This guide will show you the process of configuring SPF, DKIM and DMARC – three vital components to improve email sending performance.
Proper configuration of SPF, DKIM and DMARC will increase the trust of mail servers and minimize the likelihood of your mailouts getting into spam.
SPF (Sender Policy Framework) is a security measure designed to prevent others from sending emails on your behalf. It determines which IP addresses are allowed to send emails and which are not.
DKIM (DomainKeys Identified Mail) is a message authentication method. Each outgoing email is signed with the private key, and the receiving mail server (or Internet service provider) verifies the signature with the public key published in DNS.
DMARC (Domain-based Message Authentication, Reporting & Conformance) uses SPF and DKIM for mail authentication, reducing spam and phishing attacks.
1.1. To configure SPF, a TXT record must be added to your domain's DNS settings.
1.2. The SPF record uses the following syntax:
v=spf1: Specifies the SPF version in use. Today only SPF1 is used.
ip4:[Your_Mail_Server_IP]: It indicates that your mail server IP address is allowed to send email on behalf of your domain.
a: It specifies that if a domain has an A record (IPv4 address) in DNS, the server specified in that record can send email on behalf of the domain.
mx: Indicates that if a domain has an MX (mail exchange) record in DNS, the server specified in this record can send email on behalf of the domain.
~all: Indicates that only the servers listed in the SPF record are authorised to send email on behalf of the domain. If an email comes from another server, the check returns a "soft fail" (~), which means the message can be accepted but marked as possible spam.
Together, these elements form an SPF record that looks like this:
Replace [Your_Mail_Server_IP] with your email server IP address.
2.1. First install opendkim and opendkim-tools. The installation process depends on the operating system:
2.2. Next, start the opendkim service and enable it to start at boot:
systemctl start opendkim
systemctl enable opendkim
2.3. Create a directory to store the keys:
2.4. Generate the keys using the opendkim-genkey tool:
Don't forget to replace ‘yourdomain.com’ with your real domain name.
2.5. Set appropriate permissions for the keys:
2.6. Now we need to configure opendkim. Open the file /etc/opendkim.conf and add the following settings:
2.7. Add your domain to the /etc/opendkim/TrustedHosts file:
2.8. Edit the /etc/opendkim/KeyTable file to look like this:
2.9. Edit the /etc/opendkim/SigningTable file so that it looks like this:
2.10. If you use Debian/Ubuntu, specify the opendkim port:
2.11. Restart the opendkim service for the changes to take effect:
2.12. Finally, add the public key to your domain's DNS configuration. The keys are in /etc/opendkim/keys/yourdomain.com/dkim.txt.
3.1. To configure DMARC, add a TXT record to your domain's DNS settings:
Value: v=DMARC1; p=none; aspf=r; sp=none
Replace [Your_Domain] with your domain’s name.
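Before publishing the SPF and DMARC TXT values described above, they can be checked offline. The following is an added example, not part of the original guide: the function names lint_spf and lint_dmarc are hypothetical, 203.0.113.10 is a constructed documentation address, and only the ip4 and all terms of SPF are validated.

```python
# Added example: lint SPF and DMARC TXT values before publishing them.
import ipaddress

SPF_ALL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(txt):
    """Return (result_of_all, warnings) for an SPF TXT value."""
    terms = txt.split()
    warnings = []
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record must start with v=spf1"]
    all_result = None
    for i, term in enumerate(terms[1:], start=1):
        # A term without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in SPF_ALL else "+"
        body = term.lstrip("+-~?").lower()
        if body.startswith("ip4:"):
            try:
                ipaddress.IPv4Network(body[4:], strict=False)
            except ValueError:
                warnings.append(f"invalid ip4 value: {body[4:]}")
        elif body == "all":
            all_result = SPF_ALL[qualifier]
            if i != len(terms) - 1:
                warnings.append("mechanisms after 'all' are never evaluated")
    if all_result is None:
        warnings.append("no 'all' mechanism: unlisted senders get neutral")
    elif all_result == "pass":
        warnings.append("+all authorises every server to send")
    return all_result, warnings

def lint_dmarc(txt):
    """Return (tags, warnings) for a DMARC TXT value."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    warnings = []
    if tags.get("v") != "DMARC1":
        warnings.append("missing v=DMARC1 tag")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        warnings.append("p= must be none, quarantine or reject")
    elif tags["p"].lower() == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua= address: no aggregate reports will arrive")
    return tags, warnings

if __name__ == "__main__":
    print(lint_spf("v=spf1 ip4:203.0.113.10 a mx ~all"))
    print(lint_dmarc("v=DMARC1; p=none; aspf=r; sp=none"))
```

Run against the DMARC value from step 3.1, the check reports that p=none is monitoring only and that no rua= reporting address is set, so the record neither blocks failing mail nor produces reports.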
4.1. A PTR record, also known as a reverse DNS record, is used to resolve an IP address to a domain name. This is important for mail servers because some servers may reject messages from an IP address without a PTR record.
4.2. The PTR record is usually configured in the settings of the internet service provider or hosting provider. If you have access to these settings, you can set up a PTR record by specifying your server's IP address and its corresponding domain name.
4.3. If you do not have access to the PTR record settings, contact your internet service provider or hosting provider with a PTR record configuration request.
4.4. After setting up the PTR record, you can check it using the dig command in Linux:
Replace ‘your_server_IP’ with your server's IP address. The response should include your domain name.
After completing all the steps of configuring SPF, DKIM and DMARC, receiving mail servers will be much less likely to mark your mailouts as spam, which helps your messages reach their recipients.