2023-05-10 08:37:26 +00:00
<!doctype html>
< html lang = "en" class = "no-js" >
< head >
< meta charset = "utf-8" >
< meta name = "viewport" content = "width=device-width,initial-scale=1" >
< meta name = "description" content = "A fullstack but simple mail-server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) using Docker." >
< meta name = "author" content = "docker-mailserver (Github Organization)" >
< link rel = "canonical" href = "https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/" >
< link rel = "prev" href = "../../user-management/" >
< link rel = "next" href = "../autodiscover/" >
< link rel = "icon" href = "../../../assets/logo/favicon-32x32.png" >
< meta name = "generator" content = "mkdocs-1.4.2, mkdocs-material-9.1.5" >
< title > DKIM, DMARC & SPF - Docker Mailserver< / title >
< link rel = "stylesheet" href = "../../../assets/stylesheets/main.7a7fce14.min.css" >
< link rel = "stylesheet" href = "../../../assets/stylesheets/palette.a0c5b2b5.min.css" >
< link rel = "preconnect" href = "https://fonts.gstatic.com" crossorigin >
< link rel = "stylesheet" href = "https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback" >
< style > : root { --md-text-font : "Roboto" ; --md-code-font : "Roboto Mono" } < / style >
< link rel = "stylesheet" href = "../../../assets/css/customizations.css" >
< script > _ _md _scope = new URL ( "../../.." , location ) , _ _md _hash = e => [ ... e ] . reduce ( ( e , _ ) => ( e << 5 ) - e + _ . charCodeAt ( 0 ) , 0 ) , _ _md _get = ( e , _ = localStorage , t = _ _md _scope ) => JSON . parse ( _ . getItem ( t . pathname + "." + e ) ) , _ _md _set = ( e , _ , t = localStorage , a = _ _md _scope ) => { try { t . setItem ( a . pathname + "." + e , JSON . stringify ( _ ) ) } catch ( e ) { } } < / script >
< / head >
< body dir = "ltr" data-md-color-scheme = "default" data-md-color-primary = "indigo" data-md-color-accent = "indigo" >
< script > var palette = _ _md _get ( "__palette" ) ; if ( palette && "object" == typeof palette . color ) for ( var key of Object . keys ( palette . color ) ) document . body . setAttribute ( "data-md-color-" + key , palette . color [ key ] ) < / script >
< input class = "md-toggle" data-md-toggle = "drawer" type = "checkbox" id = "__drawer" autocomplete = "off" >
< input class = "md-toggle" data-md-toggle = "search" type = "checkbox" id = "__search" autocomplete = "off" >
< label class = "md-overlay" for = "__drawer" > < / label >
< div data-md-component = "skip" >
< a href = "#dkim-dmarc-spf" class = "md-skip" >
Skip to content
< / a >
< / div >
< div data-md-component = "announce" >
< / div >
< div data-md-color-scheme = "default" data-md-component = "outdated" hidden >
< / div >
< header class = "md-header" data-md-component = "header" >
< nav class = "md-header__inner md-grid" aria-label = "Header" >
< a href = "../../.." title = "Docker Mailserver" class = "md-header__button md-logo" aria-label = "Docker Mailserver" data-md-component = "logo" >
< img src = "../../../assets/logo/dmo-logo-white.min.svg" alt = "logo" >
< / a >
< label class = "md-header__button md-icon" for = "__drawer" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z" / > < / svg >
< / label >
< div class = "md-header__title" data-md-component = "header-title" >
< div class = "md-header__ellipsis" >
< div class = "md-header__topic" >
< span class = "md-ellipsis" >
Docker Mailserver
< / span >
< / div >
< div class = "md-header__topic" data-md-component = "header-topic" >
< span class = "md-ellipsis" >
DKIM, DMARC & SPF
< / span >
< / div >
< / div >
< / div >
< form class = "md-header__option" data-md-component = "palette" >
< input class = "md-option" data-md-color-media = "(prefers-color-scheme: light)" data-md-color-scheme = "default" data-md-color-primary = "indigo" data-md-color-accent = "indigo" aria-label = "Switch to dark mode" type = "radio" name = "__palette" id = "__palette_1" >
< label class = "md-header__button md-icon" title = "Switch to dark mode" for = "__palette_2" hidden >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "m17.75 4.09-2.53 1.94.91 3.06-2.63-1.81-2.63 1.81.91-3.06-2.53-1.94L12.44 4l1.06-3 1.06 3 3.19.09m3.5 6.91-1.64 1.25.59 1.98-1.7-1.17-1.7 1.17.59-1.98L15.75 11l2.06-.05L18.5 9l.69 1.95 2.06.05m-2.28 4.95c.83-.08 1.72 1.1 1.19 1.85-.32.45-.66.87-1.08 1.27C15.17 23 8.84 23 4.94 19.07c-3.91-3.9-3.91-10.24 0-14.14.4-.4.82-.76 1.27-1.08.75-.53 1.93.36 1.85 1.19-.27 2.86.69 5.83 2.89 8.02a9.96 9.96 0 0 0 8.02 2.89m-1.64 2.02a12.08 12.08 0 0 1-7.8-3.47c-2.17-2.19-3.33-5-3.49-7.82-2.81 3.14-2.7 7.96.31 10.98 3.02 3.01 7.84 3.12 10.98.31Z" / > < / svg >
< / label >
< input class = "md-option" data-md-color-media = "(prefers-color-scheme: dark)" data-md-color-scheme = "slate" data-md-color-primary = "indigo" data-md-color-accent = "blue" aria-label = "Switch to light mode" type = "radio" name = "__palette" id = "__palette_2" >
< label class = "md-header__button md-icon" title = "Switch to light mode" for = "__palette_1" hidden >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M12 7a5 5 0 0 1 5 5 5 5 0 0 1-5 5 5 5 0 0 1-5-5 5 5 0 0 1 5-5m0 2a3 3 0 0 0-3 3 3 3 0 0 0 3 3 3 3 0 0 0 3-3 3 3 0 0 0-3-3m0-7 2.39 3.42C13.65 5.15 12.84 5 12 5c-.84 0-1.65.15-2.39.42L12 2M3.34 7l4.16-.35A7.2 7.2 0 0 0 5.94 8.5c-.44.74-.69 1.5-.83 2.29L3.34 7m.02 10 1.76-3.77a7.131 7.131 0 0 0 2.38 4.14L3.36 17M20.65 7l-1.77 3.79a7.023 7.023 0 0 0-2.38-4.15l4.15.36m-.01 10-4.14.36c.59-.51 1.12-1.14 1.54-1.86.42-.73.69-1.5.83-2.29L20.64 17M12 22l-2.41-3.44c.74.27 1.55.44 2.41.44.82 0 1.63-.17 2.37-.44L12 22Z" / > < / svg >
< / label >
< / form >
< label class = "md-header__button md-icon" for = "__search" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z" / > < / svg >
< / label >
< div class = "md-search" data-md-component = "search" role = "dialog" >
< label class = "md-search__overlay" for = "__search" > < / label >
< div class = "md-search__inner" role = "search" >
< form class = "md-search__form" name = "search" >
< input type = "text" class = "md-search__input" name = "query" aria-label = "Search" placeholder = "Search" autocapitalize = "off" autocorrect = "off" autocomplete = "off" spellcheck = "false" data-md-component = "search-query" required >
< label class = "md-search__icon md-icon" for = "__search" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z" / > < / svg >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z" / > < / svg >
