#hacking #freesoftware #gnulinux – as always check the wiki for the latest tutorial
This tutorial is a bit simpler than the last one. I finally got tired of my email triggering recipients SPAM filters, and worse, I was sometimes flagged by other tech colleagues’ services because of my domains lacking these records. After a bit of searching online, I found that for spf records, you need to specify your MX handler and any servers you use to send from on behalf of that domain. In my case, I use a GSuite for my email and a Digital Ocean VPS for one of my external servers. I went to my DNS host at afraid.org and entered a TXT record parsed as follows:
v=spf1 a mx include:_spf.google.com mx:smtp.haacksnetworking.com ~all
The ”~all” flag informs recipients that they should reject emails from any sender besides those whose TXT record this was entered on behalf of, specifically, ”haacksnetworking.com”. As for DKIM, since I use Google, I had to first generate an DKIM key on the GSuite side of things. To get there, navigate to:
Apps > GSuite > Settings for Gmail > Authenticate email
Once you found it, simply generate a record. After that, return to your DNS host and enter the TXT record. I use afraid.org so it looks something like the image below. Afraid.org barfed at the string length, but was nice enough to parse the string length to a size that Josh finds preferable (despite the spec permitting the length Google uses):
Of course, all of this is simply an exercise at shooting at the dark unless you validate it all. Of course, sending emails to your friends and asking them if it got tagged as SPAM is pretty ineffective, so I hunted online and found the DKIM Validator which validates both exchanges.
[Update: Added DMARC]
Okay, now that you have both an SPF record and DKIM record you can optionally set up another TXT record for DMARC. This will tell the recipient that there is an SPF/DKIM record in place and who to contact in cases of violation. The destination was parsed as follows:
"v=DMARC1; p=quarantine; pct=100; rua=mailto:user@domain.com"
On afraid .org, this looks like:
Later: I will include how to create your own DKIM key/record pair for your own self-hosted mail server.
— //[[oemb1905@jonathanhaack.com|oemb1905]] 2019/08/12 17:34//
Nice one, Jonathan. If you haven’t tried it, https://mail-tester.com is a very handy way of checking whether you’ve got it right… managed to get a 10/10 for my recent mailcow implementation…
I’ll check that too! Dkim validator gave me flying colors – curious to see what this gives. Stuck at ER getting son some stitches for now! ;0
Just tried from phone in room at hospital – 9/10 but the only thing flagged was SORBS flagged Google’s IP! LOL