In order to successfully add OpenDKIM to DNS on Linux, you need to understand some basic terms and tips. 3 Must-Know-Terms To Add DKIM to DNS The Basic terms in Email authentication, DNS records, and other related concepts. DMARC and the Email authentication process. Anatomy of a Resource record in the DNS. DMARC After building a magic setup script coupled with an open-source software bundle that enables a smooth encounter at transforming a server into a problem solver for emails with multiple domains, the following steps when strictly adhered aid in achieving the intended outcome we crave for. You can download our magic script from here. Setup and configure OpenDKIM for multiple domains with Postfix on Linux with the script #!/bin/bash if [[ "$1" != "INSTALL" ]] then echo "Note: please run from root user" echo "This script will generate keys for domain and install openDkim postfix on this host" echo "to process please use $0 INSTALL" exit fi echo -n 'Enter Domain name : ' read domain_global echo 'Specifies the selector, or name, of the key pair generated' echo -n 'Enter group name/DNS (node|mail) : ' read group_name echo Install opendkim and posfix apt-get install -y opendkim opendkim-tools postfix mailutils mkdir -p /etc/opendkim/${domain_global} &>/dev/null echo ______________________________________________________________________________________ echo "Generate key for ${domain_global}:${group_name}" opendkim-genkey -D /etc/opendkim/${domain_global} -d $domain_global -s $group_name echo ______________________________________________________________________________________ echo 'Update keytable file' echo "${group_name}._domainkey.${domain_global} ${domain_global}:${group_name}:/etc/opendkim/${domain_global}/${group_name}.private" >> /etc/opendkim/keytable echo ______________________________________________________________________________________ echo 'Update signingtable file' echo ${domain_global} ${group_name}._domainkey.${domain_global} >> /etc/opendkim/signingtable echo ______________________________________________________________________________________ echo Configure OpenDKIM echo 'SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"' > /etc/default/opendkim mkdir -p /var/spool/postfix/var/run/opendkim &>/dev/null cat > /etc/opendkim.conf <<EOF Syslog yes SyslogSuccess yes LogWhy yes UMask 002 SoftwareHeader yes OversignHeaders From Canonicalization relaxed/relaxed KeyTable file:/etc/opendkim/keytable SigningTable file:/etc/opendkim/signingtable EOF echo ______________________________________________________________________________________ echo 'Configure postfix ' postconf -e milter_default_action=accept postconf -e milter_protocol=2 postconf -e smtpd_milters=unix:/var/run/opendkim/opendkim.sock postconf -e non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock Download and rename the TXT file to an executable bash script. Let’s go step by step with our installation script lines You will need to run the script from the root user, the script will generate keys for a domain and install OpenDkim, Postfix on the host. Enter a domain name, specify the selector after the script will generate appropriate configurations. After the successful installation, you will need to add very important DNS records for your domain. We shall now examine each of the email authentication concepts one after the other. Sender Policy Framework (SPF) This is a simple email-validation system that detects email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators. This can be achieved via configuring your SPF record with our** ** SPF wizard. Under the SPF, messages that do not come directly from the return-paths designated outbound servers we consider as forged. This semantic is compatible with existing practices, with two exceptions; web-generated email and verbatim forwarding. Those two cases should implement SRS for best results. DomainKeys Identified Mail (DKIM) – DomainKeys Identified Mail (DKIM) is a protocol that permits a person, role, or organization that possesses ownership of signing domain to claim some responsibility for a message via associating the domain with the message. This is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing emails. Forged email is a serious threat to all parties in an email exchange. Our wizard for DKIM configuration and checks is DKIM here. Anatomy of a DMARC Resource Record in the DNS are published in the DNS as text (TXT) resource records (RR). They announce what an email receiver should do with non-aligned mail it receives. Consider an example DMARC TXT RR for the domain “sender.easydmarc.com” that reads: DMARC policies “v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@easydmarc.com” How Senders Deploy DMARC in 5-Easy Steps DMARC is based on real-world experience by some of the world’s largest email senders and receivers deploying SPF and DKIM. The specification takes into account the fact that it is nearly impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing so that all parties can ease into full deployment over time. Deploy DKIM & SPF. You have to cover the basics, first. Ensure that your mailers are correctly aligning the appropriate identifiers. Publish a DMARC record with the “none” flag set for the policies, which requests data reports. Analyze the data and modify your mail streams as appropriate. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience. This article was first published here
