This commit is contained in:
github-actions[bot] 2023-04-10 10:09:23 +00:00
parent ca9a5baf5f
commit 0eeb91b632
44 changed files with 490 additions and 4618 deletions

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -510,36 +510,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -517,36 +517,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>
@ -1503,12 +1475,12 @@
<h1>Optional Configuration</h1>
<p>This is a list of all configuration files and directories which are optional or automatically generated in your <code>docker-data/dms/config/</code> directory.</p>
<p>This is a list of all configuration files and directories which are optional or automatically generated in your <code>docker-data/dms/config/</code> directory. We use this path to reference the local config directory in our docs, which you should attach a volume into the container at <code>/tmp/docker-mailserver</code>.</p>
<h2 id="directories"><a class="toclink" href="#directories">Directories</a></h2>
<ul>
<li><strong>sieve-filter:</strong> directory for sieve filter scripts. (Docs: <a href="../mail-sieve/">Sieve</a>)</li>
<li><strong>sieve-pipe:</strong> directory for sieve pipe scripts. (Docs: <a href="../mail-sieve/">Sieve</a>)</li>
<li><strong>opendkim:</strong> DKIM directory. Auto-configurable via <a href="../../setup.sh/"><code>setup.sh config dkim</code></a>. (Docs: <a href="../../best-practices/dkim/">DKIM</a>)</li>
<li><strong>opendkim:</strong> DKIM directory. Auto-configurable via <a href="../../setup.sh/"><code>setup.sh config dkim</code></a>. (Docs: <a href="../../best-practices/dkim_dmarc_spf/#dkim">DKIM</a>)</li>
<li><strong>ssl:</strong> SSL Certificate directory if <code>SSL_TYPE</code> is set to <code>self-signed</code> or <code>custom</code>. (Docs: <a href="../../security/ssl/">SSL</a>)</li>
</ul>
<h2 id="files"><a class="toclink" href="#files">Files</a></h2>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -510,36 +510,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -510,36 +510,8 @@
<li class="md-nav__item">
<a href="../../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -15,7 +15,7 @@
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/autodiscover/">
<link rel="prev" href="../spf/">
<link rel="prev" href="../dkim_dmarc_spf/">
<link rel="next" href="../../security/understanding-the-ports/">
@ -78,6 +78,11 @@
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#auto-discovery-of-services" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
@ -512,36 +517,8 @@
<li class="md-nav__item">
<a href="../dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../spf/" class="md-nav__link">
SPF
<a href="../dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>
@ -561,6 +538,8 @@
<a href="./" class="md-nav__link md-nav__link--active">
Auto-discovery
</a>
@ -1422,6 +1401,8 @@
</nav>
</div>
</div>
@ -1438,8 +1419,7 @@
<h1>Auto-discovery</h1>
<h1 id="auto-discovery-of-services"><a class="toclink" href="#auto-discovery-of-services">Auto-Discovery of Services</a></h1>
<p>Email auto-discovery means a client email is able to automagically find out about what ports and security options to use, based on the mail-server URI. It can help simplify the tedious / confusing task of adding own's email account for non-tech savvy users.</p>
<p>Email clients will search for auto-discoverable settings and prefill almost everything when a user enters its email address <img alt="❤" class="twemoji" src="https://cdnjs.cloudflare.com/ajax/libs/twemoji/14.0.2/svg/2764.svg" title=":heart:" /></p>
<p>There exists <a href="https://hub.docker.com/r/monogramm/autodiscover-email-settings/">autodiscover-email-settings</a> on which provides IMAP/POP/SMTP/LDAP autodiscover capabilities on Microsoft Outlook/Apple Mail, autoconfig capabilities for Thunderbird or kmail and configuration profiles for iOS/Apple Mail.</p>

