docker-mailserver/edge/config/best-practices/dkim_dmarc_spf/index.html
github-actions[bot] af3e2d5a12 deploy: 7af7546d88
2023-05-23 15:25:42 +00:00

1935 lines
64 KiB
HTML

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="A fullstack but simple mail-server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) using Docker.">
<meta name="author" content="docker-mailserver (Github Organization)">
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim_dmarc_spf/">
<link rel="prev" href="../../user-management/">
<link rel="next" href="../autodiscover/">
<link rel="icon" href="../../../assets/logo/favicon-32x32.png">
<meta name="generator" content="mkdocs-1.4.2, mkdocs-material-9.1.5">
<title>DKIM, DMARC & SPF - Docker Mailserver</title>
<link rel="stylesheet" href="../../../assets/stylesheets/main.7a7fce14.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/palette.a0c5b2b5.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../../assets/css/customizations.css">
<script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#dkim-dmarc-spf" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="Docker Mailserver" class="md-header__button md-logo" aria-label="Docker Mailserver" data-md-component="logo">
<img src="../../../assets/logo/dmo-logo-white.min.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Docker Mailserver
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
DKIM, DMARC & SPF
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_2" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m17.75 4.09-2.53 1.94.91 3.06-2.63-1.81-2.63 1.81.91-3.06-2.53-1.94L12.44 4l1.06-3 1.06 3 3.19.09m3.5 6.91-1.64 1.25.59 1.98-1.7-1.17-1.7 1.17.59-1.98L15.75 11l2.06-.05L18.5 9l.69 1.95 2.06.05m-2.28 4.95c.83-.08 1.72 1.1 1.19 1.85-.32.45-.66.87-1.08 1.27C15.17 23 8.84 23 4.94 19.07c-3.91-3.9-3.91-10.24 0-14.14.4-.4.82-.76 1.27-1.08.75-.53 1.93.36 1.85 1.19-.27 2.86.69 5.83 2.89 8.02a9.96 9.96 0 0 0 8.02 2.89m-1.64 2.02a12.08 12.08 0 0 1-7.8-3.47c-2.17-2.19-3.33-5-3.49-7.82-2.81 3.14-2.7 7.96.31 10.98 3.02 3.01 7.84 3.12 10.98.31Z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="blue" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_2">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 7a5 5 0 0 1 5 5 5 5 0 0 1-5 5 5 5 0 0 1-5-5 5 5 0 0 1 5-5m0 2a3 3 0 0 0-3 3 3 3 0 0 0 3 3 3 3 0 0 0 3-3 3 3 0 0 0-3-3m0-7 2.39 3.42C13.65 5.15 12.84 5 12 5c-.84 0-1.65.15-2.39.42L12 2M3.34 7l4.16-.35A7.2 7.2 0 0 0 5.94 8.5c-.44.74-.69 1.5-.83 2.29L3.34 7m.02 10 1.76-3.77a7.131 7.131 0 0 0 2.38 4.14L3.36 17M20.65 7l-1.77 3.79a7.023 7.023 0 0 0-2.38-4.15l4.15.36m-.01 10-4.14.36c.59-.51 1.12-1.14 1.54-1.86.42-.73.69-1.5.83-2.29L20.64 17M12 22l-2.41-3.44c.74.27 1.55.44 2.41.44.82 0 1.63-.17 2.37-.44L12 22Z"/></svg>
</label>
</form>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/docker-mailserver/docker-mailserver" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.3.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
docker-mailserver
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../../../introduction/" class="md-tabs__link">
Introduction
</a>
</li>
<li class="md-tabs__item">
<a href="../../../usage/" class="md-tabs__link">
Usage
</a>
</li>
<li class="md-tabs__item">
<a href="../../environment/" class="md-tabs__link md-tabs__link--active">
Configuration
</a>
</li>
<li class="md-tabs__item">
<a href="../../../examples/tutorials/basic-installation/" class="md-tabs__link">
Examples
</a>
</li>
<li class="md-tabs__item">
<a href="../../../faq/" class="md-tabs__link">
FAQ
</a>
</li>
<li class="md-tabs__item">
<a href="../../../contributing/general/" class="md-tabs__link">
Contributing
</a>
</li>
<li class="md-tabs__item">
<a href="https://hub.docker.com/r/mailserver/docker-mailserver/" class="md-tabs__link">
DockerHub
</a>
</li>
<li class="md-tabs__item">
<a href="https://github.com/docker-mailserver/docker-mailserver/pkgs/container/docker-mailserver" class="md-tabs__link">
GHCR
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="Docker Mailserver" class="md-nav__button md-logo" aria-label="Docker Mailserver" data-md-component="logo">
<img src="../../../assets/logo/dmo-logo-white.min.svg" alt="logo">
</a>
Docker Mailserver
</label>
<div class="md-nav__source">
<a href="https://github.com/docker-mailserver/docker-mailserver" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.3.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
