What the hell is DKIM and SPF • November 7, 2017
Tags: Mailserver | Configuration
DKIM (DomainKeys Identified Mail) is a technique for authenticating emails.

Since I have been dealing with mail servers for some time and my goal is to build a stable mail server cluster, it was time to deal with email security. So also with DKIM and SPF.

In the following my experiences on the topic and a factual explanation as possible :)

When sending mails from the mail server, a DKIM header signature is added, which must match the corresponding domain.

The receiving mail server checks whether the signature of the DKIM header of the mail matches the public key that is stored in the domain's DNS zone as a TXT entry. If these do not match, the mail is displayed to the user as spam or is not accepted at all.

DKIM as a digital signature can therefore be compared to a signature on a letter. The aim of the DKIM process is to filter dubious emails (spam, fishing emails) and thus prevent possible criminal projects.

The following command can be used to create a DKIM key pair for signing e-mails:

opendkim-genkey -d example.org -b 4096 -r -s mail

The options -r and -s stand for "restricted", which means that the key pair may only be used for signing mails, and "selector", which corresponds to the name of the corresponding subdomain.

Example of a DNS entry with the public key:

Name:         mail._domainkey.example.org
Type:         TXT
Content:      v=DKIM1; k=rsa;

SPF (Sender Policy Framework) is basically a little easier to explain.

It is a technique that helps to only receive emails that come from a system, approved for the domain of the sender address.

If SPF is activated on the receiving mail server, it checks the DNS zone of the sender's domain for an SPF TXT record.

SPF thus prevents the forgery of sender addresses and thus effectively combats the misuse of addresses for spam mails.

Example for an SPF DNS record:

Name:       @
Type:       TXT
Content:    v=spf1 mx ip4: a:test.example.org -all

In this case, all servers that are registered as mail servers (MX) of the domain are authorized to send mails for the corresponding domain.

Furthermore, the IPv4 address and the server named test.example.org are authorized to send.

All other senders are not authorized.

I hope that short explanation has helped someone who is also dealing with mail servers and cares about security.