File diff suppressed because it is too large Load diff

View file

@ -12,10 +12,10 @@
<meta name="author" content="docker-mailserver (Github Organization)">
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/spf/">
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim_dmarc_spf/">
<link rel="prev" href="../dmarc/">
<link rel="prev" href="../../user-management/">
<link rel="next" href="../autodiscover/">
@ -25,7 +25,7 @@
<title>Best Practices | SPF - Docker Mailserver</title>
<title>DKIM, DMARC & SPF - Docker Mailserver</title>
@ -79,7 +79,7 @@
<div data-md-component="skip">
<a href="#add-a-spf-record" class="md-skip">
<a href="#dkim-dmarc-spf" class="md-skip">
Skip to content
</a>
@ -115,7 +115,7 @@
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Best Practices | SPF
DKIM, DMARC & SPF
</span>
</div>
@ -344,8 +344,6 @@
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
@ -516,34 +514,6 @@
<li class="md-nav__item">
<a href="../dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item md-nav__item--active">
@ -552,13 +522,15 @@
<label class="md-nav__link md-nav__link--active" for="__toc">
SPF
DKIM, DMARC & SPF
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
SPF
DKIM, DMARC & SPF
</a>
@ -568,6 +540,8 @@
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
@ -575,17 +549,71 @@
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#add-a-spf-record" class="md-nav__link">
Add a SPF Record
<a href="#dkim" class="md-nav__link">
DKIM
</a>
<nav class="md-nav" aria-label="DKIM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-keys" class="md-nav__link">
Generating Keys
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-dns" class="md-nav__link">
DNS Record
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-debug" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#dmarc" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx" class="md-nav__link">
Backup MX, Secondary MX
<a href="#spf" class="md-nav__link">
SPF
</a>
<nav class="md-nav" aria-label="SPF">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#adding-an-spf-record" class="md-nav__link">
Adding an SPF Record
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx-for-policyd-spf" class="md-nav__link">
Backup MX &amp; Secondary MX for policyd-spf
</a>
</li>
</ul>
</nav>
</li>
</ul>
@ -1451,9 +1479,7 @@
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" hidden>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
@ -1463,6 +1489,8 @@
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
@ -1470,17 +1498,71 @@
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#add-a-spf-record" class="md-nav__link">
Add a SPF Record
<a href="#dkim" class="md-nav__link">
DKIM
</a>
<nav class="md-nav" aria-label="DKIM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-keys" class="md-nav__link">
Generating Keys
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-dns" class="md-nav__link">
DNS Record
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-debug" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#dmarc" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx" class="md-nav__link">
Backup MX, Secondary MX
<a href="#spf" class="md-nav__link">
SPF
</a>
<nav class="md-nav" aria-label="SPF">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#adding-an-spf-record" class="md-nav__link">
Adding an SPF Record
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx-for-policyd-spf" class="md-nav__link">
Backup MX &amp; Secondary MX for policyd-spf
</a>
</li>
</ul>
</nav>
</li>
</ul>
@ -1501,33 +1583,271 @@
<h1>SPF</h1>
<p>From <a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">Wikipedia</a>:</p>
<h1 id="dkim-dmarc-spf"><a class="toclink" href="#dkim-dmarc-spf">DKIM, DMARC &amp; SPF</a></h1>
<p>Cloudflare has written an <a href="https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/">article about DKIM, DMARC and SPF</a> that we highly recommend you to read to get acquainted with the topic.</p>
<div class="admonition note">
<p class="admonition-title">Rspamd vs Individual validators</p>
<p>With v12.0.0, Rspamd was integrated into DMS. It can perform validations for DKIM, DMARC and SPF as part of the <code>spam-score-calculation</code> for an email. DMS provides individual alternatives for each validation that can be used instead of deferring to Rspamd:</p>
<ul>
<li>DKIM: <code>opendkim</code> is used as a milter (like Rspamd)</li>
<li>DMARC: <code>opendmarc</code> is used as a milter (like Rspamd)</li>
<li>SPF: <code>policyd-spf</code> is used in Postfix's <code>smtpd_recipient_restrictions</code></li>
</ul>
<p>In a future release Rspamd will become the default for these validations, with a deprecation notice issued prior to the removal of the above alternatives.</p>
<p>We encourage everyone to prefer Rspamd via <code>ENABLE_RSPAMD=1</code>.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">DNS Caches &amp; Propagation</p>
<p>While modern DNS providers are quick, it may take minutes or even hours for new DNS records to become available / propagate.</p>
</div>
<h2 id="dkim"><a class="toclink" href="#dkim">DKIM</a></h2>
<div class="admonition quote">
<p class="admonition-title">Quote</p>
<p>Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.</p>
<p class="admonition-title">What is DKIM</p>
<p>DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.</p>
<p><a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">Source</a></p>
</div>
<p>When DKIM is enabled:</p>
<ol>
<li>Inbound mail will verify any included DKIM signatures</li>
<li>Outbound mail is signed (<em>when you're sending domain has a configured DKIM key</em>)</li>
</ol>
<p>DKIM requires a public/private key pair to enable <strong>signing (<em>via private key</em>)</strong> your outgoing mail, while the receiving end must query DNS to <strong>verify (<em>via public key</em>)</strong> that the signature is trustworthy.</p>