docker-mailserver
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
Home
</a>
</li>
<li class="md-nav__item">
<a href="../../../introduction/" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../../usage/" class="md-nav__link">
Usage
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../environment/" class="md-nav__link">
Environment Variables
</a>
</li>
<li class="md-nav__item">
<a href="../../user-management/" class="md-nav__link">
User Management
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" checked>
<label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="0">
Best Practices
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4_3">
<span class="md-nav__icon md-icon"></span>
Best Practices
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
DKIM, DMARC & SPF
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
DKIM, DMARC & SPF
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#dkim" class="md-nav__link">
DKIM
</a>
<nav class="md-nav" aria-label="DKIM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-keys" class="md-nav__link">
Generating Keys
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-dns" class="md-nav__link">
DNS Record
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-debug" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#dmarc" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="#spf" class="md-nav__link">
SPF
</a>
<nav class="md-nav" aria-label="SPF">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#adding-an-spf-record" class="md-nav__link">
Adding an SPF Record
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx-for-policyd-spf" class="md-nav__link">
Backup MX &amp; Secondary MX for policyd-spf
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../autodiscover/" class="md-nav__link">
Auto-discovery
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_4" >
<label class="md-nav__link" for="__nav_4_4" id="__nav_4_4_label" tabindex="0">
Security
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4">
<span class="md-nav__icon md-icon"></span>
Security
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../security/understanding-the-ports/" class="md-nav__link">
Understanding the Ports
</a>
</li>
<li class="md-nav__item">
<a href="../../security/ssl/" class="md-nav__link">
SSL/TLS
</a>
</li>
<li class="md-nav__item">
<a href="../../security/fail2ban/" class="md-nav__link">
Fail2Ban
</a>
</li>
<li class="md-nav__item">
<a href="../../security/mail_crypt/" class="md-nav__link">
Mail Encryption
</a>
</li>
<li class="md-nav__item">
<a href="../../security/rspamd/" class="md-nav__link">
Rspamd
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../debugging/" class="md-nav__link">
Debugging
</a>
</li>
<li class="md-nav__item">
<a href="../../pop3/" class="md-nav__link">
Mail Delivery with POP3
</a>
</li>
<li class="md-nav__item">
<a href="../../setup.sh/" class="md-nav__link">
About setup.sh
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8" >
<label class="md-nav__link" for="__nav_4_8" id="__nav_4_8_label" tabindex="0">
Advanced Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8">
<span class="md-nav__icon md-icon"></span>
Advanced Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/optional-config/" class="md-nav__link">
Optional Configuration
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8_2" >
<label class="md-nav__link" for="__nav_4_8_2" id="__nav_4_8_2_label" tabindex="0">
Maintenance
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_8_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8_2">
<span class="md-nav__icon md-icon"></span>
Maintenance
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/maintenance/update-and-cleanup/" class="md-nav__link">
Update and Cleanup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8_3" >
<label class="md-nav__link" for="__nav_4_8_3" id="__nav_4_8_3_label" tabindex="0">
Override the Default Configs
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_8_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8_3">
<span class="md-nav__icon md-icon"></span>
Override the Default Configs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/override-defaults/dovecot/" class="md-nav__link">
Dovecot
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/override-defaults/postfix/" class="md-nav__link">
Postfix
