[BlueOnyx:25873] Re: DKIM , SPF und DMARC on BlueOnyx

Meaulnes Legler @ MailList bluelist at waveweb.ch
Thu Dec 29 18:03:24 -05 2022


hello Chris, Neal & Michael

A while ago I had the problem Chris mentioned — providers, e.g. Gmail, tagged e-mails coming from my servers as spam, and users complained that their mails weren't delivered anymore or landed in the Junk folder... So I tried to find a remedy, asked the list in July, and Michael then installed OpenDKIM.

Chris, your guide to install DKIM would have been very helpful at that time, I had to figure it all out the hard way... First generating the key and then inserting the TXT record into the DNS. And I wanted to do this for each domain.

Then it occurred to me that the SPF *and* the DMARC TXT records must also be entered into the DNS. Whether DKIM, SPF and DMARC are charlatan products is an open question, but installing all three «authentication techniques» significantly reduced spam tagging and undelivered mail on my servers.

So my message:
if you have a bunch of domains without those implementations, then do the following (as I did):
• create all DKIM keys
• prepare the DMARC TXT record for each domain (see NOTE 1)
• prepare the SPF TXT record for each domain (see NOTE 2)
Then you can switch to your DNS server and insert the three TXT records. It's some kind of a «/Das tapfere Schneiderlein/» (The Valiant Little Tailor) but with only three flies :-)

You'll have to do this one by one, unfortunately (I created a shell script that does this partially, see NOTE 3).
• generate all DKIM keys for each domain into /etc/opendkim/keys → Steps 1 to 4 in Chris' guide
• Step 5 is important: chown -R opendkim:opendkim /etc/opendkim (that was a tough one to find out:-)
• Step 6 and 7
Then you can switch to your DNS server for Step 8.

Browse thru each domain in [Select Domain... v] and add the three TXT records
• _dmarc . yourdomain.tld 	TXT	v=DMARC1; p=quarantine; rua=mailto:report@yourdomain.tld; ruf=mailto:report@yourdomain.tld
• yourdomain.tld.	TXT	v=spf1 ip4:ip.ip.ip.ip1/32 ip4:ip.ip.ip.ip2/32 include:_spf.google.com include:_spf.bluewin.ch ~all
• default._domainkey . yourdomain.tld	TXT	v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeQBM3pni6EN9A3+N47x10tiRHe3KUM4ciXUMBD9gABcv/dnpRQfdOXZOG1A8WrvwoKXywYIDv4MCyuBXgCHMppjkQ703lc8eKjuTZxGLheiQGQ/ISmTndbM2y+SG9tv+YvD9YwpVNLTuUJung3XpHeoiOXLr0HX8TfQPzG04hDQIDAQAB

Save the record, then save again for the domain, and when you went through all domains, restart the DNS server.

Go to Step 9 and test the DNS record using https://www.dmarcanalyzer.com/dkim/dkim-checker/. I noted it might take a while to get an ok, probably because of the DNS propagation.

Best regards

で⊃ Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660
I'm on *Wire* as @meaulnes — https://get.wire.com/
/no more Whatzap and so on!/

NOTE 1	I'm not sure which arguments are the best, these rua= and ruf= addresses create errors, but they don't do any harm.

NOTE 2	Also here I'm not sure: a? mx? ip4? Intuitively, I included _spf.google.com and _spf.bluewin.ch, a major telecom provider.

NOTE 3	My shell script checks the OpenDKIM and Postfix configuration and lists all virtual servers, the ones with already installed DKIM keyfiles and the ones without:

# ~/dkim_addDomain.sh
    OpenDKIM and Postfix configuration ok.
    ERROR: no domain specified to DKIM!
    dkim_addDomain.sh version 3 (9.2022) - Install DKIM record for a virtual domain.
    usage: /root/dkim_addDomain.sh domain.tld or sub.domain.tld
    List of 32 available domains on this server:
    ...
    List of 17 already installed domains with keyfiles:
    ...
    List of 15 domains that can be installed:
    ...

If someone wants it, write me directly @ info at waveweb.ch. As Chris points out: keep in mind all the usual disclaimers, it's made available as a courtesy, not guaranteed to work for your production use, etc etc blah blah :-)


On 29.12.22 05:05, Chris Gebhardt - VIRTBIZ Internet wrote:
> Hi Michael,
> 
> On 12/28/22 7:50 PM, Michael Stauber wrote:
>>> All that out of the way, here's the guide for adding DKIM to a BlueOnyx VSITE:
>>>
>>> https://www.virtbiz.com/client/index.php?rp=/knowledgebase/4996/Add-DKIM-for-BlueOnyx-VSITE.html
>>
>> Ah, you know what? I guess it's not *that* much work, so I think I'll build it into the DNS GUI. I'll throw OpenDKIM in as mandatory RPM and provide the GUI to create/manage the keys and TXT DNS records.
> 
> And instantly make my guide obsolete?   Waaaah!   LOL, not really.   I think that's a great solution if it's easy enough to integrate, much like the SPF generator but a step beyond since it will have to handle the key integration.
> 
> I presume that will be something for 5211R and possibly backported to 5210R.   If that's the case, I'll keep the guide active for those who want to run OpenDKIM for VSITEs on a 5209R, since those will still be knocking around for a while.    When the feature is released, I'll update my KB entry noting the obsolescence.
> 
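
An offline check of the three TXT values described in the message above, added here as an example (it is not part of the original post or of Chris' guide): it parses the DMARC and DKIM tag lists, lists the SPF terms that cost a DNS lookup, and reads the RSA key size out of the DKIM p= value. The function names are made up for this example and the SPF addresses are constructed from the 192.0.2.x documentation range.

```python
import base64
import re

# Sample input: the three TXT values from the post. The SPF addresses are
# constructed (192.0.2.x documentation range); the DKIM key is the posted one.
DMARC = "v=DMARC1; p=quarantine; rua=mailto:report@yourdomain.tld; ruf=mailto:report@yourdomain.tld"
SPF = "v=spf1 ip4:192.0.2.10/32 ip4:192.0.2.11/32 include:_spf.google.com include:_spf.bluewin.ch ~all"
DKIM = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeQBM3pni6EN9A3+N47x10tiRHe3KUM4ciXUMBD9gA"
        "Bcv/dnpRQfdOXZOG1A8WrvwoKXywYIDv4MCyuBXgCHMppjkQ703lc8eKjuTZxGLheiQGQ/ISmTndbM2y"
        "+SG9tv+YvD9YwpVNLTuUJung3XpHeoiOXLr0HX8TfQPzG04hDQIDAQAB")

def tags(txt):
    """Split a 'k=v; k=v' TXT value (DKIM and DMARC syntax) into a dict."""
    return dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    first, start = buf[pos + 1], pos + 2
    if first < 0x80:                       # short form: the octet is the length
        return start, start + first
    n = first & 0x7F                       # long form: n length octets follow
    return start + n, start + n + int.from_bytes(buf[start:start + n], "big")

def dkim_rsa_bits(txt):
    """Modulus size of the RSA key in p= (a DER SubjectPublicKeyInfo)."""
    der = base64.b64decode(tags(txt)["p"])
    seq, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(der, seq)            # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end)           # BIT STRING wrapping RSAPublicKey
    key, _ = _tlv(der, bits + 1)           # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, key)        # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def spf_lookup_terms(txt):
    """Top-level terms that cost a DNS lookup (RFC 7208 caps the total at 10)."""
    return [t for t in txt.split()[1:] if re.match(r"[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)\b)", t)]

def lint(dmarc, spf, dkim):
    issues, d = [], tags(dmarc)
    if not dmarc.startswith("v=DMARC1") or d.get("p") not in ("none", "quarantine", "reject"):
        issues.append("dmarc: needs v=DMARC1 first and p=none|quarantine|reject")
    for k, uri in ((k, u.strip()) for k in ("rua", "ruf") for u in d.get(k, "").split(",") if u.strip()):
        if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri):
            issues.append(f"dmarc: {k} is not a mailto:user@domain URI: {uri!r}")
    if spf.split()[0] != "v=spf1" or spf.split()[-1] in ("all", "+all") or len(spf_lookup_terms(spf)) > 10:
        issues.append("spf: needs v=spf1 first, no +all, and at most 10 lookup terms")
    if (bits := dkim_rsa_bits(dkim)) < 2048:
        issues.append(f"dkim: {bits}-bit RSA key, RFC 8301 recommends 2048 or more")
    return issues
```

The lookup count covers only the terms in the record itself; each include: pulls in further terms that count against the same limit, so the published record still needs a live check after it has propagated.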



