Setup Email Server From Scratch On FreeBSD #2 - 06 SPF DKIM DMARC

05 PostfixAdmin <- Intro -> 07 RoundCube WebMail

We believe in data independence, and support others who want data independence.
Debian Email From Scratch version 2 finished 2025-07-30.
We are still adding to it but it all works!

#########################################
# Setting Up SPF DMARC and DKIM Records #
#########################################

To improve mail delivery to other email servers we need to setup SPF, DKIM, and
DMARC records so recipient mail servers can identify we are allowed to send
emails for our domain. We also need these mail filters, milters, to mark or
block incoming spam. To setup these records we need to modify the DNS records
for our domain. I covered DMARC and SPF DNS setup on the first page of server
installation, and I'll post it here again to refresh.

Login to your DNS provider, which is usually the same as domain registrar. I use
Namecheap and DNS is included with the domain registration, no extra charge.

DKIM requires dnssec so enable dns security aka dnssec. Go to the NameCheap
advanced DNS page and toggle on DNSSEC. The toggle may be a little broken, so
click in the empty space where it's supposed to appear till it toggles on and
is visible. Test with dig and look for the ad flag using another dnssec
enabled name server. The 'ad' flag won't show up if you test against the
master nameserver for the same domain.

Namecheap Advanced DNS -> Toggle On DNS Sec

Test if dnssec is enabled, look for the line with the 'ad' flag

root@okdeb.com:~# dig @8.8.8.8 okdeb.com +dnssec +multiline
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Here is what you should have setup with your DNS already.

Namecheap -> Account -> Domains -> DNS -> Advanced DNS

Add New Records
A @ 15.204.113.148
AAAA @ 2604:2dc0:202:300::3645
A mail 15.204.113.148
A mx 15.204.113.148
AAAA mail 2604:2dc0:202:300::3645
AAAA mx 2604:2dc0:202:300::3645
CNAME autoconfig mx.okdeb.com
CNAME autodiscover mx.okdeb.com
CNAME www okdeb.com
TXT @ v=spf1 ip4:15.204.113.148 ip6:2604:2dc0:202:300::3645/64 mx ~all
TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:postmaster@okdeb.com; ruf=mailto:postmaster@okdeb.com; sp=quarantine

In Custom MX Records
MX @ mx.okdeb.com 0
MX @ mail.okdeb.com 10

You will need to add a SV records for Autodiscover
Type Service Protocol Priority Weight Port Target
SRV Record _autodiscover _tcp 5 0 443 mx.okdeb.com

DMARC tells recieving servers what action to take if SPF lookup fails or
doesn't match and where to send reports of failures or problems.

SPF identifies which servers are authorized to send email on the domains behalf,
in DNS the @ means this domain and the domain name is appended to the other
entries unless you put a dot on the end.

Check the spf record ...

nslookup -type=txt okdeb.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
okdeb.com text = "v=spf1 ip4:15.204.113.148 ip6:2604:2dc0:202:300::3645/64 mx ~all

Check the dmarc record ...

nslookup -type=txt _dmarc.okdeb.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
_dmarc.okdeb.com text = "v=DMARC1; p=quarantine; rua=mailto:postmaster@okdeb.com; ruf=mailto:postmaster@okdeb.com; sp=quarantine"

You can also check your record validity with mxtoolbox.com
https://mxtoolbox.com/
Enter your domain name and submit

Setup SPF milter to check SPF records for incoming email.

apt install postfix-policyd-spf-python

Integrate policyd-spf with postfix

nano /etc/postfix/master.cf
--- add at the end ---

If there already is a smtpd_recipient_restrictions, add the "check_policy_service"
after the "reject_unauth_destination" or the server will become an open relay.

nano /etc/postfix/main.cf

Optional, change the format of the spf header line, leave as default
Header-Type = Recieved-SPF (default)
Header-Type = AR requires Authserv_Id = hostname

nano /etc/postfix-policyd-spf-python/policyd-spf.conf

systemctl restart postfix dovecot

Check if the unix socket is created in the correct location

ls /var/spool/postfix/private/policyd-spf
/var/spool/postfix/private/policyd-spf

Send a test email and check the raw email source for a line like ...