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/override-defaults/user-patches/" class="md-nav__link">
Modifications via Script
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../advanced/auth-ldap/" class="md-nav__link">
LDAP Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/mail-sieve/" class="md-nav__link">
Email Filtering with Sieve
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/mail-fetchmail/" class="md-nav__link">
Email Gathering with Fetchmail
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/mail-getmail/" class="md-nav__link">
Email Gathering with Getmail
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8_8" >
<label class="md-nav__link" for="__nav_4_8_8" id="__nav_4_8_8_label" tabindex="0">
Email Forwarding
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_8_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8_8">
<span class="md-nav__icon md-icon"></span>
Email Forwarding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/mail-forwarding/relay-hosts/" class="md-nav__link">
Relay Hosts
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/mail-forwarding/aws-ses/" class="md-nav__link">
AWS SES
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../advanced/full-text-search/" class="md-nav__link">
Full-Text Search
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/kubernetes/" class="md-nav__link">
Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/ipv6/" class="md-nav__link">
IPv6
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/podman/" class="md-nav__link">
Podman
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/dovecot-master-accounts/" class="md-nav__link">
Dovecot Master Accounts
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
Examples
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5_1" >
<label class="md-nav__link" for="__nav_5_1" id="__nav_5_1_label" tabindex="0">
Tutorials
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_5_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5_1">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../examples/tutorials/basic-installation/" class="md-nav__link">
Basic Installation
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/tutorials/mailserver-behind-proxy/" class="md-nav__link">
Mailserver behind Proxy
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/tutorials/docker-build/" class="md-nav__link">
Building your own Docker image
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/tutorials/blog-posts/" class="md-nav__link">
Blog Posts
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5_2" >
<label class="md-nav__link" for="__nav_5_2" id="__nav_5_2_label" tabindex="0">
Use Cases
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_5_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5_2">
<span class="md-nav__icon md-icon"></span>
Use Cases
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../examples/use-cases/forward-only-mailserver-with-ldap-authentication/" class="md-nav__link">
Forward-Only Mail-Server with LDAP
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/use-cases/imap-folders/" class="md-nav__link">
Customize IMAP Folders
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../../faq/" class="md-nav__link">
FAQ
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
Contributing
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../contributing/general/" class="md-nav__link">
General Information
</a>
</li>
<li class="md-nav__item">
<a href="../../../contributing/tests/" class="md-nav__link">
Tests
</a>
</li>
<li class="md-nav__item">
<a href="../../../contributing/issues-and-pull-requests/" class="md-nav__link">
Issues and Pull Requests
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="https://hub.docker.com/r/mailserver/docker-mailserver/" class="md-nav__link">
DockerHub
</a>
</li>
<li class="md-nav__item">
<a href="https://github.com/docker-mailserver/docker-mailserver/pkgs/container/docker-mailserver" class="md-nav__link">
GHCR
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#dkim" class="md-nav__link">
DKIM
</a>
<nav class="md-nav" aria-label="DKIM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-keys" class="md-nav__link">
Generating Keys
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-dns" class="md-nav__link">
DNS Record
</a>
</li>
<li class="md-nav__item">
<a href="#dkim-debug" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#dmarc" class="md-nav__link">
DMARC
</a>
