How to Set up SPF and DKIM with Postfix on Ubuntu Server

In this post I want to show how to set up SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for Postfix running on Ubuntu.

Both of them are used in combination with DMARC (Domain-based Message Authentication, Reporting and Conformance) to combat email spoofing and phishing.

DMARC itself is just a DNS TXT record which can be used by any receiving email server to authenticate the incoming email based on the instructions published by the domain owner of the sending email domain in this DNS TXT record. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record, the email could be delivered, quarantined or rejected.

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance) https://en.wikipedia.org/wiki/DMARC

SPF allows the owner of an Internet domain to specify which computers (IPs and FQDNs) are authorized to send mail with envelope-from addresses in that domain, using DNS records.

According to the DMARC policy (DNS record) published by the domain owner of the sending email domain, Postfix can deliver, quarantine or reject the email.

Sender Policy Framework (SPF) https://en.wikipedia.org/wiki/Sender_Policy_Framework

DKIM also uses a DNS TXT record, and as with SPF you have to install a package (opendkim) on Ubuntu. It generates a private and public key pair that Postfix uses to sign outbound email messages (the DKIM signature). The package can also check the DKIM signature of inbound email messages.

For inbound email messages, Postfix can then also use the DMARC policy (DNS record) and the instructions held within it to decide what to do with the incoming email: reject, quarantine or deliver it.

opendkim https://wiki.debian.org/opendkim

OpenDKIM can add DKIM signatures to outbound mail and check DKIM signatures on inbound mail. It can be configured to reject mail that has missing or invalid DKIM signatures.