Check if SPF milter is working, send an email to the new account jack@okdeb.com
and view the source and make sure it contains a line like ...

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip...
- or -
Authentication-Results: mx.okdeb.com; spf=pass (sender SPF authorized) ...

If you have problems recieving email check with

journalctl -eu postfix
journalctl -eu dovecot


DKIM is a signature that is included in the email, the recieving server looks up
the DKIM public record on DNS does some sort of comparison with the signature in
the email to determine if it is from a valid sender. Configure the email server
to append the DKIM signature, and add the public key the DNS record.

DKIM is supposed to report secure if dnssec is enabled, so make sure dnssec is
enabled. I won't go into setting up a dnssec nameserver here.

apt install opendkim opendkim-tools

adduser postfix opendkim

Configure opendkim - change and add to
nano /etc/opendkim.conf

mkdir -p /etc/dkimkeys
chown -R opendkim:opendkim /etc/dkimkeys
chmod go-rw /etc/dkimkeys

nano /etc/opendkim/signingtable

nano /etc/opendkim/keytable

nano /etc/opendkim/trustedhosts

mkdir -p /etc/dkimkeys/okdeb.com
opendkim-genkey -b 2048 -d okdeb.com -D /etc/dkimkeys/okdeb.com -s 20250718 -v
find /etc/dkimkeys/* -type d -exec chown -R opendkim:postfix {} \;
find /etc/dkimkeys/* -type d -exec chmod 700 {} \;
chmod 600 /etc/dkimkeys/*/*.private

chown opendkim:postfix /var/spool/postfix/opendkim

echo '.*' > /etc/mail/bodylengthdb.cfg

Publish the public key with your nameserver, again I am using NameCheap, go to
Domains -> Domain -> Manage -> Advanced DNS

Make sure you have enabeled dnssec here

cat /etc/dkimkeys/okdeb.com/*.txt

This will output the key as several lines, you will need to paste this as one line,
there are usually 2 " " sections to remove and also remove the beginning and ending
quote. Then remove the quotes and spaces like ....

"v=DKIM1; h=sha256; k=rsa; " "p=MII...
v=DKIM1; h=sha256; k=rsa; p=MII...

and

...1234" "5678...
...12345678...

add this to your DNS, choose TXT Record and add the selector._domainkey then the
DKIM line all one line ...
20250718._domainkey v=DKIM1; h=sha256; k=rsa; p=MIIBI ... a very long line no spaces

The txt record can take time to propagate but is usually a few minutes.
Check it - it is normal to have a space and quotes in the output here

dig txt 20250718._domainkey.okdeb.com +dnssec +multiline
nslookup -type=txt 20250718._domainkey.okdeb.com

Test the key - in some situations it will say key not secure, it can be
ignored and is usually the result of /etc/dkimkeys directory permissions not
being secure, TrustAnchorFile is not specified in opendkim.conf, dnssec is not
enabled for the domain, using a local authoritative dns server, or dnssec
depends on ntpsec .. eg time problems.

opendkim-testkey -d okdeb.com -s 20250718 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20250718._domainkey.okdeb.com'
opendkim-testkey: key secure
opendkim-testkey: key OK

Check it with mxtoolbox

https://mxtoolbox.com

Configure openkim socket

mkdir -p /var/spool/postfix/opendkim
chown -R opendkim:postfix /var/spool/postfix/opendkim

nano /etc/default/opendkim
--- change the SOCKET line as follows ---

Configure openkim in postfix

nano /etc/postfix/main.cf
--- add these to end of file ---

systemctl restart opendkim postfix dovecot

Now try sending an email from the jack@okdeb.com account to see if the header has
been signed by opendkim. You should see some lines as follows...

Send a test mail from your mail server, in this case jack@okdeb.com.