</li>
<li class="md-nav__item">
<a href="#spf" class="md-nav__link">
SPF
</a>
<nav class="md-nav" aria-label="SPF">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#adding-an-spf-record" class="md-nav__link">
Adding an SPF Record
</a>
</li>
<li class="md-nav__item">
<a href="#backup-mx-secondary-mx-for-policyd-spf" class="md-nav__link">
Backup MX &amp; Secondary MX for policyd-spf
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/docker-mailserver/docker-mailserver/edit/master/docs/content/config/best-practices/dkim_dmarc_spf.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4v-2m10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1 2.1 2.1Z"/></svg>
</a>
<a href="https://github.com/docker-mailserver/docker-mailserver/raw/master/docs/content/config/best-practices/dkim_dmarc_spf.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.15 8.15 0 0 1-1.23-2Z"/></svg>
</a>
<h1 id="dkim-dmarc-spf"><a class="toclink" href="#dkim-dmarc-spf">DKIM, DMARC &amp; SPF</a></h1>
<p>Cloudflare has written an <a href="https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/">article about DKIM, DMARC and SPF</a> that we highly recommend you to read to get acquainted with the topic.</p>
<div class="admonition note">
<p class="admonition-title">Rspamd vs Individual validators</p>
<p>With v12.0.0, Rspamd was integrated into DMS. It can perform validations for DKIM, DMARC and SPF as part of the <code>spam-score-calculation</code> for an email. DMS provides individual alternatives for each validation that can be used instead of deferring to Rspamd:</p>
<ul>
<li>DKIM: <code>opendkim</code> is used as a milter (like Rspamd)</li>
<li>DMARC: <code>opendmarc</code> is used as a milter (like Rspamd)</li>
<li>SPF: <code>policyd-spf</code> is used in Postfix's <code>smtpd_recipient_restrictions</code></li>
</ul>
<p>In a future release Rspamd will become the default for these validations, with a deprecation notice issued prior to the removal of the above alternatives.</p>
<p>We encourage everyone to prefer Rspamd via <code>ENABLE_RSPAMD=1</code>.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">DNS Caches &amp; Propagation</p>
<p>While modern DNS providers are quick, it may take minutes or even hours for new DNS records to become available / propagate.</p>
</div>
<h2 id="dkim"><a class="toclink" href="#dkim">DKIM</a></h2>
<div class="admonition quote">
<p class="admonition-title">What is DKIM</p>
<p>DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.</p>
<p><a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">Source</a></p>
</div>
<p>When DKIM is enabled:</p>
<ol>
<li>Inbound mail will verify any included DKIM signatures</li>
<li>Outbound mail is signed (<em>when you're sending domain has a configured DKIM key</em>)</li>
</ol>
<p>DKIM requires a public/private key pair to enable <strong>signing (<em>via private key</em>)</strong> your outgoing mail, while the receiving end must query DNS to <strong>verify (<em>via public key</em>)</strong> that the signature is trustworthy.</p>
<h3 id="generating-keys"><a class="toclink" href="#generating-keys">Generating Keys</a></h3>
<p>You should have:</p>
<ul>
<li>At least one <a href="../../user-management/#adding-a-new-account">email account setup</a></li>
<li>Attached a <a href="../../advanced/optional-config/">volume for config</a> to persist the generated files to local storage</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">RSA Key Sizes &gt;= 4096 Bit</p>
<p>Keys of 4096 bits could be denied by some mail servers. According to <a href="https://tools.ietf.org/html/rfc6376">RFC 6376</a>, keys are <a href="https://github.com/docker-mailserver/docker-mailserver/issues/1854">preferably between 512 and 2048 bits</a>.</p>
</div>
<p>DKIM is currently supported by either OpenDKIM or Rspamd:</p>
<div class="tabbed-set tabbed-alternate" data-tabs="1:2"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">OpenDKIM</label><label for="__tabbed_1_2">Rspamd</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>OpenDKIM is currently <a href="../../environment/#enable_opendkim">enabled by default</a>.</p>
<p>The command <code>docker exec &lt;CONTAINER NAME&gt; setup config dkim help</code> details supported config options, along with some examples.</p>
<div class="admonition example">
<p class="admonition-title">Creating a DKIM key</p>