<h3 id="generating-keys"><a class="toclink" href="#generating-keys">Generating Keys</a></h3>
<p>You should have:</p>
<ul>
<li>At least one <a href="../../user-management/#adding-a-new-account">email account setup</a></li>
<li>Attached a <a href="../../advanced/optional-config/">volume for config</a> to persist the generated files to local storage</li>
</ul>
<p>DKIM is currently supported by either OpenDKIM or Rspamd:</p>
<div class="tabbed-set tabbed-alternate" data-tabs="1:2"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">OpenDKIM</label><label for="__tabbed_1_2">Rspamd</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>OpenDKIM is currently <a href="../../environment/#enable_opendkim">enabled by default</a>.</p>
<p>The command <code>docker exec &lt;CONTAINER NAME&gt; setup config dkim help</code> details supported config options, along with some examples.</p>
<div class="admonition example">
<p class="admonition-title">Create a DKIM key</p>
<p>Generate the DKIM files with:</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span>config<span class="w"> </span>dkim
</code></pre></div>
<p>Your new DKIM key(s) and OpenDKIM config files have been added to <code>/tmp/docker-mailserver/opendkim/</code>.</p>
</div>
<details class="note">
<summary>LDAP accounts need to specify domains explicitly</summary>
<p>The command is unable to infer the domains from LDAP user accounts, you must specify them:</p>
<div class="highlight"><pre><span></span><code>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span>domain<span class="w"> </span><span class="s1">&#39;example.com,example.io&#39;</span>
</code></pre></div>
</details>
<details class="tip">
<summary>Changing the key size</summary>
<p>The private key presently defaults to RSA-4096. To create an RSA 2048-bit key run:</p>
<div class="highlight"><pre><span></span><code>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span>keysize<span class="w"> </span><span class="m">2048</span>
</code></pre></div>
</details>
</div>
<div class="tabbed-block">
<p>Opt-in via <a href="../../environment/#enable_rspamd"><code>ENABLE_RSPAMD=1</code></a> (<em>and disable the default OpenDKIM: <code>ENABLE_OPENDKIM=0</code></em>).</p>
<p>Rspamd provides DKIM support through two separate modules:</p>
<ol>
<li><a href="https://www.rspamd.com/doc/modules/dkim.html">Verifying DKIM signatures from inbound mail</a> is enabled by default.</li>
<li><a href="https://www.rspamd.com/doc/modules/dkim_signing.html">Signing outbound mail with your DKIM key</a> needs additional setup (key + dns + config).</li>
</ol>
<div class="admonition example">
<p class="admonition-title">Create a DKIM key</p>
<p>Presently only OpenDKIM is supported with <code>setup config dkim</code>. To generate your DKIM key and DNS files you'll need to specify:</p>
<ul>
<li><code>-s</code> The DKIM selector (<em>eg: <code>mail</code>, it can be anything you like</em>)</li>
<li><code>-d</code> The sender address domain (<em>everything after <code>@</code> from the email address</em>)</li>
</ul>
<p>See <code>rspamadm dkim_keygen -h</code> for an overview of the supported options.</p>
<hr />
<ol>
<li>Go inside the container with <code>docker exec -ti &lt;CONTAINER NAME&gt; bash</code></li>
<li>Add <code>rspamd/dkim/</code> folder to your config volume and switch to it: <code>cd /tmp/docker-mailserver/rspamd/dkim</code></li>
<li>Run: <code>rspamadm dkim_keygen -s mail -b 2048 -d example.com -k mail.private &gt; mail.txt</code> (<em>change <code>-d</code> to your domain-part</em>)</li>
<li>Presently you must ensure Rspamd can read the <code>&lt;selector&gt;.private</code> file, run:
-<code>chgrp _rspamd mail.private</code>
-<code>chmod g+r mail.private</code></li>
</ol>
</div>
<hr />
<div class="admonition bug inline end">
<p class="admonition-title">DMS config volume support is not ready for Rspamd</p>
<p>Presently you'll need to <a href="../../security/rspamd/#manually">explicitly mount <code>rspamd/modules/override.d/</code></a> as an additional volume; do not use <a href="../../security/rspamd/#with-the-help-of-a-custom-file"><code>rspamd-modules.conf</code></a> for this purpose.</p>
</div>
<p>Create a configuration file for the DKIM signing module at <code>rspamd/modules/override.d/dkim_signing.conf</code> and populate it with config as shown in the example below:</p>
<details class="example">
<summary>DKIM Signing Module Configuration Examples</summary>
<p>A simple configuration could look like this:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># documentation: https://rspamd.com/doc/modules/dkim_signing.html</span>
<span class="na">enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_authenticated</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">use_domain</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;header&quot;</span><span class="c1">;</span>
<span class="na">use_redis</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">false</span><span class="c1">; # don&#39;t change unless Redis also provides the DKIM keys</span>
<span class="na">use_esld</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">check_pubkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">; # you wan&#39;t to use this in the beginning</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/mail.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;mail&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
<p>As shown next, you can:</p>
<ul>
<li>You can add more domains into the <code>domain { ... }</code> section.</li>
