
 Guide - How to setup DKIM and SPF with Exim (34 Replies, Read 9546091 times)
myleene
Group: Member
Post Group: Newbie
Posts: 4
Status:
Applies to:
- Webuzo 2.3.4
- CentOS 6.5 64-bit
- Exim 4.72
- A dedicated server having its own IP
(*) It should work for different setups with minor adjustments.


Detail: I couldn't find a guide detailing steps to do it and had to spend 2-3 hours on how to do it. I didn't even know what "DKIM" or "SPF" meant before my email started being rejected by GMail and I stopped receiving emails from my WordPress without me changing anything.

Please note that I'm a novice in Linux and that there may surely be an easier method to do this. I'm sharing as I really like Webuzo and I believe it may help others.


Steps:

1) Start an ssh session and go to /etc/exim/
(*) It's not required, but it'll help in the next few steps.

2) Generate a private and public key to sign your messages with openssl:
#openssl genrsa -out dkim.private.key 1024
(*) It works well if you get "Returned error code 0" and you see a file named "dkim.private.key" in that directory.

3) Extract the public key from the private key
#openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM
(*) A new file named "dkim.private.key" will be created in this directory.

4) Open exim.conf to modify it:
Replace:
remote_smtp:
    driver = smtp
With:
remote_smtp:
    driver = smtp
    dkim_domain = ${lc:${domain:$h_from:}}
    dkim_selector = x
    dkim_private_key = /etc/exim/dkim.private.key
    dkim_canon = relaxed
(*) It allows all domains linked to this server to use DKIM and use the private key you just created. If you opt to change "dkim_selector", it'll need to be adjusted in later steps.

5) Restart Exim
(*) I go to "services" in Webuzo, but there are other options.

6) Adjust your DNS settings

6.1) If you don't have an MX record, create one:
Priority: 1
Host: @
Points to: @

6.2) Create a TXT setting specifying your SPF settings:
Host: @
txt value: v=spf1 a mx ip4:999.999.9.99 ip6:9999:9999:99:3a32:: ~all
(*) Adjust to your IPs. It's the only thing required for SPF to work.

6.3) Create a TXT setting specifying your DKIM:
Host: x._domainkey
txt value: v=DKIM1; p=<your public key>
(*) If you changed "dkim_selector" under "Host", "x" will need to be adjusted accordingly.


How to test:
- https://www.dnswatch.info/dkim/create-dns-record
- https://www.mail-tester.com/spf-dkim-check

Then: send an email from this address to an external email and check if both SPF and DKIM are specified correctly in the header. You should see "spf=pass" and "dkim=pass" as well as other configurations depending on which email provider you send to. Hotmail and GMail are both good to confirm these settings.
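
The header check described under "How to test", as an added example that is not part of the original post: it reads the Authentication-Results header of a received message and reports whether SPF passed and whether DKIM passed for the selector set in exim.conf. The sample message is constructed, and the names `auth_results` and `verdict` are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: headers as a receiving provider might add them (not real output).
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com header.s=x header.b=AbCdEfGh;
 spf=pass (receiver.example: domain of wp@example.com designates 192.0.2.10
 as permitted sender) smtp.mailfrom=wp@example.com
From: wp@example.com
Subject: test

body
"""

def auth_results(raw):
    """Return {method: [(result, {property: value}), ...]} from every A-R header."""
    out = {}
    msg = message_from_string(raw)
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop (comments) so they cannot confuse the split.
        text = re.sub(r"\([^()]*\)", " ", " ".join(header.split()))
        for clause in text.split(";")[1:]:  # element 0 is the reporting server's id
            words = clause.split()
            if not words or "=" not in words[0]:
                continue
            method, result = words[0].split("=", 1)
            props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            out.setdefault(method.lower(), []).append((result.lower(), props))
    return out

def verdict(raw, selector):
    """True/False per mechanism; DKIM only counts if it passed for our selector."""
    res = auth_results(raw)
    spf_ok = any(r == "pass" for r, _ in res.get("spf", []))
    dkim_ok = any(r == "pass" and p.get("header.s") == selector
                  for r, p in res.get("dkim", []))
    return {"spf": spf_ok, "dkim": dkim_ok}

if __name__ == "__main__":
    print(verdict(SAMPLE, "x"))
```
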

Guide - How to setup DKIM and SPF with Exim
myleene
Group: Member
Post Group: Newbie
Posts: 4
Status:
I forgot step 7:
7) In Webuzo, go to "Advance DNS Setting" and for the domain you wish to send email from add a txt record exactly as you did in step 6.3.

Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
@myleene thanks for this post.

Some questions:
When you say to put the public key in point 6.3, do I have to download the public key file, open it, and copy and paste into DNS the code between
-----BEGIN PUBLIC KEY-----
and
-----END PUBLIC KEY-----
or should I decode the base64 and then paste it into the DNS record?

And in the DNS record, should it be pasted inside <> or without <>?

Also, if I'm not using Webuzo for DNS records, will it work if I use Cloudflare? Can I do point 6.3 in Cloudflare, where my DNS is hosted, and should I do step 7 in Webuzo even if I'm not using Webuzo's DNS?

Thanks.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
All solved, everything works fine.
Yes, the public key should be copied as it is in the file, between..

and should not be edited, encoded or decoded. Paste it as is.
It is better not to skip step 7.
And no issues with Cloudflare.

Solved.
Works THANKS


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
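
For step 6.3 and the question above about what exactly to paste into DNS, an added example that is not part of any post in this thread: it turns the PEM file from step 3 into the record name and TXT value, and checks a value typed into a DNS panel for the mistakes asked about here (angle brackets, pasted BEGIN/END lines). The sample key is constructed placeholder bytes, and `example.com` and the function names are hypothetical.

```python
import base64
import re

# Constructed placeholder bytes wrapped as PEM so the example runs offline; NOT a real key.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(bytes(range(162))).decode()
              + "-----END PUBLIC KEY-----\n")

def pem_body(pem):
    """Return the base64 between the BEGIN/END lines, joined into a single line."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # raises if the body is not clean base64
    return body

def dkim_record(selector, domain, pem):
    """Return (full record name, TXT value) in the form used in step 6.3."""
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; p={pem_body(pem)}"

def check_txt(txt, pem):
    """Compare a TXT value (as typed into the DNS panel) with the local public key."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    p = tags.get("p", "")
    if "<" in p or ">" in p:
        problems.append("angle brackets left around the key")
    elif "-----" in p:
        problems.append("PEM BEGIN/END lines pasted into p=")
    elif p != pem_body(pem):
        problems.append("p= does not match the local public key")
    return problems

if __name__ == "__main__":
    name, value = dkim_record("x", "example.com", SAMPLE_PEM)
    print(name, value, check_txt(value, SAMPLE_PEM), sep="\n")
```
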

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Quote From : myleene April 26, 2015, 8:12 pm
---------------------------

Hi myleene,

What do you mean by "Host: @" in steps 6.1 & 6.2?
Is that just a symbol, or is it symbolic for a domain?

And for step 7 that you forgot, can you specify the steps in more detail? What is the format of the domain in the input name in Webuzo?

Example: domain.com or info@domain.com?

I have attached my Webuzo settings at the moment; is that correct? I hope someone can review & help.

Thank you. I hope someone else can also help; I'm very frustrated with the DKIM & SPF settings on my Webuzo account.  :cry:   :P

Many thanks



Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi awan89,
in the DNS you need to have MX records to use email.
Do you use email?

Well, so you have to decide whether to use mail.yourserver.ext, for example.
So you need to create an MX record called mail.yourdomain.ext; for "mail handled by", if you manage the email on the same server your domain points to, you can put yourserver.ext. A TTL of maybe 10 is good.

This is in reply to how to do point 6.1.
For 6.2 I suggest using a wizard to create the SPF record.
This one:
http://www.spfwizard.net/
or
google "wizard spf".

To check after some minutes whether it is OK, use this website:
http://www.kitterman.com/spf/validate.html

Also this website, https://www.mail-tester.com/spf-dkim-check, also for testing DKIM.

7 is the same as 6.3, so don't worry about point 7; skip it if you have already done it.
Quote
I forgot step 7:

7) In Webuzo, go to "Advance DNS Setting" and for the domain you
wish to send email from add a txt record exactly as you did in step 6.3.


I can imagine your frustration; it is very hard to set DKIM and SPF in Webuzo as they are not supported by the panel.

Once you have finished everything, test your settings here:
https://www.mail-tester.com/

No need for me to look at your screen to tell whether it is correct or not; you have to test.
Remember, is your domain using DNS on your server?

If your nameserver points to the VPS where Webuzo is installed, it is OK; if not, maybe you have to set up DNS where you have the domain name registered.

From a first check I can't find SPF records in your DNS on ballavata.com



-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Hi People Inside,

Thank you very much for your suggestion & tutorial. I will try it if this one does not work.

Let me describe my case: email from my WordPress site, which was installed by Webuzo, always goes to spam in my Gmail. I looked on the net and found that SPF & DKIM can resolve this problem.

To answer your questions:

1. Yes, I use email. I have set the MX record in my DNS settings at DigitalOcean. I also set the MX record in the Webuzo DNS settings panel. My question is: in which place do I have to set the MX record? In the DigitalOcean DNS management or the Webuzo DNS settings panel? Or both (like I do now)?


2. I set the SPF record on the VPS (TXT record section) like this: "v=spf1 include:baliavata.com ~all". Does it need to be set in both the VPS & Webuzo DNS settings too?

3. I set the DKIM record also on both the VPS DNS settings & the Webuzo panel settings. Is it correct to set it in both of them?

The point is, do I have to set it in the Webuzo DNS settings, or just in the VPS record settings section? :??:   :P

My site is baliavata.com, not ballavata.com.

I have learn about vps & installing them etc a weeks ago, starting day by day in a very, very frustrating mode. Blood pressure is low, no stamina, it is hard. :cry:

Looking forward to your response

Best regards
Awan


Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi awan89,
Yes, your emails go into spam because of SPF and DKIM; also, please use this link to test:
https://www.mail-tester.com/

It's easy and safe: just send an email from your domain email address to the temp address generated on this page, then press the button on the webpage and check the issues.

From your domain records I can see you are using DigitalOcean, so your DNS records will not be read from Webuzo.

You have to work in the DNS at DigitalOcean.
I tried to do the test at this page:

https://www.mail-tester.com/spf-dkim-check

by putting in your domain baliavata.com, and it seems to be good.
Let me check now here:
http://www.kitterman.com/spf/validate.html

Your SPF pass is OK, so please do the test here:
https://www.mail-tester.com/

I cannot do this for you; let me know your score, whether it is 5/6 or 10/10.
You will see all the errors and what to fix.

Emails may also go into Gmail's spam filter if you have only a redirection but no email account created in Webuzo, maybe.

Let me know :)



-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Hi Master - PeopleInside

The result is in the attachment: total score 8.1/10 & got -1,9 from SpamAssassin. Is that OK?

Anyway, how about the DNS settings in the Webuzo panel? Should I delete them?

Thank you for your help
Awan

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Sorry, attachments are not allowed by the forum.



Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
The result

-0.001   BODY_SINGLE_WORD    BODY_SINGLE_WORD
-0.1     DKIM_SIGNED         Message has a DKIM or DK signature, not necessarily valid
         This negative score will become positive if the signature is validated. See immediately below.
0.1      DKIM_VALID          Message has at least one valid DKIM or DK signature
         Great! Your signature is valid
0.1      DKIM_VALID_AU       Message has a valid DKIM or DK signature from author's domain
         Great! Your signature is valid and it's coming from your domain name
-1.985   PYZOR_CHECK         Listed in Pyzor (http://pyzor.sf.net/)
0.001    SPF_HELO_PASS       SPF: HELO matches SPF record
0.001    SPF_PASS            SPF: sender matches SPF record
         Great! Your SPF is valid
0.01     T_RP_MATCHES_RCVD   Envelope sender domain matches handover relay domain

Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Sorry awan89, this does not help me to understand.
Please consider posting a screenshot or, better, open a ticket with a screenshot and the link from the bottom of that test page. You will find the link to share results there.
You can write privately to me at https://supporto.peopleinside.it
or you can try to find me in chat.

The test page gives you a general score; what score did you get, at the top?


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Hi PeopleInside,
The score is 9/10 from the email tester.
So, should I delete all the DNS zone settings in Webuzo, because I have set them in the VPS DNS record settings? Is that right?

Looking forward to hearing from you






Guide - How to setup DKIM and SPF with Exim
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi awan89,
thank you for your reply.

9/10 is a great score, your email is almost perfect.
Maybe you are missing 1 point for what? Maybe it can be an issue with DKIM?
If you want to have 10/10 you should try the test again and maybe share the link of the test, maybe privately, as your email address will be visible at the top of the test.

9/10 is good enough.
I have 10/10 but 9/10 is good.

You can keep the DNS on Webuzo; it will not affect anything. No need to delete it, just know it is not read from the web; the DNS that is read is on Oceano



-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Guide - How to setup DKIM and SPF with Exim
awan89
Group: Member
Post Group: Newbie
Posts: 11
Status:
Hi PeopleInside,

Ahh yes, you are right, my DKIM setting is not detected. It says this:

DomainKeys Identified Mail (DKIM) is a method for associating a domain
name to an email message, thereby allowing a person, role, or
organization to claim some responsibility for the message.

I set DKIM using the method above:

4) Open exim.conf to modify it:
Replace:
remote_smtp:
    driver = smtp
With:
remote_smtp:
    driver = smtp
    dkim_domain = ${lc:${domain:$h_from:}}
    dkim_selector = x
    dkim_private_key = /etc/exim/dkim.private.key
    dkim_canon = relaxed


Questions:

1. dkim_domain = ${lc:${domain:$h_from:}}
  Must the domain (in red) inside that code be changed to my domain?

2.  dkim_selector = x
Do I have to change x to "mail" or something? The same as my email?

Looking forward to getting 10/10  :D
All times are GMT. The time now is March 19, 2024, 9:35 am.