<p>Generate the DKIM files with:</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span>config<span class="w"> </span>dkim
</code></pre></div>
<p>Your new DKIM key(s) and OpenDKIM config files have been added to <code>/tmp/docker-mailserver/opendkim/</code>.</p>
</div>
<details class="note">
<summary>LDAP accounts need to specify domains explicitly</summary>
<p>The command is unable to infer the domains from LDAP user accounts, you must specify them:</p>
<div class="highlight"><pre><span></span><code>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span>domain<span class="w"> </span><span class="s1">&#39;example.com,example.io&#39;</span>
</code></pre></div>
</details>
<details class="tip">
<summary>Changing the key size</summary>
<p>The private key presently defaults to RSA-4096. To create an RSA 2048-bit key run:</p>
<div class="highlight"><pre><span></span><code>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span>keysize<span class="w"> </span><span class="m">2048</span>
</code></pre></div>
</details>
<div class="admonition info">
<p class="admonition-title">Restart required</p>
<p>After restarting DMS, outgoing mail will now be signed with your new DKIM key(s) <img alt="🎉" class="twemoji" src="https://cdnjs.cloudflare.com/ajax/libs/twemoji/14.0.2/svg/1f389.svg" title=":tada:" /></p>
<p>You'll need to repeat this process if you add any new domains.</p>
</div>
</div>
<div class="tabbed-block">
<p>Opt-in via <a href="../../environment/#enable_rspamd"><code>ENABLE_RSPAMD=1</code></a> (<em>and disable the default OpenDKIM: <code>ENABLE_OPENDKIM=0</code></em>).</p>
<p>Rspamd provides DKIM support through two separate modules:</p>
<ol>
<li><a href="https://www.rspamd.com/doc/modules/dkim.html">Verifying DKIM signatures from inbound mail</a> is enabled by default.</li>
<li><a href="https://www.rspamd.com/doc/modules/dkim_signing.html">Signing outbound mail with your DKIM key</a> needs additional setup (key + dns + config).</li>
</ol>
<div class="admonition example">
<p class="admonition-title">Creating DKIM Keys</p>
<p>You can simply run</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span>config<span class="w"> </span>dkim<span class="w"> </span><span class="nb">help</span>
</code></pre></div>
<p>which provides you with an overview of what the script can do. Just running</p>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-ti<span class="w"> </span>&lt;CONTAINER<span class="w"> </span>NAME&gt;<span class="w"> </span>setup<span class="w"> </span>config<span class="w"> </span>dkim
</code></pre></div>
<p>will execute the helper script with default parameters.</p>
</div>
<details class="warning">
<summary>Using Multiple Domains</summary>
<p>Unlike the current script for OpenDKIM, the Rspamd script will <strong>not</strong> create keys for all domains DMS is managing, but only for the one it assumes to be the main domain (derived from DMS' domain name). Moreover, the default <code>dkim_signing.conf</code> configuration file that DMS ships will also only contain one domain. If you have multiple domains, you need to run the command <code>docker exec -ti &lt;CONTAINER NAME&gt; setup config dkim domain &lt;DOMAIN&gt;</code> multiple times to create all the keys for all domains, and then provide a custom <code>dkim_signing.conf</code> (for which an example is shown below).</p>
</details>
<div class="admonition info">
<p class="admonition-title">About the Helper Script</p>
<p>The script will persist the keys in <code>/tmp/docker-mailserver/rspamd/dkim/</code>. Hence, if you are already using the default volume mounts, the keys are persisted in a volume. The script also restarts Rspamd directly, so changes take effect without restarting DMS.</p>
<p>The script provides you with log messages along the way of creating keys. In case you want to read the complete log, use <code>-v</code> (verbose) or <code>-vv</code> (very verbose).</p>
<hr />
<p>In case you have not already provided a default DKIM signing configuration, the script will create one and write it to <code>/etc/rspamd/override.d/dkim_signing.conf</code>. If this file already exist, it will not be overwritten. When you're already using <a href="../../security/rspamd/#manually">the <code>rspamd/override.d/</code> directory</a>, the file is created inside your volume and therefore persisted correctly. If you are not using <code>rspamd/override.d/</code>, you will need to persist the file yourself (otherwise it is lost on container restart).</p>