<li>A domain can also be configured with multiple selectors and keys within a <code>selectors [ ... ]</code> array.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># ...</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">selectors [</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/example.com/rsa.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-rsa&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">},</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/tmp/docker-mailserver/rspamd/example.com/ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">]</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">example.org {</span>
<span class="w"> </span><span class="na">selectors [</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/example.org/rsa.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-rsa&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">},</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/example.org/ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">]</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
<div class="admonition warning">
<p class="admonition-title">Support for DKIM keys using Ed25519</p>
<p>This modern elliptic curve is supported by Rspamd, but support by third-parties for <a href="https://serverfault.com/questions/1023674/is-ed25519-well-supported-for-the-dkim-validation/1074545#1074545">verifying Ed25519 DKIM signatures is unreliable</a>.</p>
<p>If you sign your mail with this key type, you should include RSA as a fallback, like shown in the above example.</p>
</div>
<div class="admonition tip">
<p class="admonition-title">DKIM Signing config: <code>check_pubkey = true;</code></p>
<p>This setting will have Rspamd query the DNS record for each DKIM selector, verifying each public key matches the private key configured.</p>
<p>If there is a mismatch, a warning will be omitted to the Rspamd log (<code>/var/log/supervisor/rspamd.log</code>).</p>
</div>
</details>
</div>
</div>
</div>
<div class="admonition info">
<p class="admonition-title">Restart required</p>
<p>After restarting <code>docker-mailserver</code>, outgoing mail will now be signed with your new DKIM key(s) <img alt="🎉" class="twemoji" src="https://cdnjs.cloudflare.com/ajax/libs/twemoji/14.0.2/svg/1f389.svg" title=":tada:" /></p>
<p>You'll need to repeat this process if you add any new domains.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">RSA Key Sizes &gt;= 4096 Bit</p>
<p>Keys of 4096 bits could denied by some mail servers. According to <a href="https://tools.ietf.org/html/rfc6376">RFC 6376</a> keys are <a href="https://github.com/docker-mailserver/docker-mailserver/issues/1854">preferably between 512 and 2048 bits</a>.</p>
</div>
<h3 id="dkim-dns"><a class="toclink" href="#dkim-dns">DNS Record</a></h3>
<p>When mail signed with your DKIM key is sent from your mail server, the receiver needs to check a DNS <code>TXT</code> record to verify the DKIM signature is trustworthy.</p>
<div class="admonition example">
<p class="admonition-title">Configuring DNS - DKIM record</p>
<p>When you generated your key in the previous step, the DNS data was saved into a file <code>&lt;selector&gt;.txt</code> (default: <code>mail.txt</code>). Use this content to update your <a href="https://www.vultr.com/docs/introduction-to-vultr-dns/">DNS via Web Interface</a> or directly edit your <a href="https://en.wikipedia.org/wiki/Zone_file">DNS Zone file</a>:</p>
<div class="tabbed-set tabbed-alternate" data-tabs="2:2"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">Web Interface</label><label for="__tabbed_2_2">DNS Zone file</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>Create a new record:</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>Type</td>
<td><code>TXT</code></td>
</tr>
<tr>
<td>Name</td>
<td><code>&lt;selector&gt;._domainkey</code> (<em>default: <code>mail._domainkey</code></em>)</td>
</tr>
<tr>
<td>TTL</td>
<td>Use the default (<em>otherwise <a href="https://www.digicert.com/faq/dns/what-is-ttl">3600 seconds is appropriate</a></em>)</td>
</tr>
<tr>
<td>Data</td>
<td>File content within <code>( ... )</code> (<em>formatted as advised below</em>)</td>
</tr>
</tbody>
</table>
</div>
<div class="tabbed-block">
<p><code>&lt;selector&gt;.txt</code> is already formatted as a snippet for adding to your <a href="https://en.wikipedia.org/wiki/Zone_file">DNS Zone file</a>.</p>
<p>Just copy/paste the file contents into your existing DNS zone. The <code>TXT</code> value has been split into separate strings every 255 characters for compatibility.</p>
</div>
</div>
</div>
</div>
<details class="info">
<summary><code>&lt;selector&gt;.txt</code> - Formatting the <code>TXT</code> record value correctly</summary>
<p>This file was generated for use within a <a href="https://en.wikipedia.org/wiki/Zone_file">DNS zone file</a>. DNS <code>TXT</code> records values that are longer than 255 characters need to be split into multiple parts. This is why the public key has multiple parts wrapped within double-quotes between <code>(</code> and <code>)</code>.</p>
<p>A DNS web-interface may handle this internally instead, while <a href="https://serverfault.com/questions/763815/route-53-doesnt-allow-adding-dkim-keys-because-length-is-too-long">others may not, but expect the input as a single line</a>_). You'll need to manually format the value as described below.</p>
<p>Your DNS record file (eg: <code>mail.txt</code>) should look similar to this:</p>
<div class="highlight"><pre><span></span><code>mail._domainkey IN TXT ( &quot;v=DKIM1; k=rsa; &quot;
&quot;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ&quot;
&quot;5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB&quot;
) ;
</code></pre></div>
<p>Take the content between <code>( ... )</code>, and combine all the quote wrapped content and remove the double-quotes including the white-space between them. That is your <code>TXT</code> record value, the above example would become this:</p>
