Hello Chris, Neal & Michael

It's a while ago that I had the problem Chris mentioned — providers, e.g. Gmail, 
tagged e-mails coming from my servers as spam and users complained that their 
mails weren't delivered anymore or landed in the Junk folder... So I tried to 
find a remedy, asked the list in July, and Michael then installed OpenDKIM.

Chris, your guide to install DKIM would have been very helpful at that time, I 
had to figure it all out the hard way... First generating the key and then 
inserting the TXT record into the DNS. And I wanted to do this for each domain.

Then it occurred to me that the SPF *and* the DMARC TXT records must also be 
entered into the DNS. Whether DKIM, SPF and DMARC are charlatan products is an 
open question, but installing all three «authentication techniques» 
significantly reduced spam tagging and undelivered mail on my servers.

So my message:
if you have a bunch of domains without those implementations, then do the 
following (as I did):
• create all DKIM keys
• prepare the DMARC TXT record for each domain (see NOTE 1)
• prepare the SPF TXT record for each domain (see NOTE 2)
Then you can switch to your DNS server and insert the three TXT records. It's 
some kind of «/Das tapfere Schneiderlein/» (The Valiant Little Tailor), but 
with only three flies :-)

You'll have to do this one by one, unfortunately (I created a shell script 
that does this partially, see NOTE 3):
• generate all DKIM keys for each domain into /etc/opendkim/keys → Steps 1 to 4 
in Chris' guide
• Step 5 is important: chown -R opendkim:opendkim /etc/opendkim (that was a 
tough one to find out :-)
• Steps 6 and 7
Then you can switch to your DNS server for Step 8.

Browse through each domain in [Select Domain... v] and add the three TXT records:
• _dmarc . yourdomain.tld       TXT     v=DMARC1; p=quarantine; rua=mailto:rep...@yourdomain.tld; ruf=mailto:rep...@yourdomain.tld
• yourdomain.tld.       TXT     v=spf1 ip4:ip.ip.ip.ip1/32 ip4:ip.ip.ip.ip2/32 include:_spf.google.com include:_spf.bluewin.ch ~all
• default._domainkey . yourdomain.tld   TXT     v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeQBM3pni6EN9A3+N47x10tiRHe3KUM4ciXUMBD9gABcv/dnpRQfdOXZOG1A8WrvwoKXywYIDv4MCyuBXgCHMppjkQ703lc8eKjuTZxGLheiQGQ/ISmTndbM2y+SG9tv+YvD9YwpVNLTuUJung3XpHeoiOXLr0HX8TfQPzG04hDQIDAQAB

Save the record, then save again for the domain, and when you have gone through all 
domains, restart the DNS server.

Go to Step 9 and test the DNS record using 
https://www.dmarcanalyzer.com/dkim/dkim-checker/. I noted it might take a while 
to get an OK, probably because of DNS propagation.

Best regards

Meaulnes Legler
Zurich, Switzerland
+41 (0)44 260-1660
I'm on *Wire* as @meaulnes — https://get.wire.com/
/no more Whatzap and so on!/

NOTE 1   I'm not sure which arguments are the best; these rua= and ruf= 
addresses create errors, but they do no harm...

NOTE 2   Also here I'm not sure: a? mx? ip4? Intuitively, I included 
_spf.google.com and _spf.bluewin.ch, a major telecom provider.

NOTE 3   My shell script checks the OpenDKIM and Postfix configuration and lists all 
virtual servers, the ones with already installed DKIM key files and the ones 
without:

# ~/dkim_addDomain.sh
   OpenDKIM and Postfix configuration ok.
   ERROR: no domain specified to DKIM!
   dkim_addDomain.sh version 3 (9.2022) - Install DKIM record for a virtual 
domain.
   usage: /root/dkim_addDomain.sh domain.tld or sub.domain.tld
   List of 32 available domains on this server:
   ...
   List of 17 already installed domains with keyfiles:
   ...
   List of 15 domains that can be installed:
   ...

If someone wants it, write me directly @ i...@waveweb.ch. As Chris points 
out: keep in mind all the usual disclaimers, it's made available as a courtesy, 
not guaranteed to work for your production use, etc. etc. blah blah :-)


On 29.12.22 05:05, Chris Gebhardt - VIRTBIZ Internet wrote:
Hi Michael,

On 12/28/22 7:50 PM, Michael Stauber wrote:
All that out of the way, here's the guide for adding DKIM to a BlueOnyx VSITE:

https://www.virtbiz.com/client/index.php?rp=/knowledgebase/4996/Add-DKIM-for-BlueOnyx-VSITE.html

Ah, you know what? I guess it's not *that* much work, so I think I'll build it 
into the DNS GUI. I'll throw OpenDKIM in as mandatory RPM and provide the GUI 
to create/manage the keys and TXT DNS records.

And instantly make my guide obsolete?   Waaaah!   LOL, not really.   I think 
that's a great solution if it's easy enough to integrate, much like the SPF 
generator but a step beyond since it will have to handle the key integration.

I presume that will be something for 5211R and possibly backported to 5210R.   
If that's the case, I'll keep the guide active for those who want to run 
OpenDKIM for VSITEs on a 5209R, since those will still be knocking around for a 
while.    When the feature is released, I'll update my KB entry noting the 
obsolescence.


_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
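As an added example (not part of the post, nor BlueOnyx or OpenDKIM code), a small Python checker for SPF and DKIM TXT records of the shape quoted in the post, to run before the records go into the DNS: it validates the SPF skeleton and the RFC 7208 lookup budget, and walks the DER inside the DKIM p= value to report the RSA key size against RFC 8301. The ip4: addresses are constructed placeholders; the DKIM key is the one shown in the post.

```python
import base64
import re

# Constructed samples modelled on the post's records: the ip4: addresses are documentation
# placeholders; the DKIM p= value is the public key shown in the post.
SPF_RECORD = "v=spf1 ip4:192.0.2.10/32 ip4:192.0.2.11/32 include:_spf.google.com include:_spf.bluewin.ch ~all"
DKIM_RECORD = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeQBM3pni6EN9A3+N47x10tiRHe3KUM4ciXUMBD9gABcv/"
               "dnpRQfdOXZOG1A8WrvwoKXywYIDv4MCyuBXgCHMppjkQ703lc8eKjuTZxGLheiQGQ/ISmTndbM2y+SG9tv+YvD9YwpVNLTuUJung3XpHeoiOXLr0HX8TfQPzG04hDQIDAQAB")

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if part.strip())

def _tlv(buf, off):
    # Read one DER tag-length-value at off; return (tag, value, offset after it).
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def dkim_key_bits(record):
    """RSA modulus size in a DKIM p= tag, found by walking the SubjectPublicKeyInfo DER."""
    spki = base64.b64decode(parse_tags(record).get("p", ""), validate=True)
    _, body, _ = _tlv(spki, 0)                       # SubjectPublicKeyInfo SEQUENCE
    _, bitstr, _ = _tlv(body, _tlv(body, 0)[2])      # skip AlgorithmIdentifier, read BIT STRING
    _, modulus, _ = _tlv(_tlv(bitstr[1:], 0)[1], 0)  # RSAPublicKey SEQUENCE -> INTEGER modulus
    return len(modulus.lstrip(b"\x00")) * 8          # drop the 0x00 sign pad before counting

def check_spf(record):
    """Return a list of problems with an SPF record (empty list means these checks passed)."""
    terms, issues = record.split(), []
    if not terms or terms[0] != "v=spf1":
        issues.append("record must start with v=spf1")
    if not terms or not re.fullmatch(r"[+\-~?]?all", terms[-1]):
        issues.append("last term should be an all mechanism (~all softfail, -all hard fail)")
    lookups = sum(1 for t in terms if re.match(r"[+\-~?]?(include:|a\b|mx\b|ptr|exists:)|redirect=", t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues

def check_dkim(record):
    """Return a list of problems with a DKIM key record (decodable key, key size)."""
    try:
        bits = dkim_key_bits(record)
    except (ValueError, IndexError):
        return ["p= is not a base64-encoded RSA SubjectPublicKeyInfo"]
    if bits < 1024:
        return [f"{bits}-bit key is below the RFC 8301 minimum of 1024 bits"]
    if bits < 2048:
        return [f"{bits}-bit key: RFC 8301 recommends at least 2048 bits"]
    return []
```

Run against the post's key, `check_dkim` reports a 1024-bit key, the RFC 8301 minimum but below its 2048-bit recommendation.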