<p>An example of what a default configuration file for DKIM signing looks like can be found by expanding the example below.</p>
</div>
<details class="example">
<summary>DKIM Signing Module Configuration Examples</summary>
<p>A simple configuration could look like this:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># documentation: https://rspamd.com/doc/modules/dkim_signing.html</span>
<span class="na">enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_authenticated</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">use_domain</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;header&quot;</span><span class="c1">;</span>
<span class="na">use_redis</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">false</span><span class="c1">; # don&#39;t change unless Redis also provides the DKIM keys</span>
<span class="na">use_esld</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
<span class="na">check_pubkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">; # you want to use this in the beginning</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/mail.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;mail&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
<p>As shown next:</p>
<ul>
<li>You can add more domains into the <code>domain { ... }</code> section (in the following example: <code>example.com</code> and <code>example.org</code>).</li>
<li>A domain can also be configured with multiple selectors and keys within a <code>selectors [ ... ]</code> array (in the following example, this is done for <code>example.org</code>).</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># ...</span>
<span class="na">domain {</span>
<span class="w"> </span><span class="na">example.com {</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/tmp/docker-mailserver/rspamd/example.com/ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">example.org {</span>
<span class="w"> </span><span class="na">selectors [</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/example.org/rsa.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-rsa&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">},</span>
<span class="w"> </span><span class="na">{</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/example.org/ed25519.private&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;dkim-ed25519&quot;</span><span class="c1">;</span>
<span class="w"> </span><span class="na">}</span>
<span class="w"> </span><span class="na">]</span>
<span class="w"> </span><span class="na">}</span>
<span class="na">}</span>
</code></pre></div>
</details>
<details class="warning">
<summary>Support for DKIM Keys using ED25519</summary>
<p>This modern elliptic curve is supported by Rspamd, but support by third-parties for <a href="https://serverfault.com/questions/1023674/is-ed25519-well-supported-for-the-dkim-validation/1074545#1074545">verifying Ed25519 DKIM signatures is unreliable</a>.</p>
<p>If you sign your mail with this key type, you should include RSA as a fallback, like shown in the above example.</p>
</details>
<details class="tip">
<summary>Let Rspamd Check Your Keys</summary>
<p>When <code>check_pubkey = true;</code> is set, Rspamd will query the DNS record for each DKIM selector, verifying each public key matches the private key configured.</p>
<p>If there is a mismatch, a warning will be emitted to the Rspamd log <code>/var/log/supervisor/rspamd.log</code>.</p>
</details>
</div>
</div>
</div>
<h3 id="dkim-dns"><a class="toclink" href="#dkim-dns">DNS Record</a></h3>
<p>When mail signed with your DKIM key is sent from your mail server, the receiver needs to check a DNS <code>TXT</code> record to verify the DKIM signature is trustworthy.</p>
<div class="admonition example">
<p class="admonition-title">Configuring DNS - DKIM record</p>
<p>When you generated your key in the previous step, the DNS data was saved into a file <code>&lt;selector&gt;.txt</code> (default: <code>mail.txt</code>). Use this content to update your <a href="https://www.vultr.com/docs/introduction-to-vultr-dns/">DNS via Web Interface</a> or directly edit your <a href="https://en.wikipedia.org/wiki/Zone_file">DNS Zone file</a>:</p>
