First, add the mail-related records to the domain's zone on the Bind9 DNS server (or at whoever hosts the domain's DNS). The zone db file on Bind9 with those records in place follows; increase the SOA serial on every edit, otherwise secondaries and resolvers keep serving the old data:
; BIND zone file for domain.com
;
$TTL 604800
@ IN SOA domain.com. root.domain.com. (
2 ; Serial (increase on every edit)
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS domain.com.
@ IN A 83.136.253.111
mail IN A 83.136.253.111
@ IN MX 10 mail.domain.com.
@ IN TXT "v=spf1 mx a:domain.com ip4:192.4.66.7 ip6:2a0b:5a60::eb74:651f:858a:1/112 include:_spf.google.com ~all"
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArw+jkhwYC0SpuVtXtuVKysWXjq6uCu/c1sqTE6DoFE8V4adol90VxiT93HpbKG4Ih2wevDXXhWZsN//u0qhkLb3iBlEtkRzryX1Dz2MeX3W72fm/tbi5Q6SASxxetAojrQQjJtpqDZnLCnqFsWLBj+0hl6SVyo96g7h6PReAd7o27zRE1EC3W4dSOArKtQzbufCKkvUR"
    "uVtnWH1kntjLRFN3yqfvW5wAzMRCC8Cdk4KERhpzxFtjL7r2sdyrjVTTJTpzX2Hea74H/bVSWefHjubjkZBy634RSAWmpao4rQt2eaUkB6bKpg5VJlFZEebPQr2GZkzViuDi5gyf+0byhQIDAQAB" )
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:info@domain.com; ruf=mailto:info@domain.com; sp=reject; aspf=s; adkim=s; fo=0:1:d:s;"
Notes on the records above: named refuses to load a zone without an NS record at the apex, so one is added pointing at the SOA's primary name. An owner name without a trailing dot is relative to $ORIGIN, so "domain.com IN A" would define domain.com.domain.com; use @ (or domain.com. with the dot). The MX target mail.domain.com needs its own A record (the same host as the apex in this example; use the mail server's real address). The DKIM key belongs at <selector>._domainkey (selector mail here, which must match the selector used by OpenDKIM below), not at the apex, and named rejects a TXT string longer than 255 characters, so the 2048-bit key is split into several quoted strings that resolvers join back together.
DNS Record (A):
@ IN A 83.136.253.111
mail IN A 83.136.253.111
PTR Record (lives in the reverse zone, which the provider of the IP address usually controls; it must point back to the MX hostname, and that name must resolve to the same address, because many receivers check this forward-confirmed reverse DNS):
111.253.136.83.in-addr.arpa. IN PTR mail.domain.com.
MX Records (the target must be a hostname with an A/AAAA record, never a CNAME or a bare IP address):
@ IN MX 10 mail.domain.com.
SPF Records:
@ IN TXT "v=spf1 mx a:domain.com ip4:192.4.66.7 ip6:2a0b:5a60::eb74:651f:858a:1/112 include:_spf.google.com ~all"
DKIM Record (published at <selector>._domainkey, split into strings of at most 255 characters):
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArw+jkhwYC0SpuVtXtuVKysWXjq6uCu/c1sqTE6DoFE8V4adol90VxiT93HpbKG4Ih2wevDXXhWZsN//u0qhkLb3iBlEtkRzryX1Dz2MeX3W72fm/tbi5Q6SASxxetAojrQQjJtpqDZnLCnqFsWLBj+0hl6SVyo96g7h6PReAd7o27zRE1EC3W4dSOArKtQzbufCKkvUR"
    "uVtnWH1kntjLRFN3yqfvW5wAzMRCC8Cdk4KERhpzxFtjL7r2sdyrjVTTJTpzX2Hea74H/bVSWefHjubjkZBy634RSAWmpao4rQt2eaUkB6bKpg5VJlFZEebPQr2GZkzViuDi5gyf+0byhQIDAQAB" )
DMARC Record:
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:info@domain.com; ruf=mailto:info@domain.com; sp=reject; aspf=s; adkim=s; fo=0:1:d:s;"
Troubleshooting: query the records from a host outside the server, for example
dig domain.com
and repeat with the TXT and MX types, and for the names mail._domainkey.domain.com and _dmarc.domain.com, to confirm that every record is actually served. If a record is missing, check that the SOA serial was increased and that named reloaded the zone without errors.
MTA-STS: use an MTA-STS generator (the original links to one) to produce the two parts, a DNS record and a policy file.
Result (the TXT record, published at _mta-sts.domain.com; change the id= value whenever the policy file changes so that senders fetch it again):
_mta-sts IN TXT "v=STSv1; id=20240229082100"
Policy content (the mta-sts.txt file):
version: STSv1
mode: none
mx: mail.domain.com
max_age: 604800
The mx: lines must list the hostnames from the domain's MX records (mail.domain.com here; the mx.domain.com in the original output does not exist in the zone, and under enforce senders would refuse to deliver to a host the policy does not list). mode: none publishes the policy without enforcing anything; start with none or testing and switch to enforce once TLS delivery to the MX is confirmed.
Create the mta-sts.domain.com subdomain, with a certificate valid for that exact name, and upload the generated mta-sts.txt policy file to the ".well-known" folder so that it is reachable at https://mta-sts.domain.com/.well-known/mta-sts.txt directly over HTTPS (senders do not follow redirects).
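An offline check of the records above, as an added example (not code from the original notes, BIND or OpenDKIM): it counts the SPF terms that cost a DNS lookup, confirms the DKIM key sits at <selector>._domainkey and reads the RSA modulus size out of the p= value (the 2048-bit key from the zone passes, the 1024-bit key from the opendkim-genkey output further down is flagged), checks the MTA-STS policy against the zone's MX targets, and emits a BIND TXT line split into 255-byte strings. The record strings are copied from this page, the mail.domain.com MX target and the mx.domain.com policy line come from the zone and the generator output respectively, and nothing is queried over DNS.

```python
# Offline checks for the SPF, DKIM and MTA-STS records above. Added example, not code from the
# page, BIND or OpenDKIM; the samples are copied from the records above and no DNS is queried.
import base64
import re

SPF = ("v=spf1 mx a:domain.com ip4:192.4.66.7 ip6:2a0b:5a60::eb74:651f:858a:1/112 "
       "include:_spf.google.com ~all")
DKIM_2048 = ("v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
             "rw+jkhwYC0SpuVtXtuVKysWXjq6uCu/c1sqTE6DoFE8V4adol90VxiT93HpbKG4Ih2wevDXXhWZsN//u"
             "0qhkLb3iBlEtkRzryX1Dz2MeX3W72fm/tbi5Q6SASxxetAojrQQjJtpqDZnLCnqFsWLBj+0hl6SVyo96"
             "g7h6PReAd7o27zRE1EC3W4dSOArKtQzbufCKkvURuVtnWH1kntjLRFN3yqfvW5wAzMRCC8Cdk4KERhpz"
             "xFtjL7r2sdyrjVTTJTpzX2Hea74H/bVSWefHjubjkZBy634RSAWmpao4rQt2eaUkB6bKpg5VJlFZEebP"
             "Qr2GZkzViuDi5gyf+0byhQIDAQAB")
DKIM_1024 = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfC"
             "IIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZ"
             "Vn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB")
MTA_STS_POLICY = "version: STSv1\nmode: none\nmx: mx.domain.com\nmax_age: 604800\n"
MX_HOSTS = ["mail.domain.com."]                 # targets of the zone's MX records
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # each costs a DNS lookup

def parse_tags(record):
    """'k=v; k=v' (DKIM/DMARC) -> dict; quotes and whitespace dropped."""
    pairs = (p.split("=", 1) for p in record.replace('"', "").split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def _der(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in a DKIM p= value (base64 SubjectPublicKeyInfo)."""
    _, spki, _ = _der(base64.b64decode(p_value), 0)  # SEQUENCE { algorithm, BIT STRING }
    _, _alg, pos = _der(spki, 0)                     # AlgorithmIdentifier, skipped
    _, bits, _ = _der(spki, pos)                     # BIT STRING; bits[0] = unused-bit count
    _, rsa_key, _ = _der(bits[1:], 0)                # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _der(rsa_key, 0)                 # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def zone_txt(name, value):
    """BIND TXT line for `value`, split into the <=255-byte strings a zone file needs."""
    chunks = " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))
    return f"{name} IN TXT ( {chunks} )"

def check_dkim(name, record):
    """Findings for a DKIM key record published at `name`, e.g. 'mail._domainkey'."""
    tags, findings = parse_tags(record), []
    if "._domainkey" not in name:
        findings.append(f"DKIM keys live at <selector>._domainkey, not at {name}")
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        findings.append("record must carry v=DKIM1 and k=rsa")
    if not tags.get("p"):
        findings.append("empty p= means the key is revoked")
    elif rsa_modulus_bits(tags["p"]) < 2048:
        findings.append(f"{rsa_modulus_bits(tags['p'])}-bit key; RFC 8301 recommends 2048")
    return findings

def check_spf(record):
    """Findings for an SPF record; include: targets are not followed, so the count is a lower bound."""
    terms = record.replace('"', "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    names = [re.split(r"[:=/]", t.lstrip("+-~?").lower(), 1)[0] for t in terms[1:]]
    findings, last = [], terms[-1].lower()
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 lookup terms; receivers return permerror (RFC 7208)")
    if last in ("all", "+all"):
        findings.append("+all lets any host send as this domain")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        findings.append("record should end with -all or ~all")
    return findings

def check_mta_sts(policy, mx_hosts):
    """Findings for an MTA-STS policy file checked against the zone's MX targets."""
    fields, policy_mx, findings = {}, [], []
    for line in policy.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy_mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1" or fields.get("mode") not in ("none", "testing", "enforce"):
        findings.append("policy needs version: STSv1 and mode: none|testing|enforce")
    elif fields["mode"] == "none":
        findings.append("mode none is never enforced; use testing, then enforce")
    for host in (h.lower().rstrip(".") for h in mx_hosts):
        if not any(host == m or (m.startswith("*.") and host.endswith(m[1:])
                                 and host.count(".") == m.count(".")) for m in policy_mx):
            findings.append(f"MX host {host} is not covered by an mx: line")
    return findings

if __name__ == "__main__":
    for label, found in [("spf", check_spf(SPF)), ("dkim at apex", check_dkim("@", DKIM_1024)),
                         ("mta-sts", check_mta_sts(MTA_STS_POLICY, MX_HOSTS))]:
        print(label, found or "ok")
    print(zone_txt("mail._domainkey", DKIM_2048))
```

The DER walk is deliberately minimal: it trusts the length bytes of a record you control, which is fine for auditing your own zone but not for parsing keys fetched from arbitrary domains.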
sudo apt install opendkim opendkim-tools
sudo mkdir -p /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo nano /etc/opendkim.conf
(opendkim-tools provides the opendkim-genkey command used below; the directory is created before it is chowned.)
- Update these settings (values not listed keep the package defaults):
AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Mode sv
Canonicalization relaxed/simple
UserID opendkim:opendkim
Socket inet:12301@localhost
PidFile /var/run/opendkim/opendkim.pid
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Mode sv signs outgoing mail (s) and verifies incoming mail (v). Canonicalization relaxed/simple tolerates whitespace and case changes in headers in transit, but any change to the body breaks the signature. Domain, Selector and KeyFile are the single-key alternative to KeyTable/SigningTable and are ignored once a KeyTable is defined, so they are left out. RequireSafeKeys is left at its default (True): OpenDKIM then refuses a private key that other users can read, which is the check you want; fix the key file's owner and mode (see the key generation step) instead of setting it to False as the original notes did.
sudo nano /etc/default/opendkim
Add the following line. The value must be the same as the Socket line in opendkim.conf (change the port only if you changed it there). On recent Debian/Ubuntu releases this file is marked as legacy and the systemd service takes Socket from /etc/opendkim.conf, so keeping the two in step avoids surprises:
SOCKET="inet:12301@localhost"
sudo nano /etc/postfix/main.cf
Point Postfix at the OpenDKIM milter. The address must match the Socket line in opendkim.conf (inet:12301@localhost above); 8891 is only OpenDKIM's upstream default port, and nothing listens there with this configuration:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = $smtpd_milters
milter_default_action = accept means Postfix still delivers mail, unsigned, when the milter is down; with the p=reject DMARC policy published above that mail is likely to be rejected by receivers, so for a signing-only milter tempfail (keep the mail queued until OpenDKIM is back) is the safer value.
Optional, if spamass-milter is also in use (when smtpd runs chrooted, the unix: path is interpreted relative to the Postfix queue directory, /var/spool/postfix):
smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
sudo mkdir -p /etc/opendkim/keys
(-p makes this harmless if the directories already exist from the installation step.)
sudo nano /etc/opendkim/TrustedHosts
Hosts and networks listed here are treated as internal: their mail is signed rather than verified (InternalHosts) and they may send as any of the signing domains without credentials (ExternalIgnoreList), so list only the server itself and networks you control:
127.0.0.1
localhost
192.168.0.0/24
*.domain.com
#*.domain.net
#*.domain.org
sudo nano /etc/opendkim/KeyTable
One line per signing key, in the form keyname domain:selector:path-to-private-key. The key name is what SigningTable refers to and is conventionally selector._domainkey.domain; the path is the .private file written by opendkim-genkey, which is named after the selector. Multiple domains can be listed, one per line. With selector mail for domain.com:
mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private
sudo nano /etc/opendkim/SigningTable
This file maps sender addresses (wildcard patterns, because the table is loaded with refile:) to the KeyTable entry whose key signs them. The right-hand side must match a key name in KeyTable exactly, and that key's domain should be the sender's domain so that the signature aligns with the From address under adkim=s:
*@domain.com mail._domainkey.domain.com
#*@domain.net mail._domainkey.domain.net
#*@domain.org mail._domainkey.domain.org
Change to the keys directory:
cd /etc/opendkim/keys
Create a separate folder for the domain to hold the keys:
sudo mkdir domain.com
cd domain.com
Generate the keys:
sudo opendkim-genkey -b 2048 -d domain.com -D /etc/opendkim/keys/domain.com -s mail -v
-s specifies the selector, -d the domain and -b the RSA key size. The original notes used -b 1024; RFC 8301 recommends 2048-bit signing keys and some receivers now treat 1024-bit keys as weak, so generate 2048. The command creates two files named after the selector: mail.private is the private key and mail.txt contains the public key as a ready-made DNS record.
Change the owner of the private key to opendkim and make sure its mode is 0600 (owner read/write only); with RequireSafeKeys at its default, OpenDKIM refuses a key that other users can read:
sudo chown opendkim:opendkim mail.private
Open mail.txt:
sudo cat /etc/opendkim/keys/domain.com/mail.txt
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key mail for domain.com
(This sample output is from a 1024-bit key; a 2048-bit key gives a longer p= value, which opendkim-genkey splits into two quoted strings. The selector in the record name, mail, is the one given to -s.)
Copy that key and add a TXT record to your domain's DNS entries. On the Bind9 server, paste the line from mail.txt into the zone file as it is (the quoted strings and the parenthesised multi-line form are valid zone syntax), increase the SOA serial and reload the zone. At a hosted DNS provider (Cloudflare in this example):
Important Notes: Name/Target: mail._domainkey (the selector given to -s, followed by ._domainkey). Content: the value from mail.txt joined into one string, with the double quotes and the whitespace between the quoted parts removed; the provider splits long values itself.
Name: mail._domainkey.domain.com.
Text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB"
sudo service postfix restart
sudo service opendkim restart
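A consistency check across the files just edited, added here as an example (not code from the original notes, OpenDKIM or Postfix). It normalises milter addresses so that OpenDKIM's inet:port@host form and Postfix's inet:host:port form compare equal, expands $smtpd_milters, and checks that every SigningTable entry points at an existing KeyTable key for the sender's domain. The file contents are constructed inline: the *_BROKEN set reproduces the original notes (Postfix talking to port 8891 while OpenDKIM listens on 12301; a SigningTable naming a key the KeyTable never defines), the *_FIXED set the wiring described above.

```python
# Consistency lint for the OpenDKIM and Postfix files edited above. Added example, not code from
# the page, OpenDKIM or Postfix. The file contents are constructed inline: the *_BROKEN set
# reproduces the mismatches in the original notes, the *_FIXED set the corrected wiring.
OPENDKIM_CONF = """\
Mode sv
Socket inet:12301@localhost
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
"""
MAIN_CF_BROKEN = """\
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
"""
MAIN_CF_FIXED = MAIN_CF_BROKEN.replace("inet:127.0.0.1:8891", "inet:localhost:12301")
KEYTABLE_BROKEN = ("youselector._domainkey.yourdomain.com "
                   "yourdomain.com:selector:/etc/opendkim/keys/yourdomain.com/default.private\n")
SIGNINGTABLE_BROKEN = "*@example.com mail._domainkey.example.com\n"
KEYTABLE_FIXED = "mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private\n"
SIGNINGTABLE_FIXED = "*@domain.com mail._domainkey.domain.com\n"

def kv_lines(text):
    """(key, value) pairs from 'key value' (OpenDKIM) or 'key = value' (Postfix) files."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if parts:
            yield parts[0], parts[1].strip() if len(parts) > 1 else ""

def endpoint(spec):
    """Normalise a milter address so OpenDKIM's inet:PORT@HOST and Postfix's inet:HOST:PORT
    compare equal; loopback names are folded together, a missing host means all interfaces."""
    kind, _, rest = spec.strip().partition(":")
    if kind != "inet":
        return (kind, rest)                       # unix:/path or local:/path
    if "@" in rest:
        port, _, host = rest.partition("@")       # OpenDKIM form
    else:
        host, _, port = rest.rpartition(":")      # Postfix form
    host = "localhost" if host in ("127.0.0.1", "::1", "localhost") else host or "*"
    return ("inet", host, int(port))

def postfix_milters(main_cf):
    """Endpoints Postfix will hand mail to, with $smtpd_milters expanded."""
    conf = dict(kv_lines(main_cf))
    found = set()
    for key in ("smtpd_milters", "non_smtpd_milters"):
        value = conf.get(key, "").replace("$smtpd_milters", conf.get("smtpd_milters", ""))
        found.update(endpoint(s) for s in value.replace(",", " ").split())
    return found

def lint(opendkim_conf, main_cf, keytable, signingtable):
    """Problems in the wiring between the four files; an empty list means consistent."""
    findings, conf = [], dict(kv_lines(opendkim_conf))
    if "Socket" not in conf:
        findings.append("opendkim.conf has no Socket line")
    elif endpoint(conf["Socket"]) not in postfix_milters(main_cf):
        findings.append(f"no Postfix milter address matches OpenDKIM Socket {conf['Socket']}; "
                        "mail would leave unsigned (or tempfail)")
    keys = {name: value.split(":", 2) for name, value in kv_lines(keytable)}  # domain, selector, path
    for pattern, keyname in kv_lines(signingtable):
        if keyname not in keys:
            findings.append(f"SigningTable entry {pattern} -> {keyname}: no such KeyTable key")
        elif pattern.rsplit("@", 1)[-1] != keys[keyname][0]:
            findings.append(f"{pattern} would be signed with a key for {keys[keyname][0]}, "
                            "so d= will not align with the From domain")
    return findings

if __name__ == "__main__":
    print("as in the notes:", lint(OPENDKIM_CONF, MAIN_CF_BROKEN, KEYTABLE_BROKEN, SIGNINGTABLE_BROKEN))
    print("corrected:", lint(OPENDKIM_CONF, MAIN_CF_FIXED, KEYTABLE_FIXED, SIGNINGTABLE_FIXED))
```

Run it against the real files with open(...).read() in place of the constants; the unix: case is included so a spamass-milter entry in smtpd_milters does not trip the comparison.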
The configuration can be tested by sending an empty email to
check-auth@verifier.port25.com
and a reply will be received. If everything works correctly you should see DKIM check: pass
under Summary of Results.
Alternatively, send a message to a Gmail address that you control and view the received email's headers in Gmail (Show original); dkim=pass should be present in the Authentication-Results header field:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
dkim=pass header.i=@example.com;
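How a receiver turns that header into a DMARC verdict under the aspf=s; adkim=s policy published earlier, as an added example (not code from the original notes or from Gmail). It parses Authentication-Results, takes the SPF identifier from smtp.mailfrom (or smtp.mail, as spelled in the sample above) and the DKIM identifier from header.d or header.i, and applies strict or relaxed alignment against the From domain. The headers are constructed: the first reproduces the sample above with its --- placeholder kept as-is, the second is a subdomain case that passes relaxed but fails strict alignment. The organizational-domain step is approximated with the last two labels instead of the Public Suffix List.

```python
# DMARC alignment from an Authentication-Results header. Added example, not code from the page
# or from Gmail; the headers are constructed, and org_domain() is an approximation that a real
# evaluator would replace with a Public Suffix List lookup.
import re

GMAIL_SAMPLE = """Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
       dkim=pass header.i=@example.com;"""
SUBDOMAIN_SAMPLE = """Authentication-Results: mx.example.net;
       spf=pass smtp.mailfrom=bounce@bounce.example.com;
       dkim=pass header.d=mail.example.com header.s=mail"""

def parse_auth_results(header):
    """[(method, result, {property: value})] from an Authentication-Results header."""
    body = re.sub(r"\([^)]*\)", "", header.split(":", 1)[1])      # drop (...) comments
    results = []
    for clause in re.sub(r"\s+", " ", body).split(";")[1:]:       # [0] is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results

def org_domain(domain):
    """Organizational domain approximated as the last two labels (wrong for example.co.uk;
    RFC 7489 evaluators use the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)

def dmarc_evaluate(from_address, header, aspf="r", adkim="r"):
    """(passes, reasons): DMARC passes if an SPF pass or a DKIM pass is aligned with From."""
    from_domain = from_address.rsplit("@", 1)[-1]
    passes, reasons = False, []
    for method, result, props in parse_auth_results(header):
        if result != "pass" or method not in ("spf", "dkim"):
            continue
        if method == "spf":    # envelope sender; the sample spells the property smtp.mail
            ident = (props.get("smtp.mailfrom") or props.get("smtp.mail", "")).rsplit("@", 1)[-1]
            mode = aspf
        else:                  # signing domain d=, or the domain part of the i= identity
            ident = props.get("header.d") or props.get("header.i", "").rsplit("@", 1)[-1]
            mode = adkim
        ok = aligned(ident, from_domain, mode)
        passes = passes or ok
        reasons.append(f"{method} pass, {ident} {'aligned' if ok else 'not aligned'} with {from_domain} ({mode})")
    return passes, reasons

if __name__ == "__main__":
    print(dmarc_evaluate("contact@example.com", GMAIL_SAMPLE, aspf="s", adkim="s"))
    print(dmarc_evaluate("contact@example.com", SUBDOMAIN_SAMPLE, aspf="s", adkim="s"))
    print(dmarc_evaluate("contact@example.com", SUBDOMAIN_SAMPLE))
```

The second sample is the case strict alignment is meant to catch: mail signed with a key for mail.example.com and sent from bounce.example.com passes under the default relaxed mode but fails under the aspf=s; adkim=s record above, so any subdomain that sends mail needs its own aligned key or SPF before that policy goes live with p=reject.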