Email security/verifications - SPF, DKIM, DMARC

Discussion in 'ISPConfig 3 Priority Support' started by smokinjo, Jun 28, 2020.

  1. smokinjo

    smokinjo Member HowtoForge Supporter

    I had someone help me a year ago or so make my email more secure with SPF and DKIM settings.
    It turns out that ISPConfig can do these and DMarc.

    I want to set this up on my server in order to get all three done right, and get them all done.
    I read over a variety of documentation and forum threads, and I even tried it on one of my rarely visited domains.

    To start off, when I created a new DNS zone, I chose the DKIM option (it was not uncheckable, so it was done). I also added the DNSSEC option, which seems to add an extra layer of protection.

    SPF was automatically added. Nothing to do for that. Great.
    The second step was to work on DKIM.
    According to what I read, when creating the DNS zone and selecting DKIM, the public and private keys are both automatically created. I am not sure how to verify this.
    Not knowing much more, I just clicked on the DKIM option in the DNS records section. It asks for the public key and a DKIM selector.
    Do I need to bother adding a DKIM record? Is it already set up (since it was selected)?

    I read that DMARC can be done after SPF and DKIM are set up. I will ask this question once I know that I am doing the SPF and DKIM right.

  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you have as maildomain and as DNS zone, go to the mail domain and enable DKIM. The records will be added to the zone. If you enable DNSSEC, you have to enter your keys at your registrar, otherwise your zone will become unresolvable. What is the data of your current SPF record?
  3. smokinjo

    smokinjo Member HowtoForge Supporter

    I found the DKIM under the email/domain section, and generating the keys was pretty easy.
    It even populated the info under the DNS zone record.

    As for the SPF record, it is entered under a TXT entry, and says:
    v=spf1 mx a ~all
    Does this look right?

    Also, I have my name servers with Cloudflare, where my records are entered for now (A, MX, etc...). I should remove them, I presume, so I do not have two places with the same DNS info?


  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You cannot have DNS at Cloudflare and in ISPConfig. You must either remove the DNS records in ISPConfig when you use Cloudflare DNS and add the SPF and DKIM records in Cloudflare instead, or remove the Cloudflare DNS, but then you should have two ISPConfig servers, one as primary and one as secondary DNS. So using Cloudflare DNS and removing the records in ISPConfig is probably easier for you.
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is good, it tells the receiver that your mailserver and your webserver can send mail for your domain. If a rogue server tries to send with your domain, the ~ tells the receiving server that it should go in the spambox. I would suggest changing ~ to -, this tells the receiving server that all email that's not from the addresses you designated should be rejected.

    If you have your name servers with Cloudflare, and you remove the records, DNS requests still go to Cloudflare. If you want to use ISPConfig for DNS, you need a secondary nameserver. And, as said before, if you enable DNSSEC, the DNSSEC keys have to be entered at your registry, otherwise your zone will be unresolvable.

    If you don't have a secondary nameserver, I would suggest keeping Cloudflare for your nameservers and adding your DKIM and SPF records there.

    EDIT: Till's answer states this as well. I was already writing this so I didn't see his reply :)

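The difference between `~all` and `-all` that Th0m describes above, and the way the `mx` and `a` mechanisms in `v=spf1 mx a ~all` are expanded, can be seen by evaluating the record the way a receiving server does. The following is an added example, not code from the thread or from ISPConfig; it uses a constructed in-memory DNS table (hypothetical `example.com` hosts and IPs) instead of live lookups and handles only the `a`, `mx`, `ip4` and `all` terms.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical names and IPs, not real lookups).
FAKE_DNS = {
    "example.com": {"A": ["203.0.113.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])


def _ips_for(mechanism, domain):
    """Expand 'a' (the domain's A records) or 'mx' (A records of its MX hosts)."""
    if mechanism == "a":
        return _lookup(domain, "A")
    if mechanism == "mx":
        return [ip for host in _lookup(domain, "MX") for ip in _lookup(host, "A")]
    return []


def check_spf(record, domain, sender_ip):
    """Return the SPF result (pass/fail/softfail/neutral/permerror) for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means '+'
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qualifier]  # '~all' -> softfail, '-all' -> fail
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = str(ip) in _ips_for(name, arg or domain)
        else:
            return "permerror"  # mechanism not supported by this demo
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # no 'all' term: default result per RFC 7208
```

With the constructed table, mail from the MX host passes under both records, while an unlisted sender gets `softfail` under `~all` and `fail` under `-all`.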