Project

General

Profile

SPF DKIM and DMARC Configuration in viapps HowTo

Introduction

In this HowTo we'll see how to configure a smtpgw flavour in viapps to be able to digitally sign outgoing emails.
You'll need to deploy at least a viapps smtp gw version 1.3.1-6 to create the smtp outgoing email.
It is also recommended to install viapps dns to configure the related dns records and access to the mailbox of a
user in the domain we are configuring for testing porpouses.

Creating a SPF dns record in viapps DNS

From openSPF Introduction :

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender 
address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects
the envelope sender address, which is used for the delivery of messages. See the box on the right for a
quick explanation of the different types of sender addresses in e-mails.

To create a SPF record you can use a public Spf wizard or do it manually.
You can skip this section if you already have it configured for your domain.

The SPF record for our example domain:

Now go to the dns flavour and add a new register in your zone:

Apply changes and let the record replicate.

Configure the smtp as a gateway

'''You can skip this section if you already configured your smtp'''

After you deploy your smtp appliance go tho the menu Setup to configure it for the first time:

Configure the outgoing domain that will be used by your smtpgw by default. Also let's configure this appliance to send
emails directly and listen only to the service ip.

Just clic on save and next for the next screens or configure them to suit your needs:

save and next:

save and next:

save and next:

All should be done. Apply changes and test .

At this point is very important to test that your smtp is working correctly and that you can send mails through it. Don't try to
sign the emails with dkim until the smtp is working properly.

Create DKIM keys in the CMI

DKIM keys must be created in the cmi cmdb where it will be stored and accessible from all your smtpgw viapps appliances.

Go to the menu >CMDB>CMDB DKIM:

Clic on add new to configure the dkim keys for your domain:

Insert the domain you are sending mails with and a selector keyword that will be used to identify both the private key
used to sign your mail and the register in the dns containing the public key for your domain. The 2048bits key length
is a good default value and the recommended.

After the keys creation they are available in the cmdb. Click on Public key to view the key and the dkim record that we will
create in the dns:

Copy the content between the parenthesis and save it for later:

No you should create a TXT record in your dns publishing your public dkim key. Go to viapps dns and add a new TXT record
in your domain zone:

Again, it could take time for this changes to spread across internet. They won't be used until you start signing mails with dkim.

Configuring DKIM in viapps smtpgw.

Go to the menu >Configuration>Configuration smtp:

and then click on the DKIM button to configure dkim for this gateway. The enable button will allow you to select the
keys from the cmdb for your domain and will configure the smtp to sign your mails.

Select the desired key and clic on accept. From this moment all the mails sent from this server with the domain
@viappsenterprise.com will be signed.

Testing SPF and DKIM.

You can verify dkim in many ways.

Just send a mail to an known address. If you review your mail logs you'll want to see something like this:

Sep  1 13:30:27 dkim-7.viappslabs.org opendkim[3605]: BD5B860378: DKIM-Signature field added (s=mail, d=viappsenterprise.com)

This indicates that our mail was signed with the correct key. Now review the inbox where the mail was address and check the headers.
You want to see something like this:

smtp.mailfrom=
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=viappsenterprise.com; s=mail; t=1472729427; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=Date:From:To:Subject; b=ZHpDqjZWon0J7vq9lvJ+wZ2wdHsIIwdjrW3gZ4IJp9qAO2tk7Fk5K/SUfHnYDs3/h iCgpCaEhVChtcx0ldp5GSizSbiIj4cuRacBI7RDMSFwl7KFTiRuKk5t7Z15UKlOSxO BajpbHyhg9lwu7cz2/VF+1WVftZvpYp5RlflvsCp3Pd/uCNV5uxdL9uaLVIj3aP5uB AIhXVoIfzE2oSq01R1GIxg/2tQ0me1LQfH1xmgO3d48KCXiP/23RXmQFaq35c/D0Wv rELxGYgYiX+QuVPx8qv6qZ7njpuA0X8+gYH4+IyOZ2T2KyA7CJPRCMnuowyMokoVkz EKg4ZjnK5P7NA==
Return-Path: <>

Another way is to send a mail to and check your inbox to receive a report of your mail:

The Port25 Solutions, Inc. team
 ==========================================================
Summary of Results ==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

Creating a DMARC record in viapps DNS

When all of the last test worked you can move to configure DMARC to let know the receivers
what to do with emails from your@domain that do not comply with either spf or dkim.

Use a online service to create your dmarc record. Test for a while with policy=none until you are confortable to ensure
you are not loosing emails because of a misconfiguration.

We used in this example: DMARC Record Assistant

And publish the _dmarc.viappsenterprise.com TXT record in your dns:

Again use publish services to test your dmarc record is visible: tester:https://www.unlocktheinbox.com/dnstools/spf/_dmarc.unlocktheinbox.com/
when is the record is spread across main dns in internet test the whole solution.

Testing the whole installation

Use a service like the one in the next image to test the healt of your emails (3 free tests a day)