Zen of Email Delivery

For many years (decades in fact) I ran servers for clients. In the main I did it to have control over the website hosting, but of course that usually comes with handling emails as well. A few years back I dropped out of the hosting game and just kept a few clients. This short article is a few notes on the steps that I’ve taken to make sure emails get delivered and not bounced/rejected. I couldn’t really find an overview article of the techniques and protocols that can be used, although plenty of scattered info. So here is my take. It’s not a detailed set of instructions, but an outline with links to other sources of more detailed info.

There are three main protocols to setup: SPF, DKIM and DMARC and here we’ll take a look at how to set them up and get them working together. All of them require access to your DNS entries at your registar, and DKIM will require access to the server running the MTA (postfix, exim, qmail).

SPF

The Sender Policy Framework or SPF is used to check the sender email addresses of an email. The receiving server can check the sender domain and IP number against a record in the DNS for that domain. If they match, it is a pass, if they don’t match, it is a fail.

A fast and easy way to setup an entry is to use SPF Wizard. Once you have created the text string, similar to "v=spf1 ip4:234.5.6.78/24 ip4:123.22.33.123 a -all", that needs to be inserted as an additional TXT record in the DNS for the domain. (There was at one time a special SPF record, but it seems the TXT is preferred now.)

When a server receives an email purporting to be from your server, it will check the DNS entry for that domain and then check that the email has arrived from that IP address. SPF allows for alternative servers and IPs for the mail delivery.

More at Wikipedia

DKIM

Domain Keys Identified Mail or DKIM is a means of attaching a digital signature to the header of an email which can be checked against a public key for proof. This implies that there must be some software that signs the email with a key when the email is sent out and a DNS entry containing the public key.

In the case of Postfix, it is the dkim-milter, other MTAs will have a similar variant. A search for postfix dkim with the server operating system should give you ample instruction. For example, with Ubuntu it requires in stalling OpenDKIM packages.

DKIM, like any protocol that involves cryptography, can be quite complex. Most of the implementations run as a daemon on the system and communicate via a socket, this can be set in the opendkim.conf file. Next, we create a public/private key pair using opendkim-genkey. Postfix then needs to be told to connect to the milter on sending emails. And finally we add the DNS TXT record for the DKIM information.

Note that the record is given the domain in the format xyzxyz._domainkey.example.com where ‘xyzxyz’ is called the selector and can be your choice of selector. This is first specified when creating the public/private keypair.

More at Wikipedia

DMARC

Domain-based Message Authentication, Reporting and Conformance or DMARC is an email authentication protocol that brings together SPF and DKIM and includes information on reporting spam and spoofing attempts. It is quite straightforward to setup and requires just a DNS TXT record. The subdomain is always _dmarc, for example _dmarc.example.com and contains information on what policy to use (reject, quarantine etc) and where to send reports, if required, for totals and forensic information.

Note that if the reporting email address is on a different domain, this will have to be indicated by a separate DMARC record on that domain. For example sender.otherdom._report._dmarc.example.com IN TXT 'v=DMARC1'.

More at Wikipedia

Summary

As an ISP responsible for sending emails, you first publish a SPF record telling the world which IP numbers are allowed to send email for you. You then setup a DKIM key used to sign the email. The public part of the key is published (in DNS). You create a DMARC record in DNS to inform the recipients of how to check authenticity and how to handle any false attempts at sending.

It’s important to check that all three methods are correctly setup and giving the expected information. The MXToolKit is an excellent resource for this, as well as the more specialized checkers (see below).

Useful pages

SPF spec
DKIM spec
DMARC spec
MXToolbox
DKIM checker
DKIM checker
DMARC checker

// end of file