<div class="highlight"><pre><span></span><code>v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB
</code></pre></div>
<p>To test that your new DKIM record is correct, query it with the <code>dig</code> command. The <code>TXT</code> value response should be a single line split into multiple parts wrapped in double-quotes:</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>dig<span class="w"> </span>+short<span class="w"> </span>TXT<span class="w"> </span>dkim-rsa._domainkey.example.com
<span class="go">&quot;v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39&quot; &quot;KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB&quot;</span>
</code></pre></div>
</details>
<h3 id="dkim-debug"><a class="toclink" href="#dkim-debug">Troubleshooting</a></h3>
<p><a href="https://mxtoolbox.com/dkim.aspx">MxToolbox has a DKIM Verifier</a> that you can use to check your DKIM DNS record(s).</p>
<p>When using Rspamd, we recommend you turn on <code>check_pubkey = true;</code> in <code>dkim_signing.conf</code>. Rspamd will then check whether your private key matches your public key, and you can check possible mismatches by looking at <code>/var/log/supervisor/rspamd.log</code>.</p>
<h2 id="dmarc"><a class="toclink" href="#dmarc">DMARC</a></h2>
<p>With DMS, DMARC is pre-configured out of the box. You may disable extra and excessive DMARC checks when using Rspamd via <code>ENABLE_OPENDMARC=0</code>.</p>
<p>The only thing you need to do in order to enable DMARC on a "DNS-level" is to add new <code>TXT</code>. In contrast to <a href="#dkim">DKIM</a>, DMARC DNS entries do not require any keys, but merely setting the <a href="https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags">configuration values</a>. You can either handcraft the entry by yourself or use one of available generators (like <a href="https://dmarcguide.globalcyberalliance.org">this one</a>).</p>
<p>Typically something like this should be good to start with:</p>
<div class="highlight"><pre><span></span><code>_dmarc.example.com. IN TXT &quot;v=DMARC1; p=none; sp=none; fo=0; adkim=4; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com&quot;
</code></pre></div>
<p>Or a bit more strict policies (<em>mind <code>p=quarantine</code> and <code>sp=quarantine</code></em>):</p>
<div class="highlight"><pre><span></span><code>_dmarc.example.com. IN TXT &quot;v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com&quot;
</code></pre></div>
<p>The DMARC status may not be displayed instantly due to delays in DNS (caches). Dmarcian has <a href="https://dmarcian.com/dmarc-tools/">a few tools</a> you can use to verify your DNS records.</p>
<h2 id="spf"><a class="toclink" href="#spf">SPF</a></h2>
<div class="admonition quote">
<p class="admonition-title">What is SPF</p>
<p>Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.</p>
<p><a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">Source</a></p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>For a more technical review: <a href="https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md">https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md</a></p>
<p class="admonition-title">Disabling <code>policyd-spf</code>?</p>
<p>As of now, <code>policyd-spf</code> cannot be disabled. This is WIP.</p>
</div>
<h2 id="add-a-spf-record"><a class="toclink" href="#add-a-spf-record">Add a SPF Record</a></h2>
<h3 id="adding-an-spf-record"><a class="toclink" href="#adding-an-spf-record">Adding an SPF Record</a></h3>
<p>To add a SPF record in your DNS, insert the following line in your DNS zone:</p>
<div class="highlight"><pre><span></span><code>; MX record must be declared for SPF to work
example.com. IN MX 1 mail.example.com.
; SPF record
example.com. IN TXT &quot;v=spf1 mx ~all&quot;
<div class="highlight"><pre><span></span><code>example.com. IN TXT &quot;v=spf1 mx ~all&quot;
</code></pre></div>
<p>This enables the <em>Softfail</em> mode for SPF. You could first add this SPF record with a very low TTL.</p>
<p><em>SoftFail</em> is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.</p>
<p>This enables the <em>Softfail</em> mode for SPF. You could first add this SPF record with a very low TTL. <em>SoftFail</em> is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.</p>
<p>After verification, you <em>might</em> want to change your SPF record to <code>v=spf1 mx -all</code> so as to enforce the <em>HardFail</em> policy. See <a href="http://www.open-spf.org/SPF_Record_Syntax">http://www.open-spf.org/SPF_Record_Syntax</a> for more details about SPF policies.</p>
<p>In any case, increment the SPF record's TTL to its final value.</p>
<h2 id="backup-mx-secondary-mx"><a class="toclink" href="#backup-mx-secondary-mx">Backup MX, Secondary MX</a></h2>
<h3 id="backup-mx-secondary-mx-for-policyd-spf"><a class="toclink" href="#backup-mx-secondary-mx-for-policyd-spf">Backup MX &amp; Secondary MX for <code>policyd-spf</code></a></h3>
<p>For whitelisting an IP Address from the SPF test, you can create a config file (see <a href="https://www.linuxcertif.com/man/5/policyd-spf.conf"><code>policyd-spf.conf</code></a>) and mount that file into <code>/etc/postfix-policyd-spf-python/policyd-spf.conf</code>.</p>
<p><strong>Example:</strong></p>
<p>Create and edit a <code>policyd-spf.conf</code> file at <code>docker-data/dms/config/postfix-policyd-spf.conf</code>:</p>
<p><strong>Example:</strong> Create and edit a <code>policyd-spf.conf</code> file at <code>docker-data/dms/config/postfix-policyd-spf.conf</code>:</p>
<div class="highlight"><pre><span></span><code><span class="na">debugLevel</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">1</span>
<span class="c1">#0(only errors)-4(complete data received)</span>
@ -1547,8 +1867,6 @@ example.com. IN TXT &quot;v=spf1 mx ~all&quot;
</article>
</div>

