SPF, DKIM and DMARC are three important tools against spam, which play similar but different roles. SPF is passive and helps others from getting spam in your name, DKIM is both active and passive and helps you block spam as well as others, while DMARC is a passive method that combines the powers of SPF and DKIM together.
Prepare
The following TXT records need to be setup for all hosted domains, subdomains, including the FQDN of the server itself. For our example, lets pretend that we own the domain "
example.tld", thus a typical system will have:
- example.tld (domain name)
- myserver.example.tld (FQDN of the server)
- www.example.tld (subdomain name)
Typically, your website will be
www.example.tld, your email server will appear as the FQDN
myserver.example.tld and your email addresses will look like
something@example.tld.
What you need to understand, is that you need TXT records FOR ALL 3 of the above names, not just
example.tld.
SPF
This is simple to setup because it is a passive protection. For the most part, a single server tells others that he is the only one allowed to send emails on behalf of its hosted domains, like this:
Code:
v=spf1 +a +mx -all
In some cases, we don't want emails for a particular domain and/or subdomain. For example, we don't want
something@www.example.tld. In these cases, we use an empty SPF record, like this:
Code:
v=spf1 -all
Create TXT records for all domains and subdomains:
Code:
Name Value
v=spf1 +a +mx -all (blank name implies the domain name)
myserver v=spf1 +a +mx -all
www v=spf1 -all
Allow myself (A record), my mail server (MX record) and reject emails originating from all others. If you want, you may add more addresses, or even
include additional SPF records. More details about SPF syntax you can find at
openspf.org.
DKIM
This is more complex system and requires an active daemon that generates an encrypted signature and also performs foreign signature checks. CentOS comes with OpenDKIM. If you are using the
self-hosting script then OpenDKIM is already installed and configured for you.
By default, OpenDKIM will keep a copy of a TXT record at:
/etc/opendkim/keys/default.txt which looks like this:
Code:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=longstringinhere" ) ; ----- DKIM key default for example.tld
Just copy the two quoted strings without the double quotes and create a TXT record that you can use with Linode's DNS Manager, so the above would look like:
Code:
v=DKIM1; k=rsa; p=longstringinhere
Now create TXT records for all your domains, subdomains and the FQDN of the server, for example:
Code:
Name Value
default._domainkey v=DKIM1; k=rsa; p=longstringinhere
default._domainkey.myserver v=DKIM1; k=rsa; p=longstringinhere
default._domainkey.www v=DKIM1; k=rsa; p=longstringinhere
DMARC
While this technology is easy to setup, because it is similarly passive as SPF, but the implications are very widespread. DMARC will prevent others from sending emails in your name, while that sounds awesome, it will affect mailing lists which forward your emails without modification. All major mailing lists have been improved and now compensate for DMARC so there is nothing to worry about there. You can read more about this technology at the
DMARC FAQ and
DMARC Overview.
A restrictive DMARC record that blocks foreign emails from using your name looks like this:
Code:
v=DMARC1; p=reject; adkim=s; aspf=s; sp=reject
Create a TXT record for your domain, for example:
Code:
Name Value
_dmarc v=DMARC1; p=reject; adkim=s; aspf=s; sp=reject