DKIM – Review of all aspects

CONFIGURING A MAIL SERVER TO UTILIZE “DKIM” with respect to aspects of Signing, Verifying

ASSUMPTIONS : UNIX/Linux OS using Postfix and opendkim

ABSTRACT :

Create Private and Public keys
Create TXT records in your DNS server for verification
Verify DNS records are correct
Configure DKIM to sign emails
Configure Postfix to use DKIM to sign emails
Verify emails sent have a DKIM-Signature header added — Proves emails are getting signed
Verify emails pass verification from Authentication-Results header — Proves DNS records and keys are working

SECTION A :

1. Create Private and Public keys

Run opendkim-genkey with following options

A. -v to provide verbose output [Optional]
B. -D to tell command path to put files [Optional]
C. -d to provide name of the domain that will be using this key
D. -s to provide name of selector or key pair generated

EXAMPLE COMMAND :

opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s dkim1

OUTPUT: 2 files
/etc/opendkim/keys/uconn/dkim1.private
/etc/opendkim/keys/uconn/dkim1.txt

SECTION B :

2. Create TXT records in your DNS server for email verification

A. Verification is done with a record of type TXT that provides the verifier your Public key. Use whatever your current method is to make DNS changes, and add records for your domain.

SETTINGS :

 Typical DNS TXT record values

1. Typical verification record values

a. record name format = <selector>._domainkey.<domain name>

The selector comes from the “s=” tag of the DKIM-Signature header field.
The domain name comes from the “d=” tag of the DKIM-Signature header field.

b. record data format = v=DKIM1; k=rsa; p=<public key data>

These are the minimal data entries I would use; only “p” is required. Details are in RFC 6376.

EXAMPLE Name and Values :

dkim1._domainkey.mta5.uits.uconn.edu "v=DKIM1; k=rsa; p=MIGfMA…0GCSqGSIb3DQ"

SECTION C :

3. Verify DNS records are correct

Run “dig” or “nslookup” to verify the DNS records you made look correct

EXAMPLE COMMANDS :  Domainkeys / Verification Record

dig -t txt dkim1._domainkey.mta5.uits.uconn.edu
nslookup -q=txt dkim1._domainkey.mta5.uits.uconn.edu

OUTPUT :
dkim1._domainkey.mta5.uits.uconn.edu. 14400 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqG….xQIDAQAB"
dkim1._domainkey.mta5.uits.uconn.edu text = "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqG….xQIDAQAB"
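Beyond eyeballing the dig output, it is worth checking the record the way a verifier will read it: the quoted strings are joined (dig splits long keys into several strings), the “\;” escaping is undone, the tag list is parsed, and the public key must be base64 that decodes to a DER-encoded key. The following script is an added example, not part of this document or of opendkim; the dig line and the short p= value in it are constructed placeholders, not a real key. It also derives the record name a verifier will query from the “s=” and “d=” tags of a DKIM-Signature header, which is the quickest way to catch a selector or domain mismatch between the signer and DNS.

```python
import base64
import binascii
import re

# Constructed sample of a "dig -t txt" answer line for a DKIM key record.
# The p= value is a short placeholder blob split across two quoted strings,
# the way dig prints long TXT data; it is not a real RSA public key.
SAMPLE_DIG_LINE = (
    'dkim1._domainkey.example.test. 14400 IN TXT '
    '"v=DKIM1\\; k=rsa\\; p=MAoCAwEA" "AQIDAQAB"'
)

def parse_tags(text):
    """Parse a DKIM tag=value list ("v=DKIM1; k=rsa; p=...") into a dict."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Whitespace inside a value (folded headers, chunked TXT data) is not significant.
        tags[name.strip()] = "".join(value.split())
    return tags

def extract_txt_data(dig_line):
    """Join the quoted strings of a dig/nslookup TXT answer and undo the '\\;' escaping."""
    chunks = re.findall(r'"([^"]*)"', dig_line)
    return "".join(chunks).replace("\\;", ";")

def validate_dkim_record(data):
    """Return a list of problems with a DKIM key record's data; an empty list means it looks sane."""
    problems = []
    tags = parse_tags(data)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag present but not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k= tag: %s" % tags["k"])
    if "p" not in tags:
        problems.append("required p= tag is missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key has been revoked")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
        else:
            # Sanity check only: an RSA SubjectPublicKeyInfo is DER, which starts with a SEQUENCE (0x30).
            if tags.get("k", "rsa") == "rsa" and (not key or key[0] != 0x30):
                problems.append("p= does not decode to a DER-encoded RSA public key")
    return problems

def expected_record_name(dkim_signature_value):
    """Derive the TXT record name a verifier will query from a DKIM-Signature header value."""
    tags = parse_tags(dkim_signature_value)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

if __name__ == "__main__":
    data = extract_txt_data(SAMPLE_DIG_LINE)
    print("record data:", data)
    print("problems:", validate_dkim_record(data) or "none")
    print("verifier will query:",
          expected_record_name("v=1; a=rsa-sha256; d=example.test; s=dkim1; b=..."))
```

Feed extract_txt_data the exact answer line dig prints; if validate_dkim_record reports a base64 problem on a record you pasted by hand, the usual cause is a line break or a stray quote inside the p= value.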

SECTION D :

4. DKIM aspects to be configured

A. sign emails the server sends and verify emails the server receives
B. send reports for failed verifications
C. define the “selector” name
D. specify header fields to be listed in the signature one more time than they are actually present, so that adding another instance of that field breaks the signature
E. define the path of the table that maps a DNS record name to its private key file
F. define which emails to sign based on the “From:” header field
G. define which emails to sign based on the sending hostname or IP address

SETTINGS :

4.1 Typical values in a “/etc/opendkim.conf” file

A. Mode sv
B. SendReports yes
C. Selector dkim1
D. OversignHeaders From
E. KeyTable /etc/opendkim/KeyTable
F. SigningTable refile:/etc/opendkim/SigningTable
G. InternalHosts refile:/etc/opendkim/TrustedHosts

4.2 Typical values in KeyTable file

dkim1._domainkey.mta5.uits.uconn.edu mta5.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private

4.3 Typical values in SigningTable file

*@uconn.edu dkim1._domainkey.mta5.uits.uconn.edu
*@mta5.uits.uconn.edu dkim1._domainkey.mta5.uits.uconn.edu

4.4 Typical values in TrustedHosts file

127.0.0.1
appmail.uconn.edu
10.0.0.0/8

Note: Make sure “127.0.0.1” is always the first entry in the file.
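The three tables only work together if the SigningTable pattern that matches the “From:” address points at a KeyTable name that exists, and that name carries the domain, selector and key path the DNS record was made for. The script below is an added example that imitates, in simplified form, how opendkim resolves these tables; it is not opendkim’s code. It assumes refile: semantics where “*” matches any text and the first matching SigningTable line wins, treats hostnames in TrustedHosts as exact (case-insensitive) matches, and uses copies of the three table files from the text as its input.

```python
import ipaddress
import re

# Copies of the three opendkim tables from the text above, used as sample input.
KEY_TABLE = """
dkim1._domainkey.mta5.uits.uconn.edu mta5.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private
"""
SIGNING_TABLE = """
*@uconn.edu dkim1._domainkey.mta5.uits.uconn.edu
*@mta5.uits.uconn.edu dkim1._domainkey.mta5.uits.uconn.edu
"""
TRUSTED_HOSTS = """
127.0.0.1
appmail.uconn.edu
10.0.0.0/8
"""

def _entries(table_text):
    """Yield non-empty, non-comment lines of a table file as lists of whitespace-separated fields."""
    for line in table_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def load_key_table(text):
    """KeyTable: <name> <domain>:<selector>:<private key path>."""
    table = {}
    for name, spec in _entries(text):
        domain, selector, path = spec.split(":", 2)
        table[name] = {"domain": domain, "selector": selector, "key_path": path}
    return table

def load_signing_table(text):
    """refile: SigningTable: <pattern with * wildcards> <KeyTable name>, kept in file order."""
    rules = []
    for pattern, key_name in _entries(text):
        # Simplified refile semantics (assumption): "*" matches anything, match is case-insensitive.
        regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
        rules.append((re.compile(regex), key_name))
    return rules

def resolve_signing_key(from_addr, signing_rules, key_table):
    """Return the KeyTable entry the signer would use for this From: address, or None."""
    addr = from_addr.strip().lower()
    for regex, key_name in signing_rules:
        if regex.match(addr):
            # None here means the SigningTable points at a KeyTable name that does not exist.
            return key_table.get(key_name)
    return None

def is_internal_host(client, trusted_text):
    """True if the connecting host (IP address or hostname) is listed in InternalHosts/TrustedHosts."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        ip = None
    for (entry,) in _entries(trusted_text):
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass    # entry is a hostname, not an address or CIDR block
        elif entry.lower() == client.lower():
            return True    # exact hostname match only (simplification)
    return False

def key_table_name_mismatches(key_table):
    """KeyTable names that do not follow the <selector>._domainkey.<domain> convention of the DNS record."""
    return [name for name, e in key_table.items()
            if name != "%s._domainkey.%s" % (e["selector"], e["domain"])]

if __name__ == "__main__":
    kt = load_key_table(KEY_TABLE)
    st = load_signing_table(SIGNING_TABLE)
    for addr in ("alice@uconn.edu", "root@mta5.uits.uconn.edu", "bob@example.com"):
        print(addr, "->", resolve_signing_key(addr, st, kt))
    print("10.20.30.40 internal:", is_internal_host("10.20.30.40", TRUSTED_HOSTS))
    print("name mismatches:", key_table_name_mismatches(kt) or "none")
```

A message is only signed when both checks succeed: the client is an internal host and the From: address resolves to a key. If resolve_signing_key returns None for an address you expected to be signed, compare the SigningTable pattern against the full address, including any subdomain in it.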

SECTION E :

5. Configure Postfix to use DKIM to sign emails

Edit the Postfix configuration file main.cf to allow signing of emails by adding the following parameters

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6

Restart Postfix to use the new configuration [This command will vary based on version of your OS]

SECTION F :

6. Verify emails processed by server have a DKIM-Signature header added and can be verified

A. send an email through the newly configured server

echo "this will go into the body of the mail." | mail -s "Hello world" root@mta5.uits.uconn.edu

B. look at the Postfix log file, typically “/var/log/maillog”, to verify the email was signed

Dec 14 10:33:27 mta5 opendkim[5416]: 0E41D3000391: DKIM-Signature field added (s=dkim1, d=mta5.uits.uconn.edu)

C. look at the email’s headers to verify there is a “DKIM-Signature” header field added

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta5.uits.uconn.edu;
        s=dkim1; t=1544801607; r=y;
        bh=SSBICVxwp3IzJb38XR6yHMNPITAkkJPS9XkP0HREH5g=;
        h=Date:To:Subject:From:From;
        b=mhGhO80xvbDloOKEW8ZnTv7lC+/Jh9ru3mqmDQnVt9z8wRpejRbjArqAqetl7Q6M3
         HkoEs/y50QnZw1FGO21Vsts+6qDHsWXJcjJ109TTvB8cpv0gOlwtYv1zn3b0FxSWcr
         rUY0JYPCi1mL+Fr2sbtYj6pm9wtVUAu7NeIHRgmQ=
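The “h=Date:To:Subject:From:From” tag is where the OversignHeaders setting from section D shows up: From is listed twice although the message carries it once. A verifier walks the “h=” list and, for each name, takes the last not-yet-used instance of that header from the bottom of the header block (RFC 6376 section 5.4.2); a name with no instance left contributes nothing. The script below is an added example, not from this document or from opendkim, that implements that selection together with the “relaxed” header canonicalization and shows the effect: with From oversigned, a second From prepended to the message changes the signed content, while a second Subject (signed once) does not. The message headers are constructed, the signature value is the one from the text with its “b=” shortened, and the script compares the canonicalized header blocks rather than computing the real DKIM hash, which would also need the DKIM-Signature field itself and the key.

```python
import re

# DKIM-Signature value as shown above (line-folded), with the b= value shortened.
SIGNATURE_VALUE = """v=1; a=rsa-sha256; c=relaxed/simple; d=mta5.uits.uconn.edu;
 s=dkim1; t=1544801607; r=y; bh=SSBICVxwp3IzJb38XR6yHMNPITAkkJPS9XkP0HREH5g=;
 h=Date:To:Subject:From:From; b=mhGhO80x...gmQ="""

# Constructed header block of the signed message, top to bottom, as (name, value) pairs.
ORIGINAL_HEADERS = [
    ("Date", "Fri, 14 Dec 2018 10:33:27 -0500"),
    ("From", "root@mta5.uits.uconn.edu"),
    ("To", "root@mta5.uits.uconn.edu"),
    ("Subject", "Hello world"),
]

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, ignoring folding whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def relaxed_canonical(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization: lowercase name, unfold, collapse WSP, strip."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"

def select_signed_headers(headers, h_tag):
    """For each name in h=, take the last not-yet-used instance (bottom-up); skip names with none left."""
    remaining = list(headers)
    selected = []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append(remaining.pop(i))
                break
    return selected

def signed_header_block(headers, h_tag):
    """The canonicalized header text that the signature covers, in h= order."""
    return "".join(relaxed_canonical(n, v) for n, v in select_signed_headers(headers, h_tag))

def added_header_breaks_signature(headers, h_tag, extra_name, extra_value):
    """True if a header prepended after signing changes what the signature covers."""
    modified = [(extra_name, extra_value)] + list(headers)
    return signed_header_block(modified, h_tag) != signed_header_block(headers, h_tag)

if __name__ == "__main__":
    h = parse_tags(SIGNATURE_VALUE)["h"]
    print("h= tag:", h)
    print(signed_header_block(ORIGINAL_HEADERS, h))
    print("second From detected:",
          added_header_breaks_signature(ORIGINAL_HEADERS, h, "From", "someone@example.test"))
    print("second Subject detected:",
          added_header_breaks_signature(ORIGINAL_HEADERS, h, "Subject", "Something else"))
```

The second result is why OversignHeaders is normally set at least for From: a header signed only as many times as it occurs can be duplicated above the original without touching the signed content, because the verifier keeps selecting the original (bottom-most) instance. Listing it once more closes that gap.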

SECTION G :

7. Verify emails pass verification

A. look at the email’s headers and verify that signed emails passed verification. Typically this is in the “Authentication-Results” header field

Authentication-Results: spf=none (sender IP is 137.99.25.249)
smtp.mailfrom=mta5.uits.uconn.edu; uconn.mail.onmicrosoft.com; dkim=pass
(signature was verified)
header.d=mta5.uits.uconn.edu;uconn.mail.onmicrosoft.com; dmarc=bestguesspass
action=none header.from=mta5.uits.uconn.edu;compauth=pass reason=109

B. look at the Postfix log file, typically “/var/log/maillog”, to check that emails not signed by this server are verified

Dec 14 13:37:27 mta4 opendkim[5108]: 5719F18060A5: DKIM verification successful
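Reading “dkim=pass” in an Authentication-Results header is not quite enough: the header can carry one result per signature, comments in parentheses, and (as in the Microsoft-style value above) several authserv-id segments mixed in, and what matters is that the pass belongs to the domain you signed for. The parser below is an added example, not part of this document or of any mail product; it takes the Authentication-Results value from the text, re-joined from its folded lines, plus a constructed RFC 8601-style value from a hypothetical verifier, and reports every dkim result with its “header.d” domain.

```python
import re

# Authentication-Results value from the text above, re-joined from its folded lines.
AR_FROM_TEXT = (
    "spf=none (sender IP is 137.99.25.249) smtp.mailfrom=mta5.uits.uconn.edu; "
    "uconn.mail.onmicrosoft.com; dkim=pass (signature was verified) "
    "header.d=mta5.uits.uconn.edu;uconn.mail.onmicrosoft.com; dmarc=bestguesspass "
    "action=none header.from=mta5.uits.uconn.edu;compauth=pass reason=109"
)

# Constructed RFC 8601-style value from a hypothetical verifier "mx.example.test".
AR_RFC_STYLE = (
    "mx.example.test; dkim=fail (bad signature) header.d=example.test header.s=dkim1; "
    "spf=pass smtp.mailfrom=example.test"
)

METHOD_RE = re.compile(r"^([A-Za-z0-9-]+)=([A-Za-z0-9-]+)$")

def parse_authentication_results(value):
    """Return a list of {"method", "result", "<ptype>.<property>": value} dicts in header order.

    Segments that are an authserv-id (no method=result) are skipped.
    """
    entries = []
    stripped = re.sub(r"\([^)]*\)", " ", value)  # drop comments such as "(signature was verified)"
    for segment in stripped.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        m = METHOD_RE.match(tokens[0])
        if not m:
            continue    # e.g. "uconn.mail.onmicrosoft.com" or "mx.example.test"
        entry = {"method": m.group(1).lower(), "result": m.group(2).lower()}
        for tok in tokens[1:]:
            name, sep, val = tok.partition("=")
            if sep:
                entry[name.lower()] = val
        entries.append(entry)
    return entries

def dkim_verdicts(value):
    """[(result, signing domain), ...], one per dkim= entry the verifier recorded."""
    return [(e["result"], e.get("header.d"))
            for e in parse_authentication_results(value) if e["method"] == "dkim"]

def dkim_passes_for(value, expected_domain):
    """True only if some signature passed AND its d= domain is the one this server signs with."""
    return any(result == "pass" and domain is not None and domain.lower() == expected_domain.lower()
               for result, domain in dkim_verdicts(value))

if __name__ == "__main__":
    for label, value in (("from text", AR_FROM_TEXT), ("constructed", AR_RFC_STYLE)):
        print(label, dkim_verdicts(value),
              "ok for mta5.uits.uconn.edu:", dkim_passes_for(value, "mta5.uits.uconn.edu"))
```

When checking a large mailbox, run dkim_passes_for over every message with the d= domain from your KeyTable; a mix of pass and fail for the same domain usually means a relay is modifying signed headers or the body after signing, whereas fails only from other domains are not this server’s problem.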