
How to Configure SPF, DKIM, and DMARC on an iRedMail Server (CentOS 10 or 11)
Email security is crucial in preventing phishing, spoofing, and spam. Without proper authentication mechanisms, attackers can impersonate your domain, damaging your reputation and reducing email deliverability.
To enhance the security of your iRedMail server running CentOS 10 or 11, you need to configure SPF, DKIM, and DMARC.
SPF (Sender Policy Framework) verifies which mail servers are authorized to send emails on behalf of your domain.
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails to confirm authenticity.
DMARC (Domain-based Message Authentication, Reporting & Conformance) provides policies for handling emails that fail SPF or DKIM verification.
Below is a step-by-step guide to installing and configuring these protocols on your iRedMail server.
Step 1: Install Required Packages
First, update your system and install OpenDKIM and OpenDMARC by running the following command.
sudo yum install opendkim opendmarc -y
These packages will help in signing outgoing emails (DKIM) and enforcing DMARC policies.
Step 2: Generate DKIM Keys
Create a directory to store your DKIM keys securely.
sudo mkdir -p /etc/opendkim/keys/example.com
Replace example.com with your actual domain name.
Now, generate the DKIM key pair for your domain.
sudo opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
The -D flag specifies the directory where keys will be saved.
The -d flag is your domain name.
The -s flag sets the selector name, which in this case is default.
Set the correct ownership for the DKIM key files.
sudo chown -R opendkim:opendkim /etc/opendkim/keys/example.com
Step 3: Configure OpenDKIM
Open the OpenDKIM configuration file for editing.
sudo nano /etc/opendkim.conf
Add or modify the following lines at the bottom of the file.
Domain example.com
KeyFile /etc/opendkim/keys/example.com/default.private
Selector default
Save and exit the file.
Step 4: Configure OpenDMARC
Open the OpenDMARC configuration file.
sudo nano /etc/opendmarc.conf
Add the following lines at the bottom.
AuthservID example.com
TrustedAuthservIDs example.com
Save and exit the file.
Step 5: Enable and Start DKIM and DMARC Services
Ensure OpenDKIM and OpenDMARC start automatically when the server boots.
sudo systemctl enable opendkim opendmarc
Start the services.
sudo systemctl start opendkim
sudo systemctl start opendmarc
Check their status to confirm they are running.
sudo systemctl status opendkim
sudo systemctl status opendmarc
If the services are active, proceed to the next step.
Step 6: Configure SPF, DKIM, and DMARC in DNS
To apply these security features, update your domain’s DNS records with SPF, DKIM, and DMARC settings.
SPF Record
Add the following TXT record in your domain’s DNS settings.
example.com. IN TXT "v=spf1 mx ~all"
The v=spf1 specifies the SPF version.
The mx mechanism authorizes the hosts listed in the domain's MX records to send mail for the domain.
The ~all is a soft fail: mail from any other server is not rejected outright, but receivers mark it as suspicious. If you want strict enforcement, replace ~all with -all (hard fail).
DKIM Record
Extract your public DKIM key from the generated file.
cat /etc/opendkim/keys/example.com/default.txt
Copy the key and add it as a TXT record in your DNS settings.
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=your-public-key"
Replace your-public-key with the actual key from default.txt.
DMARC Record
To enable DMARC, add the following TXT record in your DNS settings.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; fo=1"
The p=none means receivers only report on emails that fail authentication and take no action against them. You can change this to p=quarantine or p=reject for stricter enforcement.
The rua tag sets the address that receives aggregate DMARC reports, and ruf sets the address for forensic (per-message failure) reports; fo=1 requests a failure report whenever either SPF or DKIM fails.
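As an added example (not part of the original guide), the following Python script reads the default.txt that opendkim-genkey writes, where the record value is split into several quoted strings inside parentheses, joins them into the single value to paste into DNS, and sanity-checks the SPF, DKIM and DMARC values from this step before they are published. The default.txt content and the p= value in it are constructed placeholders, not a real key.

```python
import base64
import re
# Constructed placeholder, not a real RSA public key.
PLACEHOLDER_P = base64.b64encode(b"constructed placeholder, not a real RSA public key").decode()
# Constructed imitation of default.txt: quoted fragments inside ( ) followed by a comment.
DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={PLACEHOLDER_P[:30]}"\n'
    f'\t  "{PLACEHOLDER_P[30:]}" )  ; ----- DKIM key default for example.com\n'
)

def join_dkim_txt(default_txt: str) -> str:
    """Concatenate the quoted fragments between ( ) into one TXT value for the DNS UI."""
    inside = default_txt.split("(", 1)[1].rsplit(")", 1)[0]
    return "".join(re.findall(r'"([^"]*)"', inside))

def parse_tags(record: str) -> dict:
    """Split a DKIM or DMARC 'tag=value; tag=value' list into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_dkim(record: str) -> list:
    """Return problems with a DKIM TXT value; an empty list means it is usable."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    p = tags.get("p", "")  # must be unbroken base64 with a length that is a multiple of 4
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p) or len(p) % 4:
        problems.append("p= missing or not valid base64 (fragments copied incorrectly?)")
    return problems

def check_spf(record: str) -> list:
    """Return problems with an SPF record such as 'v=spf1 mx ~all'."""
    terms = record.split()
    problems = [] if terms and terms[0] == "v=spf1" else ["must start with v=spf1"]
    if not terms or terms[-1].lstrip("+-~?") != "all":
        problems.append("should end with an 'all' mechanism (~all or -all)")
    return problems

def check_dmarc(record: str) -> list:
    """Return problems with the _dmarc.<domain> TXT value."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for t in ("rua", "ruf"):
        if t in tags and not tags[t].startswith("mailto:"):
            problems.append(f"{t}= must be a mailto: URI")
    return problems
```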
Step 7: Restart OpenDKIM and OpenDMARC
Once the DNS records are updated, restart the services to apply the changes.
sudo systemctl restart opendkim
sudo systemctl restart opendmarc
Step 8: Test SPF, DKIM, and DMARC Configuration
Use online tools to verify your configuration.
To check SPF, visit mxtoolbox.com/spf.aspx
To test DKIM, visit mxtoolbox.com/dkim.aspx
To analyze DMARC, visit dmarcanalyzer.com
You can also send a test email to mail-tester.com and review your SPF, DKIM, and DMARC results.
Conclusion
By configuring SPF, DKIM, and DMARC, you have significantly enhanced the security and credibility of your iRedMail server on CentOS 10 or 11.
These authentication mechanisms help prevent domain spoofing, improve email deliverability, and strengthen your email reputation.
To maintain a secure mail server, regularly monitor authentication reports, check DNS configurations, and adjust policies as needed. Stay proactive in email security to ensure your communications remain safe and trusted.