< / label >
< nav class = "md-search__options" aria-label = "Search" >
< button type = "reset" class = "md-search__icon md-icon" title = "Clear" aria-label = "Clear" tabindex = "-1" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z" / > < / svg >
< / button >
< / nav >
< / form >
< div class = "md-search__output" >
< div class = "md-search__scrollwrap" data-md-scrollfix >
< div class = "md-search-result" data-md-component = "search-result" >
< div class = "md-search-result__meta" >
Initializing search
< / div >
< ol class = "md-search-result__list" role = "presentation" > < / ol >
< / div >
< / div >
< / div >
< / div >
< / div >
< div class = "md-header__source" >
< a href = "https://github.com/docker-mailserver/docker-mailserver" title = "Go to repository" class = "md-source" data-md-component = "source" >
< div class = "md-source__icon md-icon" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 496 512" > <!-- ! Font Awesome Free 6.3.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc. --> < path d = "M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z" / > < / svg >
< / div >
< div class = "md-source__repository" >
docker-mailserver
< / div >
< / a >
< / div >
< / nav >
< / header >
< div class = "md-container" data-md-component = "container" >
< nav class = "md-tabs" aria-label = "Tabs" data-md-component = "tabs" >
< div class = "md-grid" >
< ul class = "md-tabs__list" >
< li class = "md-tabs__item" >
< a href = "../../.." class = "md-tabs__link" >
Home
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../../introduction/" class = "md-tabs__link" >
Introduction
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../../usage/" class = "md-tabs__link" >
Usage
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../environment/" class = "md-tabs__link md-tabs__link--active" >
Configuration
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../../examples/tutorials/basic-installation/" class = "md-tabs__link" >
Examples
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../../faq/" class = "md-tabs__link" >
FAQ
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "../../../contributing/general/" class = "md-tabs__link" >
Contributing
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "https://hub.docker.com/r/mailserver/docker-mailserver/" class = "md-tabs__link" >
DockerHub
< / a >
< / li >
< li class = "md-tabs__item" >
< a href = "https://github.com/docker-mailserver/docker-mailserver/pkgs/container/docker-mailserver" class = "md-tabs__link" >
GHCR
< / a >
< / li >
< / ul >
< / div >
< / nav >
< main class = "md-main" data-md-component = "main" >
< div class = "md-main__inner md-grid" >
< div class = "md-sidebar md-sidebar--primary" data-md-component = "sidebar" data-md-type = "navigation" >
< div class = "md-sidebar__scrollwrap" >
< div class = "md-sidebar__inner" >
< nav class = "md-nav md-nav--primary md-nav--lifted" aria-label = "Navigation" data-md-level = "0" >
< label class = "md-nav__title" for = "__drawer" >
< a href = "../../.." title = "Docker Mailserver" class = "md-nav__button md-logo" aria-label = "Docker Mailserver" data-md-component = "logo" >
< img src = "../../../assets/logo/dmo-logo-white.min.svg" alt = "logo" >
< / a >
Docker Mailserver
< / label >
< div class = "md-nav__source" >
< a href = "https://github.com/docker-mailserver/docker-mailserver" title = "Go to repository" class = "md-source" data-md-component = "source" >
< div class = "md-source__icon md-icon" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 496 512" > <!-- ! Font Awesome Free 6.3.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc. --> < path d = "M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z" / > < / svg >
< / div >
< div class = "md-source__repository" >
docker-mailserver
< / div >
< / a >
< / div >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../.." class = "md-nav__link" >
Home
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../introduction/" class = "md-nav__link" >
Introduction
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../usage/" class = "md-nav__link" >
Usage
< / a >
< / li >
< li class = "md-nav__item md-nav__item--active md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle " type = "checkbox" id = "__nav_4" checked >
< label class = "md-nav__link" for = "__nav_4" id = "__nav_4_label" tabindex = "0" >
Configuration
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "1" aria-labelledby = "__nav_4_label" aria-expanded = "true" >
< label class = "md-nav__title" for = "__nav_4" >
< span class = "md-nav__icon md-icon" > < / span >
Configuration
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../environment/" class = "md-nav__link" >
Environment Variables
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../user-management/" class = "md-nav__link" >
User Management
< / a >
< / li >
< li class = "md-nav__item md-nav__item--active md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle " type = "checkbox" id = "__nav_4_3" checked >
< label class = "md-nav__link" for = "__nav_4_3" id = "__nav_4_3_label" tabindex = "0" >
Best Practices
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "2" aria-labelledby = "__nav_4_3_label" aria-expanded = "true" >
< label class = "md-nav__title" for = "__nav_4_3" >
< span class = "md-nav__icon md-icon" > < / span >
Best Practices
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item md-nav__item--active" >
< input class = "md-nav__toggle md-toggle" type = "checkbox" id = "__toc" >
< label class = "md-nav__link md-nav__link--active" for = "__toc" >
DKIM, DMARC & SPF
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< a href = "./" class = "md-nav__link md-nav__link--active" >
DKIM, DMARC & SPF
< / a >
< nav class = "md-nav md-nav--secondary" aria-label = "Table of contents" >
< label class = "md-nav__title" for = "__toc" >
< span class = "md-nav__icon md-icon" > < / span >
Table of contents
< / label >
< ul class = "md-nav__list" data-md-component = "toc" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "#dkim" class = "md-nav__link" >
DKIM
< / a >
< nav class = "md-nav" aria-label = "DKIM" >
< ul class = "md-nav__list" >
< li class = "md-nav__item" >
< a href = "#generating-keys" class = "md-nav__link" >
