This is an old revision of the document!
- spfdkim
- Jonathan Haack
- Haack's Networking
- netcmnd@jonathanhaack.com
#hacking #freesoftware #gnulinux
I finally got tired of my email triggering recipients SPAM filters, and worse, I was sometimes flagged by other tech colleagues' services because of my domains lacking these records. After a bit of searching online, I found that for spf records, you need to specify your MX handler and any servers you use to send from on behalf of that domain. In my case, I use a GSuite for my email and a Digital Ocean VPS for one of my external servers. I went to my DNS host at afraid.org and entered a TXT record parsed as follows:
v=spf1 a mx include:_spf.google.com mx:smtp.haacksnetworking.com ~all
The ~all flag informs recipients that they should reject emails from any sender besides those whose TXT record this was entered on behalf of, specifically, haacksnetworking.com. As for DKIM, since I use Google, I had to first generate an DKIM key on the GSuite side of things. To get there, navigate to:
Apps > GSuite > Settings for Gmail > Authenticate email
Once you found it, simply generate a record. After that, return to your DNS host and enter the TXT record. I use afraid.org so it looks something like the image below. Afraid.org barfed at the string length, but was nice enough to parse the string length to a size that Josh finds preferable (despite the spec permitting the length Google uses):
Of course, all of this is simply an exercise at shooting at the dark unless you validate it all. Of course, sending emails to your friends and asking them if it got tagged as SPAM is pretty ineffective, so I hunted online and found the DKIM Validator which validates both exchanges.
[Update: Added DMARC]
Okay, now that you have both an SPF record and DKIM record you can optionally set up another TXT record for DMARC. This will tell the recipient that there is an SPF/DKIM record in place and who to contact in cases of violation. The destination was parsed as follows:
v=DMARC1; p=none; pct=100; rua=mailto:user@domain.com
On afraid .org, this looks like:
A big thanks to this hacker for finally providing a sensible tutorial to riff off of: Stavros' Stuff. Also, thanks to this hacker Linuxbabe for her tutorial.
— oemb1905 2019/12/30 02:13