File diff suppressed because it is too large Load diff

View file

@ -517,36 +517,8 @@
<li class="md-nav__item">
<a href="../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/spf/" class="md-nav__link">
SPF
<a href="../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -1492,36 +1492,8 @@
<li class="md-nav__item">
<a href="../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/spf/" class="md-nav__link">
SPF
<a href="../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -512,36 +512,8 @@
<li class="md-nav__item">
<a href="../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/spf/" class="md-nav__link">
SPF
<a href="../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -517,36 +517,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>
@ -1795,7 +1767,7 @@
<p>Note that when also <a href="#with-the-help-of-a-custom-file">using the <code>rspamd-commands</code> file</a>, files in <code>override.d</code> may be overwritten in case you adjust them manually and with the help of the file.</p>
</div>
<h3 id="with-the-help-of-a-custom-file"><a class="toclink" href="#with-the-help-of-a-custom-file">With the Help of a Custom File</a></h3>
<p>DMS provides the ability to do simple adjustments to Rspamd modules with the help of a single file. Just place a file called <code>rspamd-modules.conf</code> into the directory <code>docker-data/dms/config/</code> (which translates to <code>/tmp/docker-mailserver/</code> in the container). If this file is present, DMS will evaluate it. The structure is <em>very</em> simple. Each line in the file looks like this:</p>
<p>DMS provides the ability to do simple adjustments to Rspamd modules with the help of a single file. Just place a file called <code>rspamd-modules.conf</code> into the <a href="../../advanced/optional-config/">local config directory <code>docker-data/dms/config/</code></a>. If this file is present, DMS will evaluate it. The structure is <em>very</em> simple. Each line in the file looks like this:</p>
<div class="highlight"><pre><span></span><code>COMMAND ARGUMENT1 ARGUMENT2 ARGUMENT3
</code></pre></div>
<p>where <code>COMMAND</code> can be:</p>
@ -1838,76 +1810,7 @@
<li>But the chartable module gets on your nerves? Just disable it by adding another line: <code>disable-module chartable</code>.</li>
</ol>
<h3 id="dkim-signing"><a class="toclink" href="#dkim-signing">DKIM Signing</a></h3>
<p>By default, DMS offers no option to generate and configure signing e-mails with DKIM. This is because the parsing would be difficult. But don't worry: the process is relatively straightforward nevertheless. The <a href="https://rspamd.com/doc/modules/dkim_signing.html">official Rspamd documentation for the DKIM signing module</a> is pretty good. Basically, you need to</p>
<ol>
<li><code>exec</code> into the container</li>
<li>Run a command similar to <code>rspamadm dkim_keygen -s 'woosh' -b 2048 -d example.com -k example.private &gt; example.txt</code>, adjusted to your needs</li>
<li>Make sure to then persists the files <code>example.private</code> and <code>example.txt</code> (created in step 2) in the container (for example with a Docker bind mount)</li>
<li>Create a configuration for the DKIM signing module, i.e. a file called <code>dkim_signing.conf</code> that you mount to <code>/etc/rspamd/local.d/</code> or <code>/etc/rspamd/override.d/</code>. We provide example configurations down below. We recommend mounting this file into the container as well (as described <a href="#manually">here</a>); do not use <a href="#with-the-help-of-a-custom-file"><code>rspamd-modules.conf</code></a> for this purpose.</li>
</ol>
<details class="example">
<summary>DKIM Signing Module Configuration Examples</summary>
<p>A simple configuration could look like this:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># documentation: https://rspamd.com/doc/modules/dkim_signing.html</span>
<span class="na">enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_authenticated</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">use_domain</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;header&quot;</span><span class="c1">;</span>
<span class="na">use_redis</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">false</span><span class="c1">; # don&#39;t change unless Redis also provides the DKIM keys</span>
<span class="na">use_esld</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">check_pubkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/path/to/example.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;woosh&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
<p>If you have multiple domains and you want to sign with the modern ED25519 elliptic curve but also with RSA (you will likely want to have RSA as a fallback!):</p>
