How do I set up SPF and DKIM on Linux?

SPF

SPF is pretty straightforward if you know how to add a TXT DNS record.

But the syntax can be confusing. Probably the most confusing part of SPF is the end bit, as it can take one of two values:

~all = softfail
-all = hardfail

Here is a sample record that adds an IP and Outlook settings:

"v=spf1 a mx ip4:a.b.c.d include:spf.protection.outlook.com -all"

Don’t ask what the difference is between - and ~, but just take it as the most confusing parameter ever.
The difference between the dash and the tilde is:

The tilde and dash identify the different types of failures. Consider a message that doesn’t match the parameters specified in the SPF record. Tilde is for a softfail, the message will be accepted and marked if it doesn’t match parameters specified. Dash is for a hardfail, the message will be rejected if it doesn’t match.

https://serverfault.com/questions/663087/what-is-the-difference-between-all-and-all-in-a-dns-spf-record

Caveats with SPF

SPF records can only have 10 entries. See here:
https://support.google.com/a/answer/10685928?hl=en
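
The checks from this section as an added Python example (not part of the original article): it reads a domain's TXT records, reports whether the record ends in softfail or hardfail, flags more than one SPF TXT record, and counts the terms that cause DNS lookups (include, a, mx, ptr, exists, redirect), which is how RFC 7208 applies the limit of 10. `lint_spf` is a hypothetical helper, the IP address and example.net names are constructed, and the count covers only the record given, not records pulled in through include.

```python
import re

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RESULT = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}
TERM = re.compile(r"([-~?+]?)([a-z][a-z0-9_.-]*)([:=/].*)?")


def lint_spf(txt_records):
    """Lint the TXT records published for one domain.

    Returns (info, problems): info holds the result of the 'all' term and the
    number of lookup terms in this record; problems is a list of strings.
    """
    info, problems = {"all": None, "lookups": 0}, []
    cleaned = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in cleaned if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return info, ["no v=spf1 TXT record found"]
    if len(spf) > 1:
        # More than one SPF record makes receivers return a permanent error.
        problems.append("%d SPF TXT records found; merge them into one" % len(spf))
    terms = spf[0].lower().split()[1:]
    for pos, term in enumerate(terms):
        m = TERM.fullmatch(term)
        if not m:
            problems.append("unparseable term: %s" % term)
            continue
        qualifier, name = m.group(1) or "+", m.group(2)
        if name in LOOKUP_TERMS:
            info["lookups"] += 1
        if name == "all":
            info["all"] = ALL_RESULT[qualifier]
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if info["all"] not in ("softfail", "hardfail") and not has_redirect:
        problems.append("record does not end in ~all or -all")
    if info["lookups"] > 10:
        problems.append("%d lookup terms; the limit is 10" % info["lookups"])
    return info, problems


# Constructed sample: the page's record with a documentation-range IP filled in.
SAMPLE = "v=spf1 a mx ip4:192.0.2.10 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    print(lint_spf([SAMPLE]))
    print(lint_spf([SAMPLE, "v=spf1 include:_spf.example.net ~all"]))
```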

Can you forward email to Google from a non-Google domain and still have SPF pass?

In our opinion, it’s impossible to forward email to Google from a non-Google domain and still have SPF pass. This is most likely due to security restrictions – how can Google be programmed to accept legitimate email from “any” domain and make it pass?

Edit: It’s possible to forward email to Google and make SPF pass. You need Postfix and root access to the server. See here:

https://kb.vander.host/email/srs-a-beautiful-technology-which-means-you-can-forward-your-emails-to-google/

Here is some substantiation to that claim:

https://serverfault.com/questions/613943/spf-softfail-for-forwarded-emails-to-gmail-account/613961

A typical Google fail for SPF forwarding will look like this:

After SRS implementation you have this:

More SPF guides

Hard fail versus soft fail

https://knowledge.ondmarc.redsift.com/en/articles/1148885-spf-hard-fail-vs-spf-soft-fail

DKIM

The DKIM guide is quite intense, but if you follow the exact guide below, and the tip, then you will be good.

Reference

https://philio.me/setting-up-dkim-with-sendmail-on-ubuntu-14-04/

If you don’t have a listener on port 8891, then follow the last answer on this post, the one about ExecStart:

https://serverfault.com/questions/863468/milter-opendkim-error-connecting-to-filter-connection-refused-by-localhost

How to test? Well, when you’re done, send a message to Gmail, reveal the entire message, and then look for PASS x 2.

Google DKIM

https://support.google.com/a/answer/174124

https://support.google.com/a/answer/180504

Other guides

Google SPF

https://support.google.com/a/answer/33786?hl=en

General SPF

https://mediatemple.net/community/products/dv/204404314/how-can-i-create-an-spf-record-for-my-domain

Include more than one SPF (DON’T ADD 2 X TXT!!!)

https://serverfault.com/questions/283125/how-to-include-multiple-domains-in-an-spf-txt-record

Office 365 @ Go Daddy

https://docs.microsoft.com/en-us/office365/admin/dns/create-dns-records-at-godaddy?view=o365-worldwide

 