The mail should have a header that contains something like this ...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=okdeb.com;
s=CRHdAnOqqitUaWRuNkHLdIpbgw76; t=1747256382;
bh=6GInUBItXoVjcpY1TOdSfAVLN/R6eU2ujlFwzTrfFtw=;
h=Date:To:From:Subject:From;
b=RdNarAxFLxIVz/D4sMfkK7OTzpQdgzCBX1tN6Z1xiRlPAEtq3Z6PMEbIanKhBB5Zu
BbHUodrOHVuib8hyvoCV0U6sp5Kz0jexiYqgM4R2KQkHrg+nIICfewSj6PHtfwMy8i
Tq67eaEv7jr7ShwRkZaQcqNHaZHyjFUmXlMy9y82F0mH5f2vVw+bZ2zbVMMVW3AYEv
f/espHlUSbKbQsuLxEj/TTHcNGQ7YD3Moji7PL7e57vkQTS8r4QyFh3OkI8Jc62W8E
9Rj9BA0kZ6lEFcH89wvi/BwmJowspeOcLYX3OoQtJ2UeZhrvpXg8kZAlytXJap+1dv
xdjzbn58GIq4g==

Authentication-Results: mail.otherdomain.com (amavisd-new); dkim=pass (2048-bit key)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=okdeb.com;
s=20250718; t=1752857804;
bh=PU2XIErWsXvhvt1W96ntPWZ2VImjVZ3vBY2T/A+wA3A=;
h=Date:To:From:Subject:From;
b=bbdnwmFL4iZDHbP+u9feWSwHMbaqp7N+Stq7lF09ePLDjGzegxMR5Z2p4hrzMUHB/
...
m/KD8R8a5DOGQ==

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@okdeb.com header.s=20250718 header.b=O2Rb3Ztg;
spf=pass (google.com: domain of jack@okdeb.com designates 15.204.113.148 as permitted sender) smtp.mailfrom=jack@okdeb.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=okdeb.com


Install and Configure DMARC
We do not need reports so select dbconfig-common: No

apt install opendmarc
dbconfig-common: No

nano /etc/opendmarc.conf

Make the ignore.hosts file
nano /etc/opendmarc/ignore.hosts

Create and set permissions for opendmarc socket
mkdir -p /var/spool/postfix/opendmarc
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chmod -R 750 /var/spool/postfix/opendmarc
adduser postfix opendmarc

systemctl enable opendmarc
systemctl restart opendmarc
systemctl status opendmarc

Integrate DMARC into Postfix - change the line below to include the opendmarc socket
Do NOT use smtpd_milters = local:opendkim/opendkim.sock
Use smtpd_milters = unix:opendkim/opendkim.sock

nano /etc/postfix/main.cf

systemctl restart opendkim opendmarc postfix dovecot

If opendmarc opendkim or spf daemon fails to restart or usually it will give
the error restarting too quickly it is a configuration, path, or permissions
error. It can also be a module is not installed eg. I had a module not loading
error and though I had written it up in this howto I had not actually run the
command to install the module: apt get dovecot-mysql. Check permissions on the
socket files in /var/spool/postfix, this will usually show up as unable to
create socket or permissions error, or just can't restart. In another case I
used /etc/opendkim/keys then switched to /etc/dkimkeys and made the change in
this howto but not in the actual opendkim.conf ... so opendkim happily failed
to restart with a restarting too quickly error, no indication of what was the
actual problem. So went I went through the configuration files very carefully
till I found the mistake.

Send yourelf an email and check the mail header for DMARC results.

Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from ...

Send an email from another account to your new mail server to check DMARC

grep dmarc /var/log/maillog
May 15 12:15:48 okdeb opendmarc[96573]: A853C2BE2D: domain2.net pass

As suggested by linuxbabe, a great tool to test the spammyness if your emails is
https://www.mail-tester.com

Next up Roundcube Webmail

05 PostfixAdmin <- Intro -> 07 RoundCube WebMail