Hi,
I have struggled a lot with SPF, DKIM and DMARC config, so I’d like to share my experience with you.
First of all, I'd like to mention that my UCS (Univention Corporate Server) is the authoritative public DNS server for the domain (glue records at the registrar are needed for that), so all TXT records below are created in UCS itself. If your zone is hosted elsewhere, create the same SPF, DMARC and DKIM records at that DNS provider instead of with `udm`/the UCS portal.
# Prerequisite (manual): add the mail server role via the UCS management portal first.
# Disable POP3 (IMAP stays as it is) and enable postscreen, Postfix's pre-SMTP
# filter against bots/zombies -- both keys in one ucr call.
ucr set \
  mail/dovecot/pop3="no" \
  mail/postfix/postscreen/enabled="yes"
# TODO: review the remaining postscreen knobs before going live:
#   ucr search postscreen
#-----------------------------------------------
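#---- configure SPF & DMARC
# Both records go into the UCS DNS zone (UCS is the public authoritative
# server here). The TXT value is passed with escaped quotes so that udm
# stores it as one quoted string.
ZONE_DN="zoneName=yourdomain.com,cn=dns,dc=yourdomain,dc=com"

# SPF: only the zone's A record host and its MX hosts may send mail for the
# domain; everything else hard-fails (-all). Any third-party service that
# sends with your domain in MAIL FROM (newsletter tool, ticket system, ...)
# needs an include:/ip4: entry, otherwise its mail is rejected.
# A domain may publish only ONE v=spf1 TXT record (RFC 7208 -- two of them
# are a permanent error), so look at the zone apex first and modify the
# existing record instead of appending a second one, e.g.
#   udm dns/forward_zone list --filter zoneName=yourdomain.com | grep -i spf1
udm dns/forward_zone modify \
  --dn "$ZONE_DN" \
  --append txt="\"v=spf1 a mx -all\""

# DMARC: start in monitoring mode (p=none). A reject policy only makes sense
# once the DKIM key set up below is live (opendkim-testkey says "key OK") and
# the aggregate reports sent to rua= show that all legitimate mail passes;
# published before that, p=reject bounces forwarded or mailing-list mail that
# fails SPF alignment. Raise to p=quarantine and then p=reject later by
# editing this record (pct defaults to 100). The rua mailbox must exist --
# the reports arrive as XML attachments.
udm dns/txt_record create \
  --superordinate "$ZONE_DN" \
  --set name=_dmarc \
  --set txt="\"v=DMARC1; p=none; rua=mailto:dmarc_rua@yourdomain.com;\"" \
  --set zonettl=10800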
#-----------------------------------------------
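#---- install/configure DKIM
# Helpful links:
#   https://help.univention.com/t/dkim-txt-dns-recort-problem/11190/5
#   https://www.cubewerk.de/2017/12/04/spf-und-dkim-mit-univention-ucs-server/
#   https://kofler.info/dkim-konfiguration-fuer-postfix/
univention-install -yy opendkim opendkim-tools
# -p: do not fail if the package already created the directory
mkdir -p /etc/opendkim/keys

# Hosts whose mail is signed instead of verified (InternalHosts) and that are
# exempt from verification (ExternalIgnoreList). Keep this list to hosts you
# control: anything matching here gets its mail signed with your key.
# The IPv6 loopback address is ::1 (":1" is not a valid address).
cat > /etc/opendkim/trusted <<'EOF'
127.0.0.1
::1
localhost
yourdomain
yourdomain.com
EOF

# Which sender addresses are signed with which key ("*" is a wildcard in a
# refile: dataset) ...
printf '%s\n' '*@yourdomain.com yourdomaincom' > /etc/opendkim/signing.table
# ... and where that key lives: <name> <domain>:<selector>:<private key path>
printf '%s\n' 'yourdomaincom yourdomain.com:202008:/etc/opendkim/keys/yourdomaincom.private' \
  > /etc/opendkim/key.table

# Generate the key pair for selector 202008. A date-based selector makes
# rotation easy later: generate a new selector, publish it, switch key.table,
# remove the old record after a few days. -r marks the public key e-mail-only.
# 2048 bit is the usual choice; a 4096-bit public key makes the TXT answer
# larger than the classic 512-byte UDP limit, so every resolver looking it up
# must support EDNS or TCP fallback. Keep 4096 only if you have checked that.
cd /etc/opendkim || exit 1
opendkim-genkey -d yourdomain.com -b 4096 -r -s 202008
mv 202008.private keys/yourdomaincom.private
mv 202008.txt keys/yourdomaincom.txt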
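#set the base config
# Quoted heredoc: nothing in it is expanded by the shell.
cat > /etc/opendkim.conf <<'EOF'
# datasets written above
InternalHosts       refile:/etc/opendkim/trusted
ExternalIgnoreList  refile:/etc/opendkim/trusted
SigningTable        refile:/etc/opendkim/signing.table
KeyTable            refile:/etc/opendkim/key.table
SignatureAlgorithm  rsa-sha256
AutoRestart         yes
AutoRestartRate     10/1h
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
# only affects files opendkim creates itself (pid file, a unix socket if used)
UMask               002
# relaxed header / simple body: tolerates harmless header rewriting in transit
Canonicalization    relaxed/simple
# s = sign mail from InternalHosts, v = verify everything else
Mode                sv
# loopback TCP avoids the chroot/permission problems a unix socket can have
# with Postfix; note the milter protocol has no authentication, so any local
# process that can reach this port can ask for signatures
Socket              inet:12345@localhost
PidFile             /var/run/opendkim/opendkim.pid
# signing From: with an oversign entry invalidates the signature if a second
# From: header is added later
OversignHeaders     From
UserID              opendkim:opendkim
EOF

# set the overriding config
# Replaces the packaged /etc/default/opendkim wholesale; the socket comes from
# opendkim.conf above.
printf 'RUNDIR=%s\n' /var/run/opendkim > /etc/default/opendkim

# fix permissions and ownership: by default opendkim refuses to load a private
# key that is readable by anyone but its owner (RequireSafeKeys), so keys/
# must not be group/world accessible.
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rwx /etc/opendkim/keys

# Apply the new configuration. The package starts opendkim with its stock
# config during installation, which typically does not listen on port 12345;
# without a restart Postfix cannot reach the milter and, because the page
# uses milter_default_action = accept, mail would leave unsigned without any
# error.
service opendkim restart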
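## 1) master.cf (manual): the content-filter re-injection listener must not
##    run the milter a second time on mail that amavis/antivir hands back.
##    Edit
##      /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir
##    and add, indented, directly below the "127.0.0.1:10025 inet n ..." line:
##        -o smtpd_milters=
##    The exact layout of that template is version specific, so it is not
##    patched with sed here.
## 2) main.cf: the milter settings are appended to the UCS template fragment.
##    Locally modified templates may be superseded on UCS package updates, so
##    re-check this after updates; run `ucr search milter` first in case your
##    UCS version offers a UCR variable for this instead.
TPL=/etc/univention/templates/files/etc/postfix/main.cf.d/10_general
[ -f "$TPL" ] || { printf 'template %s not found\n' "$TPL" >&2; exit 1; }
# idempotent: do not append the block twice when the script is re-run
if ! grep -q '^smtpd_milters' -- "$TPL"; then
  cat >> "$TPL" <<'EOF'

#opendkim definitions
# accept = fail OPEN: while opendkim is down, mail is accepted and sent without
# signing or verification. Once the setup is stable consider
# milter_default_action = tempfail, so outbound mail is queued instead of
# leaving unsigned (which recipients enforcing p=reject would bounce).
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
EOF
fi
# regenerate the real config files from the templates ...
univention-config-registry commit /etc/postfix/master.cf
univention-config-registry commit /etc/postfix/main.cf
# ... and confirm the values actually made it into main.cf
postconf smtpd_milters non_smtpd_milters milter_default_action
service postfix restart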
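######################################################
########### MANUAL TASK BELOW ########################
# IMPORTANT: do not skip this step -- until the public key is in DNS every
# signature you produce fails verification.
#
# opendkim-genkey writes the public key in BIND zone-file syntax. A single TXT
# string cannot exceed 255 bytes, so the key is split into several quoted
# chunks inside ( ... ), separated by tabs/newlines and followed by a
# "; ----- DKIM key ..." comment. Those are the "hidden characters" that break
# the record when the file is pasted as-is: the DNS value must be the chunks
# joined into ONE string, e.g.
#   v=DKIM1; h=sha256; k=rsa; s=email; p=MIIC......WEROo24==
cat /etc/opendkim/keys/yourdomaincom.txt

# Joins the quoted chunks of a genkey .txt file into the single TXT value.
# $1: path to the .txt file. Output: the joined value, one line on stdout.
dkim_txt_value() {
  grep -o '"[^"]*"' -- "$1" | tr -d '"\n'
  printf '\n'
}
dkim_txt_value /etc/opendkim/keys/yourdomaincom.txt

# Optional cross-check of the joined value at https://dkimcore.org/c/keycheck
# (this uploads only the PUBLIC key, which is fine -- never paste the
# .private file anywhere).
#
# Now create the record in the UCS management portal:
#   Domain -> DNS -> yourdomain.com -> new TXT record in zone yourdomain.com
#   name  = 202008._domainkey
#   value = <the single-line value printed above>
# If your zone is hosted elsewhere, create the record there and wait for it
# to propagate before testing.

# Verify that the key published in DNS matches the private key:
opendkim-testkey -d yourdomain.com -s 202008 -vvv
### expected output:
# opendkim-testkey: using default configfile /etc/opendkim.conf
# opendkim-testkey: checking key '202008._domainkey.yourdomain.com'
# opendkim-testkey: key not secure
# opendkim-testkey: key OK
### "key not secure" only means the DNS answer was not DNSSEC-validated and is
### expected when the zone is not signed. "key OK" is what matters: anything
### else (key not found, mismatched key) means the TXT value is wrong.
########### MANUAL TASK ABOVE ########################
######################################################
# Check the final setup end to end: send a mail to the address shown on
#   https://www.mail-tester.com/
# and confirm SPF, DKIM and DMARC all pass. opendkim-testkey only proves the
# DNS record, not that Postfix actually hands mail to the milter.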
Any questions, please ask!
Enjoy and best regards
pate1337