<div class="highlight"><pre><span></span><code><span class="c1"># documentation: https://rspamd.com/doc/modules/dkim_signing.html</span>
<span class="na">enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_authenticated</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">use_domain</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;header&quot;</span><span class="c1">;</span>
<span class="na">use_redis</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">false</span><span class="c1">; # don&#39;t change unless Redis also provides the DKIM keys</span>
<span class="na">use_esld</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">check_pubkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">selectors [</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/path/to/com.example.rsa.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-rsa&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">},</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/path/to/com.example.ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">]</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">example.org {</span>
<span class="w"> </span><span class="na">selectors [</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/path/to/org.example.rsa.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-rsa&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">},</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/path/to/org.example.ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">]</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
</details>
<p>There is a dedicated <a href="../../best-practices/dkim_dmarc_spf/#dkim">section for setting up DKIM with Rspamd in our documentation</a>.</p>
<h3 id="abusix-integration"><a class="toclink" href="#abusix-integration"><em>Abusix</em> Integration</a></h3>
<p>This subsection gives information about the integration of <a href="https://abusix.com/">Abusix</a>, "a set of blocklists that work as an additional email security layer for your existing mail environment". The setup is straight-forward and well documented:</p>
<ol>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../best-practices/spf/" class="md-nav__link">
SPF
<a href="../../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -512,36 +512,8 @@
<li class="md-nav__item">
<a href="../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/spf/" class="md-nav__link">
SPF
<a href="../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -18,7 +18,7 @@
<link rel="prev" href="../environment/">
<link rel="next" href="../best-practices/dkim/">
<link rel="next" href="../best-practices/dkim_dmarc_spf/">
<link rel="icon" href="../../assets/logo/favicon-32x32.png">
<meta name="generator" content="mkdocs-1.4.2, mkdocs-material-9.1.5">
@ -630,36 +630,8 @@
<li class="md-nav__item">
<a href="../best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../best-practices/spf/" class="md-nav__link">
SPF
<a href="../best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -513,36 +513,8 @@
<li class="md-nav__item">
<a href="../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>
@ -1645,7 +1617,7 @@ ufw<span class="w"> </span>allow<span class="w"> </span><span class="m">465</spa
</details>
</li>
<li>
<p>Configure your DNS service to use an MX record for the <em>hostname</em> (eg: <code>mail</code>) you configured in the previous step and add the <a href="../../../config/best-practices/spf/">SPF</a> TXT record.</p>
<p>Configure your DNS service to use an MX record for the <em>hostname</em> (eg: <code>mail</code>) you configured in the previous step and add the <a href="../../../config/best-practices/dkim_dmarc_spf/#spf">SPF</a> TXT record.</p>
<div class="admonition tip">
<p class="admonition-title">If you manually manage the DNS zone file for the domain</p>
<p>It would look something like this:</p>
@ -1663,7 +1635,7 @@ mail IN A 10.11.12.13
</div>
</li>
<li>
<p><a href="../../../config/best-practices/dkim/">Generate DKIM keys</a> for your domain via <code>setup config dkim</code>.</p>
<p><a href="../../../config/best-practices/dkim_dmarc_spf/#dkim">Generate DKIM keys</a> for your domain via <code>setup config dkim</code>.</p>
<p>Copy the content of the file <code>docker-data/dms/config/opendkim/keys/example.com/mail.txt</code> and add it to your DNS records as a TXT like SPF was handled above.</p>
<p>I use <a href="https://github.com/docker-scripts/bind9">bind9</a> for managing my domains, so I just paste it on <code>example.com.db</code>:</p>
<div class="highlight"><pre><span></span><code>mail._domainkey IN TXT ( &quot;v=DKIM1; h=sha256; k=rsa; &quot;