Generating Keys
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#dkim-dns" class = "md-nav__link" >
DNS Record
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#dkim-debug" class = "md-nav__link" >
Troubleshooting
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "#dmarc" class = "md-nav__link" >
DMARC
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#spf" class = "md-nav__link" >
SPF
< / a >
< nav class = "md-nav" aria-label = "SPF" >
< ul class = "md-nav__list" >
< li class = "md-nav__item" >
< a href = "#adding-an-spf-record" class = "md-nav__link" >
Adding an SPF Record
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#backup-mx-secondary-mx-for-policyd-spf" class = "md-nav__link" >
Backup MX & Secondary MX for policyd-spf
< / a >
< / li >
< / ul >
< / nav >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "../autodiscover/" class = "md-nav__link" >
Auto-discovery
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_4_4" >
< label class = "md-nav__link" for = "__nav_4_4" id = "__nav_4_4_label" tabindex = "0" >
Security
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "2" aria-labelledby = "__nav_4_4_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_4_4" >
< span class = "md-nav__icon md-icon" > < / span >
Security
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../security/understanding-the-ports/" class = "md-nav__link" >
Understanding the Ports
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../security/ssl/" class = "md-nav__link" >
SSL/TLS
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../security/fail2ban/" class = "md-nav__link" >
Fail2Ban
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../security/mail_crypt/" class = "md-nav__link" >
Mail Encryption
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../security/rspamd/" class = "md-nav__link" >
Rspamd
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "../../debugging/" class = "md-nav__link" >
Debugging
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../pop3/" class = "md-nav__link" >
Mail Delivery with POP3
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../setup.sh/" class = "md-nav__link" >
About setup.sh
< / a >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_4_8" >
< label class = "md-nav__link" for = "__nav_4_8" id = "__nav_4_8_label" tabindex = "0" >
Advanced Configuration
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "2" aria-labelledby = "__nav_4_8_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_4_8" >
< span class = "md-nav__icon md-icon" > < / span >
Advanced Configuration
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../advanced/optional-config/" class = "md-nav__link" >
Optional Configuration
< / a >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_4_8_2" >
< label class = "md-nav__link" for = "__nav_4_8_2" id = "__nav_4_8_2_label" tabindex = "0" >
Maintenance
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "3" aria-labelledby = "__nav_4_8_2_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_4_8_2" >
< span class = "md-nav__icon md-icon" > < / span >
Maintenance
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../advanced/maintenance/update-and-cleanup/" class = "md-nav__link" >
Update and Cleanup
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_4_8_3" >
< label class = "md-nav__link" for = "__nav_4_8_3" id = "__nav_4_8_3_label" tabindex = "0" >
Override the Default Configs
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "3" aria-labelledby = "__nav_4_8_3_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_4_8_3" >
< span class = "md-nav__icon md-icon" > < / span >
Override the Default Configs
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../advanced/override-defaults/dovecot/" class = "md-nav__link" >
Dovecot
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/override-defaults/postfix/" class = "md-nav__link" >
Postfix
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/override-defaults/user-patches/" class = "md-nav__link" >
Modifications via Script
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/auth-ldap/" class = "md-nav__link" >
LDAP Authentication
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/mail-sieve/" class = "md-nav__link" >
Email Filtering with Sieve
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/mail-fetchmail/" class = "md-nav__link" >
Email Gathering with Fetchmail
< / a >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_4_8_7" >
< label class = "md-nav__link" for = "__nav_4_8_7" id = "__nav_4_8_7_label" tabindex = "0" >
Email Forwarding
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "3" aria-labelledby = "__nav_4_8_7_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_4_8_7" >
< span class = "md-nav__icon md-icon" > < / span >
Email Forwarding
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../advanced/mail-forwarding/relay-hosts/" class = "md-nav__link" >
Relay Hosts
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/mail-forwarding/aws-ses/" class = "md-nav__link" >
AWS SES
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/full-text-search/" class = "md-nav__link" >
Full-Text Search
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/kubernetes/" class = "md-nav__link" >
Kubernetes
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/ipv6/" class = "md-nav__link" >
IPv6
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/podman/" class = "md-nav__link" >
Podman
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../advanced/dovecot-master-accounts/" class = "md-nav__link" >
Dovecot Master Accounts
< / a >
< / li >
< / ul >
< / nav >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_5" >
< label class = "md-nav__link" for = "__nav_5" id = "__nav_5_label" tabindex = "0" >
Examples
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "1" aria-labelledby = "__nav_5_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_5" >
< span class = "md-nav__icon md-icon" > < / span >
Examples
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_5_1" >
< label class = "md-nav__link" for = "__nav_5_1" id = "__nav_5_1_label" tabindex = "0" >
Tutorials
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "2" aria-labelledby = "__nav_5_1_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_5_1" >
< span class = "md-nav__icon md-icon" > < / span >
Tutorials
