EDIT 17-February-2016: Please DO NOT use these instructions to configure your server for SPF and DKIM. Bytemark Symbiosis now supports this out of the box - please see the following documentation for more information:
I’ve been setting up a new phpBB forum for my homebrew club (LAB) over the last week or so and one of the main problems I found was that all the emails from the forum were going straight to spam in email services such as Gmail. Not very useful when that’s one of the first forms of interaction with the user (activating their account via email).
Thankfully there are ways to make your emails less spammy (that I never knew about until earlier this week): SPF (Sender Policy Framework), for letting email recipients know which servers/domains are valid sources of email for your domains; and DKIM (DomainKeys Identified Mail), for signing emails sent from your servers using public/private key pairs. These two techniques combined should stop emails being sent to spam automatically (it worked for me, but YMMV).
I run the LAB site on a Bytemark VM using their Symbiosis server set-up. This is basically Debian Linux with a bunch of (automatic) scripts to make setting up new domains, DNS and email as simple as possible - I really like this as it lets me not have to care too much about this stuff. But, out of the box, the emails are not set up with SPF or signed via DKIM - this is in their feature backlog, but it’s not in place yet. So… here are the quick potted notes of how I set this up for the domains on my server and the sites that I got the information from.
NOTE: This is for a single Bytemark Symbiosis VM running multiple sites handling everything - DNS, email, web server etc. using the stock Symbiosis setup (I’ve not modified any of the base system).
The first (and simplest) thing to set up was SPF, as this is achieved by adding a DNS entry that states where emails for this domain name can be sent from.
All this involved was adding the following line to the bottom of the tinydns configuration file for my domain
This says that email is only allowed to be sent from the mx. subdomain - exactly what I want. This line was generated by the SPF tool on http://anders.com/projects/sysadmin/djbdnsRecordBuilder/#SPF by simply entering the following information:
- SPF Rules: v=spf1 mx -all
- Time to Live:
I then forced the DNS entry to be propagated to Bytemark’s DNS servers with the following command (or you could just wait 15 minutes for it to happen automatically):
Finally, I used http://tools.bevhost.com/spf/ to verify that SPF was set up correctly for the domain.
Next up was the slightly more complicated DKIM. This involves DNS additions and signing outgoing emails with public/private key pairs. I take no credit whatsoever for solving this one - I knocked together the information from the various different sources in the references section below.
So, first up, we need to generate the keys using openssl, move them to the right location, and ensure they have the right permissions:
Now we have to copy the public key info into DNS. This involves inserting the following line into the tinydns configuration file (below the SPF entry), and pasting in YOUR public key just after the
Again, I then forced a DNS update to take place:
Finally, we have to tell Exim (the mail transport agent on Symbiosis servers) to sign emails with this key…
First, create a file called /etc/exim4/dkim_senders and add in the following content (one line for each domain you wish to send signed emails from):
Now to edit /etc/exim4/symbiosis.d/20-routers/10-dnslookup to look like this:
```
dnslookup:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more
```
Then edit /etc/exim4/symbiosis.d/30-transports/10-remote-smtp to look like this:
Now run the following commands to copy these config changes across and restart Exim:
That should be about it; now all you have to do is test it out using this tool.
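For the two DNS steps above (the SPF entry and the DKIM public-key entry), here is an added example, not the author's own lines or the record builder's output, that builds tinydns-data TXT lines from an SPF rule and a PEM public key. The domain example.org, the selector mail, the TTL of 3600 and the ip4 rule (included only to show colon escaping, which goes beyond the page's own rule) are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build tinydns-data TXT lines for SPF and DKIM.
# A TXT line has the form  'fqdn:text:ttl  and ':' separates the fields,
# so a literal ':' or '\' inside the text is written as an octal escape.

tinydns_escape() {
    # Backslashes first, so the escapes added for ':' are not re-escaped.
    printf '%s' "$1" | sed -e 's/\\/\\134/g' -e 's/:/\\072/g'
}

txt_line() {    # txt_line FQDN TEXT TTL
    printf "'%s:%s:%s\n" "$1" "$(tinydns_escape "$2")" "$3"
}

spf_line() {    # spf_line DOMAIN RULES TTL
    case "$2" in
        "v=spf1 "*) txt_line "$1" "$2" "$3" ;;
        *) echo "SPF rules must start with 'v=spf1 '" >&2; return 1 ;;
    esac
}

dkim_line() {   # dkim_line SELECTOR DOMAIN PUBLIC_KEY_PEM TTL
    # Refuse a private key: only the public half belongs in DNS.
    if grep -q 'PRIVATE KEY' "$3"; then
        echo "$3 is a private key, not publishing it" >&2
        return 1
    fi
    # Drop the PEM armour lines and join the base64 body into one string.
    key=$(grep -v '^-----' "$3" | tr -d ' \r\n')
    if [ -z "$key" ]; then
        echo "no key data found in $3" >&2
        return 1
    fi
    txt_line "$1._domainkey.$2" "v=DKIM1; k=rsa; p=$key" "$4"
}

# Constructed sample input: a placeholder PEM body, not a real key.
pem=$(mktemp)
cat > "$pem" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBconstructedSAMPLE+/line1
notARealKeyLine2AB==
-----END PUBLIC KEY-----
EOF
spf_line example.org "v=spf1 mx -all" 3600                 # the page's rule
spf_line example.org "v=spf1 mx ip4:192.0.2.10 -all" 3600  # ':' gets escaped
dkim_line mail example.org "$pem" 3600   # 'mail' is a hypothetical selector
rm -f "$pem"
```

The private-key check is there because the key pair sits side by side on disk and only the public half should ever reach the zone file.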
- Bytemark Symbiosis docs: http://symbiosis.bytemark.co.uk/docs/symbiosis.html
- SPF Website: http://www.openspf.org/
- TinyDNS SPF Record Builder: http://anders.com/projects/sysadmin/djbdnsRecordBuilder/#SPF
- SPF Test: http://tools.bevhost.com/spf/
- DKIM Proposal: http://www.ietf.org/rfc/rfc4871.txt
- Using DKIM in Exim: http://subhrajitnandy.wordpress.com/using-dkim-in-exim/
- Using DKIM in Exim: http://www.debian-administration.org/users/lee/weblog/41
- DKIM Test: http://www.appmaildev.com/en/dkim/