No Hair Github Pages

Setting up a mailserver on OpenBSD 6.9: DKIM & DMARC

B. DKIM and DMARC

1. DKIM (DomainKeys Identified Mail) is a method for cryptographically signing the mail a server sends. The private key is kept on the server and signs each outgoing message; the public key is published in a DNS TXT record so receiving servers can verify the signature and confirm that the message really came from the domain's server and was not altered in transit.

First, let's generate the key pair. Create the user and group _dkimsign:

$ doas groupadd -v _dkimsign
$ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _smtpd _dkimsign

You'll also need the _dovecot user and group (used for the file ownership below), so if you haven't already, install Dovecot:

$ doas pkg_add dovecot

Now make the /etc/mail/dkim directory (it will be owned by root, so the key generation below runs under doas as well):

$ doas mkdir /etc/mail/dkim
$ cd /etc/mail/dkim

Generate the key pair (2048-bit RSA):

$ doas openssl genrsa -out private.key 2048
$ doas openssl rsa -in private.key -pubout -out public.key

Fix the ownership and permissions so that the private key is readable only by its owner while the public key can be read by anyone:

$ doas chmod 0400 private.key
$ doas chmod 0444 public.key
$ doas chown -R _smtpd:_dovecot /etc/mail/dkim/

Whichever daemon signs the mail must be able to read private.key. If you sign with rspamd as described below, that daemon runs as its own unprivileged user (_rspamd on OpenBSD), so check that it can open the file, e.g. with doas -u _rspamd cat /etc/mail/dkim/private.key, and adjust the owner or group if it cannot.

Now, let's create the DNS record. The format is:

anyalphanumstring._domainkey   86400   IN      TXT     "v=DKIM1; k=rsa; t=s; p=<public key>"

"anyalphanumstring" is the selector and can be any alphanumeric string; I usually use the date of the key generation so I can track when a new one has been added. _domainkey is the literal word; it does not refer to your domain's name. v=DKIM1 is optional but recommended, k=rsa names the key type, and t=s is the strict flag: the signing identity (i=) in a signature must then be exactly the d= domain, not a subdomain of it.

<public key> is the base64 key value from public.key with the -----BEGIN/END----- lines removed and the remaining lines joined into one. You can generate this with:

$ awk '/-----/{ if (NR != 1) print ""; next } { printf "%s", $0 }' /etc/mail/dkim/public.key

or use your favorite editor.

Note that the p= value of a 2048-bit key is about 390 characters, longer than the 255-octet limit of a single TXT string, so most zone files need it split into several quoted strings placed one after another inside the same record; resolvers concatenate them when the record is read.
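The key generation and record construction above, as an added shell example that is not from the original post: it generates the key pair with openssl, strips the PEM headers, and splits the long p= value into quoted strings of at most 255 characters so the record can be pasted into a zone file. The selector 20210812, the script name and the /etc/mail/dkim paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): generate a DKIM key pair and
# turn the public key into a DNS TXT record.  A 2048-bit RSA public key is
# roughly 392 base64 characters and a single TXT string may hold at most 255
# octets, so the record is emitted as several quoted strings that resolvers
# concatenate.  The selector and the directory used below are assumptions.
set -eu

# gen_keypair DIR: create DIR/private.key (mode 0400) and DIR/public.key.
# Needs openssl; run under doas when DIR is root-owned.
gen_keypair() {
    dir=$1
    ( umask 077; openssl genrsa -out "$dir/private.key" 2048 2>/dev/null )
    openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.key" 2>/dev/null
    chmod 0444 "$dir/public.key"
}

# pem_body FILE: print the base64 body of a PEM file as one line,
# i.e. without the -----BEGIN/END----- lines and without newlines.
pem_body() {
    sed -e '/^-----/d' "$1" | tr -d '\n'
}

# split_txt STRING: print STRING as quoted chunks of at most 255 characters,
# the form a zone file needs for a TXT record longer than one string.
split_txt() {
    rest=$1
    out=""
    while [ ${#rest} -gt 255 ]; do
        out="$out\"$(printf '%s' "$rest" | cut -c1-255)\" "
        rest=$(printf '%s' "$rest" | cut -c256-)
    done
    printf '%s"%s"\n' "$out" "$rest"
}

# dkim_txt_record SELECTOR PUBKEY_PEM: emit the zone-file line for the DKIM record.
dkim_txt_record() {
    sel=$1
    body=$(pem_body "$2")
    printf '%s._domainkey 86400 IN TXT %s\n' "$sel" \
        "$(split_txt "v=DKIM1; k=rsa; t=s; p=$body")"
}

# Usage (assumed script name and paths):
#   doas sh dkim-record.sh gen /etc/mail/dkim
#   sh dkim-record.sh record 20210812 /etc/mail/dkim/public.key
case "${1:-}" in
    gen)    gen_keypair "$2" ;;
    record) dkim_txt_record "$2" "$3" ;;
esac
```

The output line can be appended to the zone as-is; if your DNS provider's web form only accepts a single value, paste the strings without the surrounding quotes and let the provider split them.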

You may read about _adsp._domainkey records (ADSP, RFC 5617), but that mechanism has been declared historic and receivers no longer use it. You can leave these off; DMARC (below) replaces it.

You can sign the outgoing emails with dkimproxy (in ports) or with rspamd (since v1.5). We will use rspamd. When you set it up, you need to add a stanza to its dkim_signing module configuration (local.d/dkim_signing.conf) to get the emails signed:

allow_username_mismatch = true;

domain {
	example.com {
		path = "/etc/mail/dkim/private.key";
		selector = "anyalphanumstring";
	}
}

where "anyalphanumstring" is the same selector you used in the DKIM TXT DNS record, and path points at the private key generated above. allow_username_mismatch lets rspamd sign mail from authenticated users whose username does not match the sending domain. We'll get back to this in the rspamd setup.

2. DMARC

This is relatively simple: a single TXT record at _dmarc under your domain:

_dmarc.example.com. TXT "v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:someone@example.com; ruf=mailto:someone@example.com"

where someone@example.com is the address that should receive the reports, normally the mail server administrator/postmaster, like postmaster@example.com. The address does not have to be on the mail server we are building here.

p= and sp= tell receivers what to do with mail from the domain and from its subdomains that fails DMARC. aspf=s and adkim=s require the SPF domain and the DKIM d= domain to match the From: domain exactly (the default, r, also accepts subdomains of the same organisational domain). fo=1 asks for a failure report when either SPF or DKIM fails rather than only when both do. rua= receives the aggregate reports that most large receivers send; ruf= receives per-message failure reports, which few receivers send. Bear in mind that p=reject discards any of your mail that fails DMARC (no aligned SPF pass and no aligned DKIM pass), so until you have confirmed that both checks pass for everything you send, it is safer to start with p=none and tighten to quarantine and then reject.
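The alignment rules behind aspf=s and adkim=s, as an added shell example that is not from the original post: it evaluates a message the way a receiving server would, passing DMARC when SPF or DKIM passed and the domain that passed is aligned with the From: domain. The organisational-domain rule is a stated simplification (last two labels; real receivers use the Public Suffix List), and the domains in the scenarios are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): how a receiver applies the
# aspf/adkim alignment modes in a DMARC record.  DMARC passes when SPF or DKIM
# passed AND the domain that passed is aligned with the RFC5322.From domain:
# identical in strict mode (s), same organisational domain in relaxed mode (r).
# The organisational-domain rule below is an assumption (last two labels);
# real receivers consult the Public Suffix List.
set -eu

# org_domain DOMAIN: approximate organisational domain (last two labels).
org_domain() {
    printf '%s\n' "$1" | awk -F. '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }'
}

# aligned AUTH_DOMAIN FROM_DOMAIN MODE: exit 0 when AUTH_DOMAIN aligns with
# FROM_DOMAIN under MODE ("s" strict, "r" relaxed); comparison is case-insensitive.
aligned() {
    auth=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    from=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $3 in
        s) [ "$auth" = "$from" ] ;;
        r) [ "$(org_domain "$auth")" = "$(org_domain "$from")" ] ;;
        *) return 1 ;;
    esac
}

# dmarc_result FROM_DOMAIN SPF_DOMAIN SPF_RESULT DKIM_D DKIM_RESULT ASPF ADKIM
# SPF_DOMAIN is the MAIL FROM domain SPF evaluated, DKIM_D the d= of a verified
# signature; each result is "pass" or anything else.  Prints pass or fail.
dmarc_result() {
    if [ "$3" = pass ] && aligned "$2" "$1" "$6"; then
        echo pass
    elif [ "$5" = pass ] && aligned "$4" "$1" "$7"; then
        echo pass
    else
        echo fail
    fi
}

# Constructed scenarios for the record above (aspf=s; adkim=s); run with "demo".
if [ "${1:-}" = demo ]; then
    # MAIL FROM uses a subdomain: SPF passes but is not strictly aligned, the
    # DKIM signature with d=example.com is, so DMARC passes via DKIM.
    dmarc_result example.com bounce.example.com pass example.com pass s s
    # Same message with the DKIM signature broken in transit: fails under aspf=s ...
    dmarc_result example.com bounce.example.com pass example.com fail s s
    # ... but would pass if the record used aspf=r instead.
    dmarc_result example.com bounce.example.com pass example.com fail r s
fi
```

The second scenario is the common way strict alignment bites: bounces or mailing-list traffic sent with a subdomain in MAIL FROM pass SPF yet count as unaligned, so with aspf=s you depend entirely on the DKIM signature surviving the path to the receiver.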

3. Testing DKIM and DMARC

You can use https://mxtoolbox.com/ to check that all your DNS records are published and to confirm spelling and syntax. You can also query them directly, e.g. with dig TXT anyalphanumstring._domainkey.example.com and dig TXT _dmarc.example.com, which shows exactly what other servers will see once the zone has propagated.

You can use https://dkimvalidator.com/ to actually send an email and have its signature checked, but that assumes you already have the mail server sending.

Sources:

There are multiple sources for this on the web. The most complete for DKIM configuration is https://wiki.ircnow.org/index.php?n=DNS.DKIM#toc-4

The section on DMARC is good here: https://prefetch.eu/blog/2020/email-server/#dkim

Next: Get TLS certificates

Previous: DNS


Posted by Gordon, No Hair Github Pages, August 12, 2021

© nohair.net and the author

For comments, corrections, and addenda, email: gordon[AT]nohair.net