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../../examples/tutorials/basic-installation/" class = "md-nav__link" >
Basic Installation
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../examples/tutorials/mailserver-behind-proxy/" class = "md-nav__link" >
Mailserver behind Proxy
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../examples/tutorials/docker-build/" class = "md-nav__link" >
Building your own Docker image
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../examples/tutorials/blog-posts/" class = "md-nav__link" >
Blog Posts
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_5_2" >
< label class = "md-nav__link" for = "__nav_5_2" id = "__nav_5_2_label" tabindex = "0" >
Use Cases
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "2" aria-labelledby = "__nav_5_2_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_5_2" >
< span class = "md-nav__icon md-icon" > < / span >
Use Cases
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../../examples/use-cases/forward-only-mailserver-with-ldap-authentication/" class = "md-nav__link" >
Forward-Only Mail-Server with LDAP
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../examples/use-cases/imap-folders/" class = "md-nav__link" >
Customize IMAP Folders
< / a >
< / li >
< / ul >
< / nav >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "../../../faq/" class = "md-nav__link" >
FAQ
< / a >
< / li >
< li class = "md-nav__item md-nav__item--nested" >
< input class = "md-nav__toggle md-toggle md-toggle--indeterminate" type = "checkbox" id = "__nav_7" >
< label class = "md-nav__link" for = "__nav_7" id = "__nav_7_label" tabindex = "0" >
Contributing
< span class = "md-nav__icon md-icon" > < / span >
< / label >
< nav class = "md-nav" data-md-level = "1" aria-labelledby = "__nav_7_label" aria-expanded = "false" >
< label class = "md-nav__title" for = "__nav_7" >
< span class = "md-nav__icon md-icon" > < / span >
Contributing
< / label >
< ul class = "md-nav__list" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "../../../contributing/general/" class = "md-nav__link" >
General Information
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../contributing/tests/" class = "md-nav__link" >
Tests
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "../../../contributing/issues-and-pull-requests/" class = "md-nav__link" >
Issues and Pull Requests
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "https://hub.docker.com/r/mailserver/docker-mailserver/" class = "md-nav__link" >
DockerHub
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "https://github.com/docker-mailserver/docker-mailserver/pkgs/container/docker-mailserver" class = "md-nav__link" >
GHCR
< / a >
< / li >
< / ul >
< / nav >
< / div >
< / div >
< / div >
< div class = "md-sidebar md-sidebar--secondary" data-md-component = "sidebar" data-md-type = "toc" >
< div class = "md-sidebar__scrollwrap" >
< div class = "md-sidebar__inner" >
< nav class = "md-nav md-nav--secondary" aria-label = "Table of contents" >
< label class = "md-nav__title" for = "__toc" >
< span class = "md-nav__icon md-icon" > < / span >
Table of contents
< / label >
< ul class = "md-nav__list" data-md-component = "toc" data-md-scrollfix >
< li class = "md-nav__item" >
< a href = "#dkim" class = "md-nav__link" >
DKIM
< / a >
< nav class = "md-nav" aria-label = "DKIM" >
< ul class = "md-nav__list" >
< li class = "md-nav__item" >
< a href = "#generating-keys" class = "md-nav__link" >
Generating Keys
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#dkim-dns" class = "md-nav__link" >
DNS Record
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#dkim-debug" class = "md-nav__link" >
Troubleshooting
< / a >
< / li >
< / ul >
< / nav >
< / li >
< li class = "md-nav__item" >
< a href = "#dmarc" class = "md-nav__link" >
DMARC
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#spf" class = "md-nav__link" >
SPF
< / a >
< nav class = "md-nav" aria-label = "SPF" >
< ul class = "md-nav__list" >
< li class = "md-nav__item" >
< a href = "#adding-an-spf-record" class = "md-nav__link" >
Adding an SPF Record
< / a >
< / li >
< li class = "md-nav__item" >
< a href = "#backup-mx-secondary-mx-for-policyd-spf" class = "md-nav__link" >
Backup MX & Secondary MX for policyd-spf
< / a >
< / li >
< / ul >
< / nav >
< / li >
< / ul >
< / nav >
< / div >
< / div >
< / div >
< div class = "md-content" data-md-component = "content" >
< article class = "md-content__inner md-typeset" >
< h1 id = "dkim-dmarc-spf" > < a class = "toclink" href = "#dkim-dmarc-spf" > DKIM, DMARC & SPF< / a > < / h1 >
< p > Cloudflare has written an < a href = "https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/" > article about DKIM, DMARC and SPF< / a > that we highly recommend you to read to get acquainted with the topic.< / p >
< div class = "admonition note" >
< p class = "admonition-title" > Rspamd vs Individual validators< / p >
< p > With v12.0.0, Rspamd was integrated into DMS. It can perform validations for DKIM, DMARC and SPF as part of the < code > spam-score-calculation< / code > for an email. DMS provides individual alternatives for each validation that can be used instead of deferring to Rspamd:< / p >
< ul >
< li > DKIM: < code > opendkim< / code > is used as a milter (like Rspamd)< / li >
< li > DMARC: < code > opendmarc< / code > is used as a milter (like Rspamd)< / li >
< li > SPF: < code > policyd-spf< / code > is used in Postfix's < code > smtpd_recipient_restrictions< / code > < / li >
< / ul >
< p > In a future release Rspamd will become the default for these validations, with a deprecation notice issued prior to the removal of the above alternatives.< / p >
< p > We encourage everyone to prefer Rspamd via < code > ENABLE_RSPAMD=1< / code > .< / p >
< / div >
< div class = "admonition warning" >
< p class = "admonition-title" > DNS Caches & Propagation< / p >
< p > While modern DNS providers are quick, it may take minutes or even hours for new DNS records to become available / propagate.< / p >
< / div >
< h2 id = "dkim" > < a class = "toclink" href = "#dkim" > DKIM< / a > < / h2 >
< div class = "admonition quote" >
< p class = "admonition-title" > What is DKIM< / p >
< p > DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.< / p >
< p > < a href = "https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail" > Source< / a > < / p >