<div class="tabbed-set tabbed-alternate" data-tabs="2:2"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">Web Interface</label><label for="__tabbed_2_2">DNS Zone file</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>Create a new record:</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>Type</td>
<td><code>TXT</code></td>
</tr>
<tr>
<td>Name</td>
<td><code>&lt;selector&gt;._domainkey</code> (<em>default: <code>mail._domainkey</code></em>)</td>
</tr>
<tr>
<td>TTL</td>
<td>Use the default (<em>otherwise <a href="https://www.digicert.com/faq/dns/what-is-ttl">3600 seconds is appropriate</a></em>)</td>
</tr>
<tr>
<td>Data</td>
<td>File content within <code>( ... )</code> (<em>formatted as advised below</em>)</td>
</tr>
</tbody>
</table>
<p>When using Rspamd, the helper script has already provided you with the contents (the "Data" field) of the DNS record you need to create - you can just copy-paste this text.</p>
</div>
<div class="tabbed-block">
<p><code>&lt;selector&gt;.txt</code> is already formatted as a snippet for adding to your <a href="https://en.wikipedia.org/wiki/Zone_file">DNS Zone file</a>.</p>
<p>Just copy/paste the file contents into your existing DNS zone. The <code>TXT</code> value has been split into separate strings every 255 characters for compatibility.</p>
</div>
</div>
</div>
</div>
<details class="info">
<summary><code>&lt;selector&gt;.txt</code> - Formatting the <code>TXT</code> record value correctly</summary>
<p>This file was generated for use within a <a href="https://en.wikipedia.org/wiki/Zone_file">DNS zone file</a>. DNS <code>TXT</code> records values that are longer than 255 characters need to be split into multiple parts. This is why the public key has multiple parts wrapped within double-quotes between <code>(</code> and <code>)</code>.</p>
<p>A DNS web-interface may handle this internally instead, while <a href="https://serverfault.com/questions/763815/route-53-doesnt-allow-adding-dkim-keys-because-length-is-too-long">others may not, but expect the input as a single line</a>_). You'll need to manually format the value as described below.</p>
<p>Your DNS record file (eg: <code>mail.txt</code>) should look similar to this:</p>
<div class="highlight"><pre><span></span><code>mail._domainkey IN TXT ( &quot;v=DKIM1; k=rsa; &quot;
&quot;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ&quot;
&quot;5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB&quot;
) ;
</code></pre></div>
<p>Take the content between <code>( ... )</code>, and combine all the quote wrapped content and remove the double-quotes including the white-space between them. That is your <code>TXT</code> record value, the above example would become this:</p>
<div class="highlight"><pre><span></span><code>v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB
</code></pre></div>
<p>To test that your new DKIM record is correct, query it with the <code>dig</code> command. The <code>TXT</code> value response should be a single line split into multiple parts wrapped in double-quotes:</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>dig<span class="w"> </span>+short<span class="w"> </span>TXT<span class="w"> </span>dkim-rsa._domainkey.example.com
<span class="go">&quot;v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39&quot; &quot;KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB&quot;</span>
</code></pre></div>
</details>
<h3 id="dkim-debug"><a class="toclink" href="#dkim-debug">Troubleshooting</a></h3>
<p><a href="https://mxtoolbox.com/dkim.aspx">MxToolbox has a DKIM Verifier</a> that you can use to check your DKIM DNS record(s).</p>
<p>When using Rspamd, we recommend you turn on <code>check_pubkey = true;</code> in <code>dkim_signing.conf</code>. Rspamd will then check whether your private key matches your public key, and you can check possible mismatches by looking at <code>/var/log/supervisor/rspamd.log</code>.</p>
<h2 id="dmarc"><a class="toclink" href="#dmarc">DMARC</a></h2>
<p>With DMS, DMARC is pre-configured out of the box. You may disable extra and excessive DMARC checks when using Rspamd via <code>ENABLE_OPENDMARC=0</code>.</p>
<p>The only thing you need to do in order to enable DMARC on a "DNS-level" is to add new <code>TXT</code>. In contrast to <a href="#dkim">DKIM</a>, DMARC DNS entries do not require any keys, but merely setting the <a href="https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags">configuration values</a>. You can either handcraft the entry by yourself or use one of available generators (like <a href="https://dmarcguide.globalcyberalliance.org">this one</a>).</p>
