How-To: SPF, DKIM, DMARC configuration

Hi,

I have struggled a lot with SPF, DKIM and DMARC config, so I’d like to share my experience with you.
First of all, I'd like to mention that I'm using my UCS as a public DNS server (glue record needed).

# add the mail server app via the management portal first, then:
# disable POP3 in Dovecot
ucr set mail/dovecot/pop3="no"
# postscreen pre-filters inbound SMTP clients before they reach smtpd
ucr set mail/postfix/postscreen/enabled="yes"

#TODO: check possible postscreen settings:
#ucr search postscreen

#-----------------------------------------------
#---- configure SPF & DMARC

# SPF
# create the DNS TXT record; the value must keep its surrounding double quotes (hence the \" escapes)
# "a mx -all": only the zone's A/AAAA hosts and its MX hosts may send, everything else hard-fails
udm dns/forward_zone modify \
--dn zoneName=yourdomain.com,cn=dns,dc=yourdomain,dc=com \
--append txt="\"v=spf1 a mx -all\""

# DMARC
# create the DNS TXT record (again with the quotes kept)
# p=reject is the end state: if you are not sure that every legitimate sender of
# yourdomain.com passes SPF or DKIM, start with p=none, read the rua reports, then tighten.
# The rua mailbox must exist; receivers send daily XML aggregate reports to it.
udm dns/txt_record create \
--superordinate zoneName=yourdomain.com,cn=dns,dc=yourdomain,dc=com \
--set name=_dmarc \
--set txt="\"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_rua@yourdomain.com;\"" \
--set zonettl=10800



#-----------------------------------------------
#---- install/configure DKIM
#helpful links:
#https://help.univention.com/t/dkim-txt-dns-recort-problem/11190/5
#https://www.cubewerk.de/2017/12/04/spf-und-dkim-mit-univention-ucs-server/
#https://kofler.info/dkim-konfiguration-fuer-postfix/


univention-install -yy opendkim opendkim-tools

mkdir -p /etc/opendkim/keys

# hosts whose outgoing mail is signed instead of verified
# (used for InternalHosts and ExternalIgnoreList below); ::1 is the IPv6 loopback
echo -e '
127.0.0.1
::1
localhost
yourdomain
yourdomain.com
' > /etc/opendkim/trusted

# signing table: which sender addresses get signed, and with which key name
echo "*@yourdomain.com yourdomaincom" > /etc/opendkim/signing.table

# key table: key name -> signing domain:selector:private key file
echo "yourdomaincom yourdomain.com:202008:/etc/opendkim/keys/yourdomaincom.private" \
> /etc/opendkim/key.table

cd /etc/opendkim
# selector 202008 = year+month, so the key can be rotated later under a new selector;
# -r restricts the key to e-mail use. Note that RFC 6376 only obliges verifiers to
# handle keys up to 2048 bits, and any key >= 2048 bits gives a TXT value longer than
# 255 bytes, which opendkim-genkey splits into several quoted strings (see the manual task below)
opendkim-genkey -d yourdomain.com -b 4096 -r -s 202008
mv 202008.private keys/yourdomaincom.private
mv 202008.txt     keys/yourdomaincom.txt

#set the base config
echo -e '
InternalHosts           refile:/etc/opendkim/trusted
ExternalIgnoreList      refile:/etc/opendkim/trusted
SigningTable            refile:/etc/opendkim/signing.table
KeyTable                refile:/etc/opendkim/key.table
SignatureAlgorithm      rsa-sha256
AutoRestart             yes
AutoRestartRate         10/1h
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
UMask                   002
Canonicalization        relaxed/simple
Mode                    sv
Socket                  inet:12345@localhost
PidFile                 /var/run/opendkim/opendkim.pid
OversignHeaders         From
UserID                  opendkim:opendkim
' > /etc/opendkim.conf

# set the overriding config
echo "RUNDIR=/var/run/opendkim" > /etc/default/opendkim

# fix permissions and ownership
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rwx /etc/opendkim/keys

## nano /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir
## and add the line below under the "127.0.0.1:10025 inet n ......" re-injection listener,
## so mail coming back from amavis is not run through the milter a second time
## (that would add a second DKIM-Signature header):

    -o smtpd_milters=

## nano /etc/univention/templates/files/etc/postfix/main.cf.d/10_general
## and add the following below the basic path definitions
## (no inline comments: Postfix treats everything after '=' as the value)

#opendkim definitions
#milter_default_action = accept: if opendkim is down, mail still flows, just unsigned/unverified
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345


univention-config-registry commit /etc/postfix/master.cf
univention-config-registry commit /etc/postfix/main.cf
# opendkim was started by the package with its default config; restart it so it
# reads /etc/opendkim.conf from above and listens on port 12345, then restart postfix
service opendkim restart
service postfix restart


######################################################
########### MANUAL TASK BELOW ########################
IMPORTANT!!! DO NOT SKIP THIS STEP!!!

cat /etc/opendkim/keys/yourdomaincom.txt
#The file is in zone-file syntax: the record value is split into several quoted strings
#("..." "..."), with line breaks, tabs and a trailing comment
#"; ----- DKIM key 202008 for yourdomain.com". Only the text inside the quotes belongs in
#the DNS record; joined together it reads like
#'v=DKIM1; h=sha256; k=rsa; s=email; p=MIIC......WEROo24==' (without "") for yourdomain.com
#check with https://dkimcore.org/c/keycheck
#from this website you copy the verified key !!!!! IMPORTANT, DO NOT SKIP!!!!!!
#this step gets rid of the bogus characters (stray quotes, whitespace, the comment)

#Now: go to the UCS management Portal: Domain->DNS->yourdomain.com and create a TXT record in zone yourdomain.com:
#TXT: name=202008._domainkey value=//the_verified_key_copied_from_https://dkimcore.org/c/keycheck//

opendkim-testkey -d yourdomain.com -s 202008 -vvv
###   output should look like this:
#  opendkim-testkey: using default configfile /etc/opendkim.conf
#  opendkim-testkey: checking key '202008._domainkey.yourdomain.com'
#  opendkim-testkey: key not secure
#  opendkim-testkey: key OK
###   do NOT worry about 'key not secure': it only means the DNS answer was not DNSSEC-validated, which is fine if you do not use DNSSEC
########### MANUAL TASK ABOVE ########################
######################################################



#check final config:
#https://www.mail-tester.com/

Any questions, please ask! :slight_smile:

Enjoy and best regards
pate1337
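Added example for the "configure SPF & DMARC" section above, not part of the original post: an offline sanity check for the SPF and DMARC strings before they go into the UDM zone. It uses only sh, awk and sed; the records it checks are the yourdomain.com placeholders from the how-to, and the rules (one `all` mechanism at the end, at most 10 DNS-lookup terms, mandatory `p=` tag, `rua` as a mailto: URI, `pct` 0-100) come from RFC 7208 and RFC 7489.

```shell
#!/bin/sh
# Added example (not part of the original how-to): lint the SPF and DMARC TXT
# values before writing them into the zone with udm. Records are the
# placeholders from the how-to above (yourdomain.com).

# tag_value RECORD TAG: print TAG's value from a "k=v; k=v" record (DMARC/DKIM
# syntax); exit status 1 if the tag is absent.
tag_value() {
    printf '%s' "$1" | awk -v want="$2" -v RS=';' '
        { sub(/^[ \t\n]+/, ""); sub(/[ \t\n]+$/, "")
          i = index($0, "=")
          if (i && substr($0, 1, i - 1) == want) { print substr($0, i + 1); found = 1; exit } }
        END { exit !found }'
}

# lint_spf RECORD: report problems with an SPF record; exit status 1 on a hard error.
lint_spf() {
    local rec="$1" rc=0 lookups=0 term
    case "$rec" in
        "v=spf1 "*) ;;
        *) echo "SPF: record must start with 'v=spf1 '"; return 1 ;;
    esac
    # a, mx, include, exists, redirect and ptr each cost a DNS lookup; the
    # limit is 10 per evaluation (RFC 7208 section 4.6.4)
    for term in ${rec#v=spf1}; do
        case "$term" in
            +all|all) echo "SPF: '$term' lets anyone send as you"; rc=1 ;;
            [~?-]all) ;;
            a|a:*|a/*|mx|mx:*|mx/*|include:*|exists:*|redirect=*|ptr|ptr:*) lookups=$((lookups + 1)) ;;
            ip4:*|ip6:*|exp=*) ;;
            *) echo "SPF: unknown term '$term'"; rc=1 ;;
        esac
    done
    case "$rec" in
        *" -all") ;;
        *" ~all") echo "SPF: '~all' is a softfail; switch to '-all' once every sender is listed" ;;
        *) echo "SPF: record must end with '-all' (or '~all' while testing)"; rc=1 ;;
    esac
    [ "$lookups" -le 10 ] || { echo "SPF: $lookups lookup terms, limit is 10"; rc=1; }
    return $rc
}

# lint_dmarc RECORD: report problems with a DMARC record; exit status 1 on a hard error.
lint_dmarc() {
    local rec="$1" rc=0 p rua pct
    case "$rec" in
        "v=DMARC1;"*|"v=DMARC1") ;;
        *) echo "DMARC: record must begin with v=DMARC1"; rc=1 ;;
    esac
    if p=$(tag_value "$rec" p); then
        case "$p" in
            none) echo "DMARC: p=none only monitors; move to quarantine/reject once the rua reports look clean" ;;
            quarantine|reject) ;;
            *) echo "DMARC: invalid p='$p'"; rc=1 ;;
        esac
    else
        echo "DMARC: mandatory p= tag missing"; rc=1
    fi
    if rua=$(tag_value "$rec" rua); then
        case "$rua" in
            mailto:*) ;;
            *) echo "DMARC: rua must be a mailto: URI"; rc=1 ;;
        esac
    else
        echo "DMARC: no rua=, you will receive no aggregate reports"
    fi
    if pct=$(tag_value "$rec" pct); then
        case "$pct" in
            ''|*[!0-9]*) echo "DMARC: pct must be an integer 0-100"; rc=1 ;;
            *) [ "$pct" -le 100 ] || { echo "DMARC: pct=$pct out of range"; rc=1; } ;;
        esac
    fi
    return $rc
}

# the two records this how-to publishes
lint_spf   "v=spf1 a mx -all" && echo "SPF record OK"
lint_dmarc "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_rua@yourdomain.com;" && echo "DMARC record OK"
```

Run it against the string you are about to pass to `udm`; the quoting in the udm command (`\"...\"`) is a UDM requirement and is not part of the record value these functions expect.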
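Added example for the "MANUAL TASK" section above, not part of the original post: it does with awk what the dkimcore keycheck step does by hand, joining the quoted strings of the opendkim-genkey `.txt` file into the single value the UDM TXT form wants, and checking that value for stray quotes, whitespace or comment text. The embedded `.txt` is constructed for this example (the layout is what opendkim-genkey writes, the key bytes are a shortened stand-in, not a real key).

```shell
#!/bin/sh
# Added example (not part of the original how-to): turn the zone-file style
# .txt that opendkim-genkey writes into the single TXT value for the UDM form,
# and check that value for the stray characters the manual task warns about.
# The file below is constructed; the p= bytes are a shortened stand-in for a
# real public key, the layout matches opendkim-genkey output.

DKIM_SAMPLE=$(mktemp)
trap 'rm -f "$DKIM_SAMPLE"' EXIT
cat > "$DKIM_SAMPLE" <<'EOF'
202008._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAc0nStRucTEd/xmpLKEY"
   "abc+AQAB" )  ; ----- DKIM key 202008 for yourdomain.com
EOF

# dkim_txt_name FILE: the record name (selector._domainkey) from the first column
dkim_txt_name() {
    awk 'NF { print $1; exit }' "$1"
}

# flatten_dkim_txt FILE: join everything between double quotes into one string;
# the comment after ')' and the whitespace between strings never belong in DNS
flatten_dkim_txt() {
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }' "$1"
}

# dkim_tag VALUE TAG: value of TAG in a "k=v; k=v" DKIM record, status 1 if absent
dkim_tag() {
    printf '%s' "$1" | awk -v want="$2" -v RS=';' '
        { sub(/^[ \t\n]+/, ""); sub(/[ \t\n]+$/, "")
          i = index($0, "=")
          if (i && substr($0, 1, i - 1) == want) { print substr($0, i + 1); found = 1; exit } }
        END { exit !found }'
}

# dkim_txt_check VALUE: status 1 if the value would not work as a DKIM key record
dkim_txt_check() {
    local val="$1" p k rc=0
    # v= is optional, but if present it must come first and be DKIM1
    case "$val" in
        v=DKIM1*) ;;
        v=*) echo "DKIM: v tag must be DKIM1"; rc=1 ;;
    esac
    k=$(dkim_tag "$val" k) || k=rsa     # k defaults to rsa when absent
    [ "$k" = rsa ] || { echo "DKIM: k=$k, but this setup signs with RSA"; rc=1; }
    if p=$(dkim_tag "$val" p); then
        [ -n "$p" ] || { echo "DKIM: empty p= means a revoked key"; rc=1; }
        if [ -n "$(printf '%s' "$p" | tr -d 'A-Za-z0-9+/=')" ]; then
            echo "DKIM: p= contains characters outside base64 (a stray quote, space or line break?)"; rc=1
        fi
    else
        echo "DKIM: mandatory p= tag missing"; rc=1
    fi
    # one TXT <character-string> holds at most 255 bytes; a longer value has to be
    # published as several quoted strings, which verifiers concatenate (RFC 6376 3.6.2.2)
    [ "${#val}" -le 255 ] || echo "DKIM: ${#val} chars, publish as several quoted strings"
    return $rc
}

value=$(flatten_dkim_txt "$DKIM_SAMPLE")
echo "name:  $(dkim_txt_name "$DKIM_SAMPLE")"
echo "value: $value"
dkim_txt_check "$value" && echo "value is clean"
```

Point `flatten_dkim_txt` at `/etc/opendkim/keys/yourdomaincom.txt` on the real server. If the UDM form refuses a value longer than 255 characters, split it into several quoted strings at any point inside the `p=` data; verifiers join them back together. After the record is published, `opendkim-testkey -d yourdomain.com -s 202008 -vvv` as in the how-to is the end-to-end check.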
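Added example for the "check final config" step, not part of the original post: besides mail-tester.com, the most direct check is to send a test mail to a mailbox at another provider and read the `Authentication-Results` header the receiver adds. The functions below pull the SPF, DKIM and DMARC verdicts out of such a header and confirm that the DKIM signature that passed was made with this how-to's key (domain yourdomain.com, selector 202008). The header is constructed for this example; `mx.example.net` and `192.0.2.25` are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original how-to): parse a receiver's
# Authentication-Results header and check the SPF/DKIM/DMARC verdicts.
# SAMPLE_AR is constructed; mx.example.net and 192.0.2.25 are placeholders.

SAMPLE_AR='Authentication-Results: mx.example.net;
       dkim=pass header.i=@yourdomain.com header.s=202008 header.b=dK1m5ign;
       spf=pass (mx.example.net: domain of user@yourdomain.com designates 192.0.2.25 as permitted sender) smtp.mailfrom=user@yourdomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com'

# ar_unfold HEADER: undo RFC 5322 line folding and put each "method=result ..." clause on its own line
ar_unfold() {
    printf '%s' "$1" | tr -d '\r\n' | tr ';' '\n' | sed 's/^[[:space:]]*//'
}

# ar_result HEADER METHOD: verdict for spf, dkim or dmarc (pass/fail/none/...); status 1 if absent
ar_result() {
    local r
    r=$(ar_unfold "$1" | sed -n "s/^$2=\([A-Za-z]*\).*/\1/p" | head -n 1)
    [ -n "$r" ] && printf '%s\n' "$r"
}

# ar_prop HEADER METHOD PROPERTY: a property such as header.s or header.from from METHOD's clause
ar_prop() {
    local r
    r=$(ar_unfold "$1" | sed -n "s/^$2=.*[[:space:]]$3=\([^[:space:]]*\).*/\1/p" | head -n 1)
    [ -n "$r" ] && printf '%s\n' "$r"
}

# ar_check HEADER DOMAIN SELECTOR: status 0 only if spf, dkim and dmarc all pass
# and the passing DKIM signature was made with DOMAIN's SELECTOR key
ar_check() {
    local hdr="$1" dom="$2" sel="$3" m v rc=0
    for m in spf dkim dmarc; do
        v=$(ar_result "$hdr" "$m") || v=none
        [ "$v" = pass ] || { echo "$m=$v"; rc=1; }
    done
    v=$(ar_prop "$hdr" dkim header.s) || v=
    [ "$v" = "$sel" ] || { echo "DKIM selector '$v', expected '$sel'"; rc=1; }
    # verifiers report the signing domain as header.d=domain or header.i=@domain
    v=$(ar_prop "$hdr" dkim header.d) || v=$(ar_prop "$hdr" dkim header.i) || v=
    v="${v#@}"
    [ "$v" = "$dom" ] || { echo "DKIM domain '$v', expected '$dom'"; rc=1; }
    return $rc
}

ar_check "$SAMPLE_AR" yourdomain.com 202008 && echo "SPF, DKIM and DMARC all pass for yourdomain.com/202008"
```

A `dkim=pass` with a different `header.s` means the receiver verified some other signature (an old selector or a forwarding service), not the key from this setup; a `dkim=none` with `spf=pass` usually means the mail left via a path that bypassed the milter (check the `-o smtpd_milters=` override is only on the 10025 re-injection listener).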