< / div >
< p > When DKIM is enabled:< / p >
< ol >
< li > Inbound mail will verify any included DKIM signatures< / li >
< li > Outbound mail is signed (< em > when you're sending domain has a configured DKIM key< / em > )< / li >
< / ol >
< p > DKIM requires a public/private key pair to enable < strong > signing (< em > via private key< / em > )< / strong > your outgoing mail, while the receiving end must query DNS to < strong > verify (< em > via public key< / em > )< / strong > that the signature is trustworthy.< / p >
< h3 id = "generating-keys" > < a class = "toclink" href = "#generating-keys" > Generating Keys< / a > < / h3 >
< p > You should have:< / p >
< ul >
< li > At least one < a href = "../../user-management/#adding-a-new-account" > email account setup< / a > < / li >
< li > Attached a < a href = "../../advanced/optional-config/" > volume for config< / a > to persist the generated files to local storage< / li >
< / ul >
< div class = "admonition warning" >
< p class = "admonition-title" > RSA Key Sizes > = 4096 Bit< / p >
< p > Keys of 4096 bits could be denied by some mail servers. According to < a href = "https://tools.ietf.org/html/rfc6376" > RFC 6376< / a > , keys are < a href = "https://github.com/docker-mailserver/docker-mailserver/issues/1854" > preferably between 512 and 2048 bits< / a > .< / p >
< / div >
< p > DKIM is currently supported by either OpenDKIM or Rspamd:< / p >
< div class = "tabbed-set tabbed-alternate" data-tabs = "1:2" > < input checked = "checked" id = "__tabbed_1_1" name = "__tabbed_1" type = "radio" / > < input id = "__tabbed_1_2" name = "__tabbed_1" type = "radio" / > < div class = "tabbed-labels" > < label for = "__tabbed_1_1" > OpenDKIM< / label > < label for = "__tabbed_1_2" > Rspamd< / label > < / div >
< div class = "tabbed-content" >
< div class = "tabbed-block" >
< p > OpenDKIM is currently < a href = "../../environment/#enable_opendkim" > enabled by default< / a > .< / p >
< p > The command < code > docker exec < CONTAINER NAME> setup config dkim help< / code > details supported config options, along with some examples.< / p >
< div class = "admonition example" >
< p class = "admonition-title" > Creating a DKIM key< / p >
< p > Generate the DKIM files with:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > docker< span class = "w" > < / span > < span class = "nb" > exec< / span > < span class = "w" > < / span > -ti< span class = "w" > < / span > < CONTAINER< span class = "w" > < / span > NAME> < span class = "w" > < / span > setup< span class = "w" > < / span > config< span class = "w" > < / span > dkim
< / code > < / pre > < / div >
< p > Your new DKIM key(s) and OpenDKIM config files have been added to < code > /tmp/docker-mailserver/opendkim/< / code > .< / p >
< / div >
< details class = "note" >
< summary > LDAP accounts need to specify domains explicitly< / summary >
< p > The command is unable to infer the domains from LDAP user accounts, you must specify them:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > setup< span class = "w" > < / span > config< span class = "w" > < / span > dkim< span class = "w" > < / span > domain< span class = "w" > < / span > < span class = "s1" > ' example.com,example.io' < / span >
< / code > < / pre > < / div >
< / details >
< details class = "tip" >
< summary > Changing the key size< / summary >
< p > The private key presently defaults to RSA-4096. To create an RSA 2048-bit key run:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > setup< span class = "w" > < / span > config< span class = "w" > < / span > dkim< span class = "w" > < / span > keysize< span class = "w" > < / span > < span class = "m" > 2048< / span >
< / code > < / pre > < / div >
< / details >
< div class = "admonition info" >
< p class = "admonition-title" > Restart required< / p >
< p > After restarting DMS, outgoing mail will now be signed with your new DKIM key(s) < img alt = "🎉" class = "twemoji" src = "https://cdnjs.cloudflare.com/ajax/libs/twemoji/14.0.2/svg/1f389.svg" title = ":tada:" / > < / p >
< p > You'll need to repeat this process if you add any new domains.< / p >
< / div >
< / div >
< div class = "tabbed-block" >
< p > Opt-in via < a href = "../../environment/#enable_rspamd" > < code > ENABLE_RSPAMD=1< / code > < / a > (< em > and disable the default OpenDKIM: < code > ENABLE_OPENDKIM=0< / code > < / em > ).< / p >
< p > Rspamd provides DKIM support through two separate modules:< / p >
< ol >
< li > < a href = "https://www.rspamd.com/doc/modules/dkim.html" > Verifying DKIM signatures from inbound mail< / a > is enabled by default.< / li >
< li > < a href = "https://www.rspamd.com/doc/modules/dkim_signing.html" > Signing outbound mail with your DKIM key< / a > needs additional setup (key + dns + config).< / li >
< / ol >
< div class = "admonition example" >
< p class = "admonition-title" > Creating DKIM Keys< / p >
< p > You can simply run< / p >
< div class = "highlight" > < pre > < span > < / span > < code > docker< span class = "w" > < / span > < span class = "nb" > exec< / span > < span class = "w" > < / span > -ti< span class = "w" > < / span > < CONTAINER< span class = "w" > < / span > NAME> < span class = "w" > < / span > setup< span class = "w" > < / span > config< span class = "w" > < / span > dkim< span class = "w" > < / span > < span class = "nb" > help< / span >
< / code > < / pre > < / div >
< p > which provides you with an overview of what the script can do. Just running< / p >
< div class = "highlight" > < pre > < span > < / span > < code > docker< span class = "w" > < / span > < span class = "nb" > exec< / span > < span class = "w" > < / span > -ti< span class = "w" > < / span > < CONTAINER< span class = "w" > < / span > NAME> < span class = "w" > < / span > setup< span class = "w" > < / span > config< span class = "w" > < / span > dkim
< / code > < / pre > < / div >
< p > will execute the helper script with default parameters.< / p >
< / div >
< div class = "admonition info" >
< p class = "admonition-title" > About the Helper Script< / p >
< p > The script will persist the keys in < code > /tmp/docker-mailserver/rspamd/dkim/< / code > . Hence, if you are already using the default volume mounts, the keys are persisted in a volume. The script also restarts Rspamd directly, so changes take effect without restarting DMS.< / p >