<p>Typically something like this should be good to start with:</p>
<div class="highlight"><pre><span></span><code>_dmarc.example.com. IN TXT &quot;v=DMARC1; p=none; sp=none; fo=0; adkim=4; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com&quot;
</code></pre></div>
<p>Or a bit more strict policies (<em>mind <code>p=quarantine</code> and <code>sp=quarantine</code></em>):</p>
<div class="highlight"><pre><span></span><code>_dmarc.example.com. IN TXT &quot;v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@example.com; ruf=mailto:dmarc.report@example.com&quot;
</code></pre></div>
<p>The DMARC status may not be displayed instantly due to delays in DNS (caches). Dmarcian has <a href="https://dmarcian.com/dmarc-tools/">a few tools</a> you can use to verify your DNS records.</p>
<h2 id="spf"><a class="toclink" href="#spf">SPF</a></h2>
<div class="admonition quote">
<p class="admonition-title">What is SPF</p>
<p>Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.</p>
<p><a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">Source</a></p>
</div>
<div class="admonition note">
<p class="admonition-title">Disabling <code>policyd-spf</code>?</p>
<p>As of now, <code>policyd-spf</code> cannot be disabled. This is WIP.</p>
</div>
<h3 id="adding-an-spf-record"><a class="toclink" href="#adding-an-spf-record">Adding an SPF Record</a></h3>
<p>To add a SPF record in your DNS, insert the following line in your DNS zone:</p>
<div class="highlight"><pre><span></span><code>example.com. IN TXT &quot;v=spf1 mx ~all&quot;
</code></pre></div>
<p>This enables the <em>Softfail</em> mode for SPF. You could first add this SPF record with a very low TTL. <em>SoftFail</em> is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.</p>
<p>After verification, you <em>might</em> want to change your SPF record to <code>v=spf1 mx -all</code> so as to enforce the <em>HardFail</em> policy. See <a href="http://www.open-spf.org/SPF_Record_Syntax">http://www.open-spf.org/SPF_Record_Syntax</a> for more details about SPF policies.</p>
<p>In any case, increment the SPF record's TTL to its final value.</p>
<h3 id="backup-mx-secondary-mx-for-policyd-spf"><a class="toclink" href="#backup-mx-secondary-mx-for-policyd-spf">Backup MX &amp; Secondary MX for <code>policyd-spf</code></a></h3>
<p>For whitelisting an IP Address from the SPF test, you can create a config file (see <a href="https://www.linuxcertif.com/man/5/policyd-spf.conf"><code>policyd-spf.conf</code></a>) and mount that file into <code>/etc/postfix-policyd-spf-python/policyd-spf.conf</code>.</p>
<p><strong>Example:</strong> Create and edit a <code>policyd-spf.conf</code> file at <code>docker-data/dms/config/postfix-policyd-spf.conf</code>:</p>
<div class="highlight"><pre><span></span><code><span class="na">debugLevel</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">1</span>
<span class="c1">#0(only errors)-4(complete data received)</span>
<span class="na">skip_addresses</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">127.0.0.0/8,::ffff:127.0.0.0/104,::1</span>
<span class="c1"># Preferably use IP-Addresses for whitelist lookups:</span>
<span class="na">Whitelist</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">192.168.0.0/31,192.168.1.0/30</span>
<span class="c1"># Domain_Whitelist = mx1.not-example.com,mx2.not-example.com</span>
</code></pre></div>
<p>Then add this line to <code>compose.yaml</code>:</p>
<div class="highlight"><pre><span></span><code><span class="nt">volumes</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./docker-data/dms/config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf</span>
</code></pre></div>
</article>
</div>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
<div class="md-copyright__highlight">
<p>&copy <a href="https://github.com/docker-mailserver"><em>Docker Mailserver Organization</em></a><br/><span>This project is licensed under the MIT license.</span></p>
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "navigation.top", "navigation.expand", "navigation.instant", "content.action.edit", "content.action.view", "content.code.annotate"], "search": "../../../assets/javascripts/workers/search.208ed371.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
<script src="../../../assets/javascripts/bundle.407015b8.min.js"></script>
</body>
</html>