View file

@ -510,36 +510,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -517,36 +517,8 @@
<li class="md-nav__item">
<a href="../../../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../../../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -515,36 +515,8 @@
<li class="md-nav__item">
<a href="../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -595,36 +595,8 @@
<li class="md-nav__item">
<a href="config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="config/best-practices/spf/" class="md-nav__link">
SPF
<a href="config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

View file

@ -638,36 +638,8 @@
<li class="md-nav__item">
<a href="../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>

File diff suppressed because one or more lines are too long

View file

@ -126,17 +126,7 @@
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim/</loc>
<lastmod>2023-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dmarc/</loc>
<lastmod>2023-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/spf/</loc>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim_dmarc_spf/</loc>
<lastmod>2023-04-10</lastmod>
<changefreq>daily</changefreq>
</url>

View file

@ -534,15 +534,8 @@
</li>
<li class="md-nav__item">
<a href="#dkim-keys" class="md-nav__link">
DKIM Keys
</a>
</li>
<li class="md-nav__item">
<a href="#advanced-dns-setup" class="md-nav__link">
Advanced DNS Setup
<a href="#advanced-dns-setup-dkim-dmarc-spf" class="md-nav__link">
Advanced DNS Setup - DKIM, DMARC &amp; SPF
</a>
</li>
@ -668,36 +661,8 @@
<li class="md-nav__item">
<a href="../config/best-practices/dkim/" class="md-nav__link">
DKIM
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/dmarc/" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="../config/best-practices/spf/" class="md-nav__link">
SPF
<a href="../config/best-practices/dkim_dmarc_spf/" class="md-nav__link">
DKIM, DMARC & SPF
</a>
</li>
@ -1665,15 +1630,8 @@
</li>
<li class="md-nav__item">
<a href="#dkim-keys" class="md-nav__link">
DKIM Keys
</a>
</li>
<li class="md-nav__item">
<a href="#advanced-dns-setup" class="md-nav__link">
Advanced DNS Setup
<a href="#advanced-dns-setup-dkim-dmarc-spf" class="md-nav__link">
Advanced DNS Setup - DKIM, DMARC &amp; SPF
</a>
</li>
@ -1842,29 +1800,8 @@ wget<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</s
<p>You should add at least one <a href="../config/user-management/#aliases">alias</a>, the <a href="../config/environment/#postmaster_address"><em>postmaster alias</em></a>. This is a common convention, but not strictly required.</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span><span class="nb">alias</span><span class="w"> </span>add<span class="w"> </span>postmaster@example.com<span class="w"> </span>user@example.com
</code></pre></div>
<h3 id="dkim-keys"><a class="toclink" href="#dkim-keys">DKIM Keys</a></h3>
<p>You can (<em>and you should</em>) generate DKIM keys. For more information:</p>
<ul>
<li>DKIM <a href="../config/best-practices/dkim/#enabling-dkim-signature">with OpenDKIM</a> (<em>enabled by default</em>)</li>
<li>DKIM <a href="../config/security/rspamd/#dkim-signing">with Rspamd</a> (<em>when using <code>ENABLE_RSPAMD=1</code></em>)</li>
</ul>
<p>When keys are generated, you can configure your DNS server by just pasting the content of <code>config/opendkim/keys/domain.tld/mail.txt</code> to <a href="https://mxtoolbox.com/dmarc/dkim/setup/how-to-setup-dkim">set up DKIM</a>. See the <a href="../config/best-practices/dkim/#configuration-using-a-web-interface">documentation</a> for more details.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In case you're using LDAP, the setup looks a bit different as you do not add user accounts directly. Postfix doesn't know your domain(s) and you need to provide it when configuring DKIM:</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span>domain<span class="w"> </span><span class="s1">&#39;&lt;domain.tld&gt;[,&lt;domain2.tld&gt;]&#39;</span>
</code></pre></div>
</div>
<h3 id="advanced-dns-setup"><a class="toclink" href="#advanced-dns-setup">Advanced DNS Setup</a></h3>
<p>You will very likely want to configure your DNS with these TXT records: <a href="https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/">SPF, DKIM, and DMARC</a>.</p>
<p>The following illustrates what a (rather strict) set of records could look like:</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>dig<span class="w"> </span>@1.1.1.1<span class="w"> </span>+short<span class="w"> </span>TXT<span class="w"> </span>example.com
<span class="go">&quot;v=spf1 mx -all&quot;</span>
<span class="gp">$ </span>dig<span class="w"> </span>@1.1.1.1<span class="w"> </span>+short<span class="w"> </span>TXT<span class="w"> </span>dkim-rsa._domainkey.example.com
<span class="go">&quot;v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ...&quot;</span>
<span class="gp">$ </span>dig<span class="w"> </span>@1.1.1.1<span class="w"> </span>+short<span class="w"> </span>TXT<span class="w"> </span>_dmarc.example.com
<span class="go">&quot;v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; fo=1&quot;</span>
</code></pre></div>
<h3 id="advanced-dns-setup-dkim-dmarc-spf"><a class="toclink" href="#advanced-dns-setup-dkim-dmarc-spf">Advanced DNS Setup - DKIM, DMARC &amp; SPF</a></h3>
<p>You will very likely want to configure your DNS with these TXT records: <a href="https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/">SPF, DKIM, and DMARC</a>. We also ship a <a href="../config/best-practices/dkim_dmarc_spf/">dedicated page in our documentation</a> about the setup of DKIM, DMARC &amp; SPF.</p>
<h3 id="custom-user-changes-patches"><a class="toclink" href="#custom-user-changes-patches">Custom User Changes &amp; Patches</a></h3>
<p>If you'd like to change, patch or alter files or behavior of <code>docker-mailserver</code>, you can use a script. See <a href="../faq/#how-to-adjust-settings-with-the-user-patchessh-script">this part of our documentation</a> for a detailed explanation.</p>
<h2 id="testing"><a class="toclink" href="#testing">Testing</a></h2>