< p > The script provides you with log messages along the way of creating keys. In case you want to read the complete log, use < code > -v< / code > (verbose) or < code > -vv< / code > (very verbose).< / p >
< hr / >
< p > In case you have not already provided a default DKIM signing configuration, the script will create one and write it to < code > /etc/rspamd/override.d/dkim_signing.conf< / code > . If this file already exist, it will not be overwritten. When you're already using < a href = "../../security/rspamd/#manually" > the < code > rspamd/override.d/< / code > directory< / a > , the file is created inside your volume and therefore persisted correctly. If you are not using < code > rspamd/override.d/< / code > , you will need to persist the file yourself (otherwise it is lost on container restart).< / p >
< p > An example of what a default configuration file for DKIM signing looks like can be found by expanding the example below.< / p >
< / div >
< details class = "example" >
< summary > DKIM Signing Module Configuration Examples< / summary >
< p > A simple configuration could look like this:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > < span class = "c1" > # documentation: https://rspamd.com/doc/modules/dkim_signing.html< / span >
< span class = "na" > enabled< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > true< / span > < span class = "c1" > ;< / span >
< span class = "na" > sign_authenticated< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > true< / span > < span class = "c1" > ;< / span >
< span class = "na" > sign_local< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > true< / span > < span class = "c1" > ;< / span >
< span class = "na" > use_domain< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " header" < / span > < span class = "c1" > ;< / span >
< span class = "na" > use_redis< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > false< / span > < span class = "c1" > ; # don' t change unless Redis also provides the DKIM keys< / span >
< span class = "na" > use_esld< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > true< / span > < span class = "c1" > ;< / span >
< span class = "na" > check_pubkey< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > true< / span > < span class = "c1" > ; # you wan' t to use this in the beginning< / span >
< span class = "na" > domain {< / span >
< span class = "w" > < / span > < span class = "na" > example.com {< / span >
< span class = "w" > < / span > < span class = "na" > path< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " /tmp/docker-mailserver/rspamd/dkim/mail.private" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > selector< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " mail" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > }< / span >
< span class = "na" > }< / span >
< / code > < / pre > < / div >
< p > As shown next:< / p >
< ul >
< li > You can add more domains into the < code > domain { ... }< / code > section.< / li >
< li > A domain can also be configured with multiple selectors and keys within a < code > selectors [ ... ]< / code > array.< / li >
< / ul >
< div class = "highlight" > < pre > < span > < / span > < code > < span class = "c1" > # ...< / span >
< span class = "na" > domain {< / span >
< span class = "w" > < / span > < span class = "na" > example.com {< / span >
< span class = "w" > < / span > < span class = "na" > selectors [< / span >
< span class = "w" > < / span > < span class = "na" > {< / span >
< span class = "w" > < / span > < span class = "na" > path< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " /tmp/docker-mailserver/rspamd/dkim/example.com/rsa.private" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > selector< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " dkim-rsa" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > },< / span >
< span class = "w" > < / span > < span class = "na" > {< / span >
< span class = "w" > < / span > < span class = "na" > path< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > /tmp/docker-mailserver/rspamd/example.com/ed25519.private" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > selector< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " dkim-ed25519" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > }< / span >
< span class = "w" > < / span > < span class = "na" > ]< / span >
< span class = "w" > < / span > < span class = "na" > }< / span >
< span class = "w" > < / span > < span class = "na" > example.org {< / span >
< span class = "w" > < / span > < span class = "na" > selectors [< / span >
< span class = "w" > < / span > < span class = "na" > {< / span >
< span class = "w" > < / span > < span class = "na" > path< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " /tmp/docker-mailserver/rspamd/dkim/example.org/rsa.private" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > selector< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " dkim-rsa" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > },< / span >
< span class = "w" > < / span > < span class = "na" > {< / span >
< span class = "w" > < / span > < span class = "na" > path< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " /tmp/docker-mailserver/rspamd/dkim/example.org/ed25519.private" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > selector< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > " dkim-ed25519" < / span > < span class = "c1" > ;< / span >
< span class = "w" > < / span > < span class = "na" > }< / span >
< span class = "w" > < / span > < span class = "na" > ]< / span >
< span class = "w" > < / span > < span class = "na" > }< / span >
< span class = "na" > }< / span >
< / code > < / pre > < / div >
< / details >
< details class = "warning" >
< summary > Support for DKIM Keys using ED25519< / summary >
< p > This modern elliptic curve is supported by Rspamd, but support by third-parties for < a href = "https://serverfault.com/questions/1023674/is-ed25519-well-supported-for-the-dkim-validation/1074545#1074545" > verifying Ed25519 DKIM signatures is unreliable< / a > .< / p >
< p > If you sign your mail with this key type, you should include RSA as a fallback, like shown in the above example.< / p >
< / details >
< details class = "tip" >
< summary > Let Rspamd Check Your Keys< / summary >
