMARC, add a TXT record to your domain settings:
Name: _dmarc.[Your_Domain].
Value: v=DMARC1; p=none; aspf=r; sp=none
Replace [Your_Domain] with your domain's name.
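The record above asks receivers for no action (p=none) and relaxed SPF alignment (aspf=r). To make those tags concrete, here is an added example (not part of the original guide) that validates a DMARC record's syntax and then computes the disposition a receiver would apply from the SPF and DKIM outcomes. The organizational-domain logic is simplified to the last two labels, which is an assumption; real receivers use the Public Suffix List.

```python
# The record from the guide, plus constructed variants used below.
PAGE_RECORD = "v=DMARC1; p=none; aspf=r; sp=none"

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Return the tag=value pairs in order of appearance."""
    tags = []
    for item in record.split(";"):
        if item.strip():
            k, _, v = item.strip().partition("=")
            tags.append((k.strip(), v.strip()))
    return tags


def validate_dmarc(record):
    """List what a receiver would object to; an empty list means the record is usable."""
    tags = parse_dmarc(record)
    problems = []
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    d = dict(tags)
    if "p" not in d:
        problems.append("p tag (policy) is required")
    elif d["p"] not in POLICIES:
        problems.append(f"p={d['p']} is not none/quarantine/reject")
    if "sp" in d and d["sp"] not in POLICIES:
        problems.append(f"sp={d['sp']} is not none/quarantine/reject")
    for tag in ("aspf", "adkim"):
        if tag in d and d[tag] not in ("r", "s"):
            problems.append(f"{tag}={d[tag]} must be r (relaxed) or s (strict)")
    if "pct" in d and not (d["pct"].isdigit() and 0 <= int(d["pct"]) <= 100):
        problems.append("pct must be an integer 0..100")
    for tag in ("rua", "ruf"):
        if tag in d and not all(u.strip().startswith("mailto:") for u in d[tag].split(",")):
            problems.append(f"{tag} entries must be mailto: URIs")
    return problems


def org_domain(domain):
    """Organizational domain. Assumption for this demo: the last two labels;
    real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) accepts any subdomain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """'pass' if SPF or DKIM passed AND aligns with the From: domain,
    otherwise the action the domain owner requested in p=."""
    d = dict(parse_dmarc(record))
    spf_ok = spf_pass and aligned(spf_domain, from_domain, d.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, d.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else d.get("p", "none")


if __name__ == "__main__":
    print(validate_dmarc(PAGE_RECORD))
    # Bounce address on mail.yourdomain.com, From: on yourdomain.com, DKIM failed.
    print(dmarc_disposition(PAGE_RECORD, "yourdomain.com",
                            "mail.yourdomain.com", True, "yourdomain.com", False))
```

The second call shows why aspf=r is the safe starting point for a server that sends from a hostname under the domain: with aspf=s the same message would fall through to the p= action. Keep p=none while you confirm that legitimate mail passes, then tighten it.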
PTR (Pointer Record) configuration
4.1. A PTR record, also known as a reverse DNS record, maps an IP address back to a domain name. This matters for mail servers because some receiving servers reject messages from an IP address that has no PTR record.
4.2. The PTR record is usually configured in the settings of the internet service provider or hosting provider. If you have access to these settings, you can set up a PTR record by specifying your server's IP address and its corresponding domain name.
4.3. If you do not have access to the PTR record settings, contact your internet service provider or hosting provider with a PTR record configuration request.
4.4. After the PTR record has been set up, you can check it with the dig command on Linux:
dig -x your_server_IP
Replace 'your_server_IP' with your server's IP address. The response should include your domain name.
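Receivers typically do more than check that a PTR exists: they also resolve the name the PTR returns and confirm it points back to the same IP (forward-confirmed reverse DNS). This added example (not part of the original guide) shows the name that dig -x queries and performs that round-trip check against a constructed DNS table; the addresses and hostnames are assumptions for an offline run.

```python
import ipaddress

# Constructed DNS data for an offline run (illustrative names and addresses).
FAKE_DNS = {
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["203.0.113.10"],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["host.other.example"],
    ("host.other.example", "A"): ["198.51.100.99"],   # PTR points at a name that does not point back
}


def lookup(name, rtype):
    """Stand-in resolver; a real check would query DNS here."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa name that 'dig -x ip' actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR target must resolve back to ip.
    Returns (status, hostname-or-None) with status in no-ptr / mismatch / confirmed."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return "no-ptr", None
    for host in ptrs:
        if str(addr) in lookup(host, rtype):
            return "confirmed", host
    return "mismatch", ptrs[0]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, reverse_name(ip), fcrdns(ip))
```

When you ask your provider for the PTR record, make sure the hostname you give them also has an A (or AAAA) record for the same address; the "mismatch" case above is what a receiver sees when only the reverse side was set up.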
After completing all the steps for configuring SPF, DKIM and DMARC, receiving mail servers will be much less likely to mark your mailouts as spam, which greatly improves the chance that your letters reach their recipients.