SPF and DKIM on Postfix
A recent post by Jody Ribton laments the fact that DIY mail servers are having a hard time not getting blocked or rejected in today's email landscape. The ensuing Slashdot discussion dissected the problem, and came up with a few good pieces of advice also seen on this digitalocean guide:
- Make sure the server is not an open mail relay.
- Verify that the sender and server IP addresses are not blacklisted.
- Apply a Fully Qualified Domain Name (FQDN) and the same host name as the PTR record.
- Set a Sender Policy Framework (SPF) DNS record.
- Configure DomainKeys Identified Mail (DKIM) on the sending server and DNS.
Sender Policy Framework (SPF)
"Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators". [Wikipedia]. It is configured through a special TXT DNS record, and further setup on the sending part is not required.
This guide outlines the parameters, and the easiest way to get started is actually this Microsoft provided online wizard. Given a domain, it will guide you through the settings and present you with the DNS record to add at the end. If the domain already has a SPF record, it will verify it, and also take the current settings into account through the steps.
DomainKeys Identified Mail (DKIM) on Postfix
DKIM offers similar email spoofing protection, but also offers simple content signing. From Wikipedia: "DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS."
Configuration is quite straight forward on Postfix, and this guide shows a typical setup and some common pitfalls. If the same email server caters for multiple domains, an alternative configuration is required. This guide covers those details. Another DNS TXT record on the domain is also required. Finally, once the setup is complete, this tool can be used to verify the DNS record.
Verify the configuration
For both SPF and DKIM, the setup can also be verified by sending an email to check-auth@verifier.port25.com. In addition, an email can be sent to any Gmail account, and by viewing the original message and headers, an extra Authentication-Results header can be seen. See the last guide for further details.