< p > When < code > check_pubkey = true;< / code > is set, Rspamd will query the DNS record for each DKIM selector, verifying each public key matches the private key configured.< / p >
< p > If there is a mismatch, a warning will be omitted to the Rspamd log < code > /var/log/supervisor/rspamd.log< / code > .< / p >
< / details >
< / div >
< / div >
< / div >
< h3 id = "dkim-dns" > < a class = "toclink" href = "#dkim-dns" > DNS Record< / a > < / h3 >
< p > When mail signed with your DKIM key is sent from your mail server, the receiver needs to check a DNS < code > TXT< / code > record to verify the DKIM signature is trustworthy.< / p >
< div class = "admonition example" >
< p class = "admonition-title" > Configuring DNS - DKIM record< / p >
< p > When you generated your key in the previous step, the DNS data was saved into a file < code > < selector> .txt< / code > (default: < code > mail.txt< / code > ). Use this content to update your < a href = "https://www.vultr.com/docs/introduction-to-vultr-dns/" > DNS via Web Interface< / a > or directly edit your < a href = "https://en.wikipedia.org/wiki/Zone_file" > DNS Zone file< / a > :< / p >
< div class = "tabbed-set tabbed-alternate" data-tabs = "2:2" > < input checked = "checked" id = "__tabbed_2_1" name = "__tabbed_2" type = "radio" / > < input id = "__tabbed_2_2" name = "__tabbed_2" type = "radio" / > < div class = "tabbed-labels" > < label for = "__tabbed_2_1" > Web Interface< / label > < label for = "__tabbed_2_2" > DNS Zone file< / label > < / div >
< div class = "tabbed-content" >
< div class = "tabbed-block" >
< p > Create a new record:< / p >
< table >
< thead >
< tr >
< th > Field< / th >
< th > Value< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > Type< / td >
< td > < code > TXT< / code > < / td >
< / tr >
< tr >
< td > Name< / td >
< td > < code > < selector> ._domainkey< / code > (< em > default: < code > mail._domainkey< / code > < / em > )< / td >
< / tr >
< tr >
< td > TTL< / td >
< td > Use the default (< em > otherwise < a href = "https://www.digicert.com/faq/dns/what-is-ttl" > 3600 seconds is appropriate< / a > < / em > )< / td >
< / tr >
< tr >
< td > Data< / td >
< td > File content within < code > ( ... )< / code > (< em > formatted as advised below< / em > )< / td >
< / tr >
< / tbody >
< / table >
< p > When using Rspamd, the helper script has already provided you with the contents (the "Data" field) of the DNS record you need to create - you can just copy-paste this text.< / p >
< / div >
< div class = "tabbed-block" >
< p > < code > < selector> .txt< / code > is already formatted as a snippet for adding to your < a href = "https://en.wikipedia.org/wiki/Zone_file" > DNS Zone file< / a > .< / p >
< p > Just copy/paste the file contents into your existing DNS zone. The < code > TXT< / code > value has been split into separate strings every 255 characters for compatibility.< / p >
< / div >
< / div >
< / div >
< / div >
< details class = "info" >
< summary > < code > < selector> .txt< / code > - Formatting the < code > TXT< / code > record value correctly< / summary >
< p > This file was generated for use within a < a href = "https://en.wikipedia.org/wiki/Zone_file" > DNS zone file< / a > . DNS < code > TXT< / code > records values that are longer than 255 characters need to be split into multiple parts. This is why the public key has multiple parts wrapped within double-quotes between < code > (< / code > and < code > )< / code > .< / p >
< p > A DNS web-interface may handle this internally instead, while < a href = "https://serverfault.com/questions/763815/route-53-doesnt-allow-adding-dkim-keys-because-length-is-too-long" > others may not, but expect the input as a single line< / a > _). You'll need to manually format the value as described below.< / p >
< p > Your DNS record file (eg: < code > mail.txt< / code > ) should look similar to this:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > mail._domainkey IN TXT ( " v=DKIM1; k=rsa; "
" p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ"
" 5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB"
) ;
< / code > < / pre > < / div >
< p > Take the content between < code > ( ... )< / code > , and combine all the quote wrapped content and remove the double-quotes including the white-space between them. That is your < code > TXT< / code > record value, the above example would become this:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB
< / code > < / pre > < / div >
< p > To test that your new DKIM record is correct, query it with the < code > dig< / code > command. The < code > TXT< / code > value response should be a single line split into multiple parts wrapped in double-quotes:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > < span class = "gp" > $ < / span > dig< span class = "w" > < / span > +short< span class = "w" > < / span > TXT< span class = "w" > < / span > dkim-rsa._domainkey.example.com
< span class = "go" > " v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39" " KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB" < / span >
< / code > < / pre > < / div >
< / details >
< h3 id = "dkim-debug" > < a class = "toclink" href = "#dkim-debug" > Troubleshooting< / a > < / h3 >
< p > < a href = "https://mxtoolbox.com/dkim.aspx" > MxToolbox has a DKIM Verifier< / a > that you can use to check your DKIM DNS record(s).< / p >
< p > When using Rspamd, we recommend you turn on < code > check_pubkey = true;< / code > in < code > dkim_signing.conf< / code > . Rspamd will then check whether your private key matches your public key, and you can check possible mismatches by looking at < code > /var/log/supervisor/rspamd.log< / code > .< / p >
< h2 id = "dmarc" > < a class = "toclink" href = "#dmarc" > DMARC< / a > < / h2 >
< p > With DMS, DMARC is pre-configured out of the box. You may disable extra and excessive DMARC checks when using Rspamd via < code > ENABLE_OPENDMARC=0< / code > .< / p >
< p > The only thing you need to do in order to enable DMARC on a "DNS-level" is to add new < code > TXT< / code > . In contrast to < a href = "#dkim" > DKIM< / a > , DMARC DNS entries do not require any keys, but merely setting the < a href = "https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags" > configuration values< / a > . You can either handcraft the entry by yourself or use one of available generators (like < a href = "https://dmarcguide.globalcyberalliance.org" > this one< / a > ).< / p >
