Hi guys, I want to install DKIM on my Ubuntu 14.04 with ISPConfig 3. I found this tutorial: https://www.exratione.com/2014/07/setting-up-spf-and-dkim-for-an-ubuntu-1404-mail-server/ Should it work?
For DKIM check https://blog.schaal-24.de/ispconfig/dkim-patch-1-0/ SPF can be easily integrated as described here https://www.howtoforge.com/postfix_spf Just instead of doing perl -MCPAN -e shell or wget / download the needed files, use your package manager to install the needed tools/files
Code:
apt-get install postfix-policyd-spf-perl libmail-spf-perl libnetaddr-ip-perl
You can use openDKIM as described in the link. But you will lose a lot of features. Better use the link from ztk.me. The dkim-patch is a backport from the upcoming ispconfig-release and it's been working very well for over a year with all needed features. If you run postfix with a milter you should take care that the milter is always running.
Now thinking about SPF. I added the TXT record v=spf1 a mx ip4:my.ip ~all then tested with http://www.kitterman.com/spf/validate.html with this result:
SPF record lookup and validation for: mydomain.com
SPF records are published in DNS as TXT records.
The TXT records found for your domain are:
v=spf1 a mx ip4:my.ip ~all
Checking to see if there is a valid SPF record.
Found v=spf1 record for mydomain.com:
v=spf1 a mx ip4:my.ip ~all
evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
But anyway, should I install https://www.howtoforge.com/postfix_spf ?
You should install it, the postfix_spf does the magic of checking on your server whether the incoming server is allowed to use the from-address it claims - if SPF is set of course. And "~all" is just for testing, to make it pass google & co you need to "turn it on" by using "-all"
I installed https://blog.schaal-24.de/ispconfig/dkim-patch-1-0/ Now should I check "Enable DKIM" in each mail domain, then generate a key, and add the TXT record (from the DNS-Record window) to my external domain name provider ("v=DKIM1; t=s; p=code code code code")?
SPF has nothing to do with DKIM. But to use DMARC you need DKIM and SPF. If you want to sign mails with DKIM, you must create a DKIM keypair for each domain and publish the public key in the DNS zone. You must insert the full record shown in the interface and not just "v=DKIM1..."
v=spf1 a mx ip4:my.ip ~all
Is my.ip not listed in your DNS zone as an A record? Do you send mails from the server that points to the MX record _and_ from _all_ IPs with an A record? Usually, v=spf1 mx ~all is enough.
Understood, so I will add the full TXT string:
default._domainkey.mydomain.com. 3600 TXT v=DKIM1; t=s; p=MIGf..............................................................
And I will edit the SPF string, it will be v=spf1 mx ~all
Am I right?
Hi guys, now the situation is as follows: ISPConfig - Server Config - Mail - DKIM strength - strong (4096); each mail domain - checked Enable DKIM, generated keys; DNS records from the interface are copied to my external domain name provider, they sent screenshots to me:
I sent an email to a test server, I got:
SPF check: pass
DomainKeys check: neutral
DKIM check: temperror
Sender-ID check: pass
SpamAssassin check: ham
...
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
ID(s) verified:
Canonicalized Headers: ...
DNS record(s): default._domainkey.MYDOMAIN.lt. TXT (StatusDnsQueryFailed)
From another online tester I got:
DKIM Record for default._domainkey.MYDOMAIN.com
This is not a good DKIM key record. You should fix the errors shown in red.
DNS query failed for 'default._domainkey.MYDOMAIN.com':SERVFAIL
A public-key (p=) is required
You should discuss this with your domain provider. The result from http://dkimcore.org/c/keycheck is: DNS query failed for 'default...':SERVFAIL A public-key (p=) is required
Some DNS servers need quotes for TXT records, some don't, try deleting the ". A rare case can be: text is too long, then u need multiple TXT fields but... haven't come across those issues to give a solution to that.
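A single TXT character-string holds at most 255 bytes, so a DKIM record longer than that has to be published as several quoted strings inside one TXT record, which verifiers join back together. The sketch below is an added example, not code from any poster or from ISPConfig; the key bytes are constructed placeholders of typical DER lengths and example.com is a placeholder domain.

```python
from __future__ import annotations
import base64

MAX_STRING = 255  # RFC 1035: one TXT character-string is at most 255 bytes


def dkim_txt_value(pubkey_der: bytes) -> str:
    """Build the value in the form shown in the thread: v=DKIM1; t=s; p=<base64>."""
    return "v=DKIM1; t=s; p=" + base64.b64encode(pubkey_der).decode("ascii")


def split_txt(value: str, limit: int = MAX_STRING) -> list[str]:
    """Cut a TXT value into character-strings of at most `limit` bytes."""
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def reassemble(chunks: list[str]) -> str:
    """Verifiers concatenate the strings with no separator before parsing."""
    return "".join(chunks)


def zone_line(owner: str, ttl: int, value: str) -> str:
    """Render a zone-file line with every chunk quoted separately."""
    quoted = " ".join(f'"{c}"' for c in split_txt(value))
    return f"{owner} {ttl} IN TXT {quoted}"


# Constructed stand-ins for DER-encoded RSA public keys: the lengths are the
# usual SubjectPublicKeyInfo sizes per modulus, the contents are not real keys.
SAMPLE_KEYS = {1024: bytes(162), 2048: bytes(294), 4096: bytes(550)}


def report() -> dict[int, tuple[int, int]]:
    """Map key size -> (TXT value length in bytes, character-strings needed)."""
    out = {}
    for bits, der in SAMPLE_KEYS.items():
        value = dkim_txt_value(der)
        out[bits] = (len(value), len(split_txt(value)))
    return out


if __name__ == "__main__":
    for bits, (length, parts) in report().items():
        print(f"{bits}-bit key: {length} bytes -> {parts} string(s)")
    print(zone_line("default._domainkey.example.com.", 3600,
                    dkim_txt_value(SAMPLE_KEYS[2048])))
```

Only the 1024-bit record fits in one string; whether a provider's web form splits longer values itself or needs them entered pre-split varies by provider.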
Last edit. We tried 2048 bits - I found something like "too long" in the test results. Then I did 1024 - the DKIM test passes!!! As I found here: https://support.google.com/mail/answer/81126 1024 is ok with Gmail, so should I keep it as is? Next question - DMARC. Should I just put _dmarc.MYDOMAIN.com. IN TXT "v=DMARC1; p=none" on my domain server?
Now I did dmarc.mydomain.com IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]" I will check the reports, and later I will put reject.
Do you think that DMARC is really useful? Personally, I like the idea behind DMARC. But a DMARC test passes if DKIM or SPF is valid. If you set "p=none" this does not eliminate anything. The main purpose of DMARC is getting reports (btw: I use the services at https://dmarcian.com/ to receive and analyze the reports).
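How a receiver arrives at a DMARC result, as an added example that is not part of any post: the policy is looked up at _dmarc.<domain>, and the message passes when SPF or DKIM passes for a domain aligned with the From: domain; otherwise the published p= value is applied. The function names, the two-label organizational-domain shortcut and the example.com / example.net values are assumptions made for illustration.

```python
from __future__ import annotations


def parse_tags(txt: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' list as used in DMARC TXT records."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def record_problems(owner: str, txt: str) -> list[str]:
    """Static checks on where and how the policy is published."""
    tags, problems = parse_tags(txt), []
    if not owner.lower().startswith("_dmarc."):
        problems.append("policy must be published at _dmarc.<domain>")
    if not txt.strip().startswith("v=DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    return problems


def org_domain(domain: str) -> str:
    """Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Mode 's' needs an exact match, 'r' (default) the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(policy_txt: str, from_domain: str,
                spf: tuple[str, str], dkim: tuple[str, str]) -> str:
    """spf and dkim are (result, authenticated domain); returns 'pass' or the policy."""
    tags = parse_tags(policy_txt)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed sample policies; the report address is a placeholder.
MONITOR = "v=DMARC1; p=none; rua=mailto:reports@example.com"
ENFORCE = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
```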
Depends, most of the time I'd say no - because the reports the average person gets will go to trash, unread, 99% of the time. DKIM and SPF are good enough. I don't think increasing the amount of mails handled will help much in reducing spam or the work time needed to manage systems. Using external tools analyzing your mail flow ... well I don't really like the idea of handing details out to a 3rd party - so one has to operate his/her own analyzing tools ... and asking him/herself - what for. Am I missing something important about DMARC reports / why they are really useful and one is basically forced to implement it?