[How-to] Enable SPF, DKIM, DMARC on FreePBX
This document explains how to enable SPF, DKIM and DMARC email validation on a FreePBX system.
Prerequisites
It is beyond the scope of this document to explain what SPF, DKIM and DMARC are. There are hundreds of online resources that do a far better job of this than the author possibly could.
Assumptions
You are running the FreePBX Distro
Your PBX has a routable IP
There are ways around this, you can totally send mail without one, but RDNS can get interesting this way. It also usually implies your behind someone else's NAT, and getting any of the big ISPs to publish RDNS can be fun
You are sending mail from FreePBX
not through another SMTP relay - particularly if you are just sending through a gmail account, they take care of most of this for you
You have set up DNS and RDNS (RDNS is critical for SPF)
SPF Setup
No on-system config is necessary, assuming you have set DNS and RDNS appropriately, add an a: record to your existing SPF. i.e.
Sample SPF Record
mydomain.com. TXT "v=spf1 a:freepbx.mydomain.com include:_spf.google.com ~all" |
In my case, I use google domain apps for most of my email.
Important Note: if you send email for this domain from other sources, you must set up SPF for them as well. If you publish an incomplete SPF record, mail from other sources can/will be marked as spam.
DKIM Setup
For this step, on-system config is necessary, and you will need command line access.
Â
1.) Install OpenDKIM:
# yum install opendkim |
2.) Generate the DKIM key. mydomain is your domain, myselector is an alpha-numeric string of your choice, I used "freepbx" for clarity with my configuration.
# cd /etc/opendkim/keys
Â
# opendkim-genkey -d mydomain.com -s myselector
Â
# chown opendkim:opendkim myselector.private |
3.) Edit the OpenDKIM configuration file (/etc/opendkim.conf)
Â
CHANGES to /etc/opendkim.conf
4.) Edit the Postfix configuration file (/etc/postfix/main.cf)
The socket configuration is a carry over from the above configuration file. If for some reason you made a change to it there, be sure to reflect that change here as well. These directives get added to the end of the existing file.
Â
ADDITIONS to /etc/postfix/main.cf
5.) Add the DKIM DNS record.
Your life will be better if you add the DNS TXT record before sending your first test, as most mail services cache their lookups for a good while, and having to wait for a re-read can be frustrating.
The full record can be found in:
It's an exercise for the reader to understand how to update their DNS records, reload and propagate them. You can check that it is in there with something like:
6.) Start and enable OpenDKIM, restart Postfix:
7.) Check that is works
To ensure that OpenDKIM has started correctly, look for a line like this in /var/log/maillog:
To ensure that OpenDKIM is signing messages, look for a line like this in /var/log/maillog:
If it works, and you have gmail, clicking on "show original" will give you the SPF / DKIM / DMARC results. A "good" result looks something like this, pardon the redactions.
Â
DMARC Setup
This document doesn't really touch on how this bit works - there are too many much better resources out there that do a far better job than I could, and it does not require anything done on the FreePBX system itself. The most useful bit of DMARC is the reporting feature - there are lots of services out there that can help out with this and make sure that you did all of the above correctly - and also find other places in your mail chain that you may have missed.