< p > Typically something like this should be good to start with:< / p >
2023-11-04 21:06:13 +00:00
< div class = "highlight" > < pre > < span > < / span > < code > _dmarc.example.com. IN TXT " v=DMARC1; p=none; sp=none; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com"
2023-05-10 08:37:26 +00:00
< / code > < / pre > < / div >
< p > Or a bit more strict policies (< em > mind < code > p=quarantine< / code > and < code > sp=quarantine< / code > < / em > ):< / p >
< div class = "highlight" > < pre > < span > < / span > < code > _dmarc.example.com. IN TXT " v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com"
< / code > < / pre > < / div >
< p > The DMARC status may not be displayed instantly due to delays in DNS (caches). Dmarcian has < a href = "https://dmarcian.com/dmarc-tools/" > a few tools< / a > you can use to verify your DNS records.< / p >
< h2 id = "spf" > < a class = "toclink" href = "#spf" > SPF< / a > < / h2 >
< div class = "admonition quote" >
< p class = "admonition-title" > What is SPF< / p >
< p > Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.< / p >
< p > < a href = "https://en.wikipedia.org/wiki/Sender_Policy_Framework" > Source< / a > < / p >
< / div >
< div class = "admonition note" >
< p class = "admonition-title" > Disabling < code > policyd-spf< / code > ?< / p >
< p > As of now, < code > policyd-spf< / code > cannot be disabled. This is WIP.< / p >
< / div >
< h3 id = "adding-an-spf-record" > < a class = "toclink" href = "#adding-an-spf-record" > Adding an SPF Record< / a > < / h3 >
< p > To add a SPF record in your DNS, insert the following line in your DNS zone:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > example.com. IN TXT " v=spf1 mx ~all"
< / code > < / pre > < / div >
< p > This enables the < em > Softfail< / em > mode for SPF. You could first add this SPF record with a very low TTL. < em > SoftFail< / em > is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.< / p >
< p > After verification, you < em > might< / em > want to change your SPF record to < code > v=spf1 mx -all< / code > so as to enforce the < em > HardFail< / em > policy. See < a href = "http://www.open-spf.org/SPF_Record_Syntax" > http://www.open-spf.org/SPF_Record_Syntax< / a > for more details about SPF policies.< / p >
< p > In any case, increment the SPF record's TTL to its final value.< / p >
< h3 id = "backup-mx-secondary-mx-for-policyd-spf" > < a class = "toclink" href = "#backup-mx-secondary-mx-for-policyd-spf" > Backup MX & Secondary MX for < code > policyd-spf< / code > < / a > < / h3 >
< p > For whitelisting an IP Address from the SPF test, you can create a config file (see < a href = "https://www.linuxcertif.com/man/5/policyd-spf.conf" > < code > policyd-spf.conf< / code > < / a > ) and mount that file into < code > /etc/postfix-policyd-spf-python/policyd-spf.conf< / code > .< / p >
< p > < strong > Example:< / strong > Create and edit a < code > policyd-spf.conf< / code > file at < code > docker-data/dms/config/postfix-policyd-spf.conf< / code > :< / p >
< div class = "highlight" > < pre > < span > < / span > < code > < span class = "na" > debugLevel< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > 1< / span >
< span class = "c1" > #0(only errors)-4(complete data received)< / span >
< span class = "na" > skip_addresses< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > 127.0.0.0/8,::ffff:127.0.0.0/104,::1< / span >
< span class = "c1" > # Preferably use IP-Addresses for whitelist lookups:< / span >
< span class = "na" > Whitelist< / span > < span class = "w" > < / span > < span class = "o" > =< / span > < span class = "w" > < / span > < span class = "s" > 192.168.0.0/31,192.168.1.0/30< / span >
< span class = "c1" > # Domain_Whitelist = mx1.not-example.com,mx2.not-example.com< / span >
< / code > < / pre > < / div >
< p > Then add this line to < code > docker-compose.yml< / code > :< / p >
< div class = "highlight" > < pre > < span > < / span > < code > < span class = "nt" > volumes< / span > < span class = "p" > :< / span >
< span class = "w" > < / span > < span class = "p p-Indicator" > -< / span > < span class = "w" > < / span > < span class = "l l-Scalar l-Scalar-Plain" > ./docker-data/dms/config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf< / span >
< / code > < / pre > < / div >
< / article >
< / div >
< / div >
< button type = "button" class = "md-top md-icon" data-md-component = "top" hidden >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z" / > < / svg >
Back to top
< / button >
< / main >
< footer class = "md-footer" >
< div class = "md-footer-meta md-typeset" >
< div class = "md-footer-meta__inner md-grid" >
< div class = "md-copyright" >
< div class = "md-copyright__highlight" >
< p > & copy < a href = "https://github.com/docker-mailserver" > < em > Docker Mailserver Organization< / em > < / a > < br / > < span > This project is licensed under the MIT license.< / span > < / p >
< / div >
Made with
< a href = "https://squidfunk.github.io/mkdocs-material/" target = "_blank" rel = "noopener" >
Material for MkDocs
< / a >
< / div >
< / div >
< / div >
< / footer >
< / div >
< div class = "md-dialog" data-md-component = "dialog" >
< div class = "md-dialog__inner md-typeset" > < / div >
< / div >
< script id = "__config" type = "application/json" > { "base" : "../../.." , "features" : [ "navigation.tabs" , "navigation.top" , "navigation.expand" , "navigation.instant" , "content.code.annotate" ] , "search" : "../../../assets/javascripts/workers/search.208ed371.min.js" , "translations" : { "clipboard.copied" : "Copied to clipboard" , "clipboard.copy" : "Copy to clipboard" , "search.result.more.one" : "1 more on this page" , "search.result.more.other" : "# more on this page" , "search.result.none" : "No matching documents" , "search.result.one" : "1 matching document" , "search.result.other" : "# matching documents" , "search.result.placeholder" : "Type to start searching" , "search.result.term.missing" : "Missing" , "select.version" : "Select version" } , "version" : { "provider" : "mike" } } < / script >
< script src = "../../../assets/javascripts/bundle.407015b8.min.js" > < / script >
< / body >
< / html >
