How to stay out of SPAM folder? Setting up PTR, SPF, DKIM under Exim

Submitted by admin on Sat, 11/11/2017 - 23:39

In the previous article, we covered teaching your Drupal installation to send mail to users. But that is only half the battle: now we need to make sure the mail we send lands in the Inbox and not in the Spam folder. This article describes the options you have for that. No one can guarantee 100% inbox delivery, but keeping the amount of mail filtered to Spam to a minimum is quite possible.

You have the following tools to make your mail more trustworthy and thus keep it out of Spam:

  • PTR record;
  • SPF record;
  • DKIM.

PTR

A PTR record maps an IP address back to your site’s domain name. DNS servers keep A records, which map a domain name to the IP of the server hosting the website under that name. PTR is the opposite of A: it starts with the IP and returns the domain name. Some call PTR “Reverse DNS”.

To fight spam, most mail services check the PTR record of servers that send them mail. Depending on the result of that check, they either put messages in the Inbox or filter them to Spam. Thus, when you have a PTR record for your server and it matches the domain name after @ in the address in the From field, the receiving mail server has more confidence in your mail.

How to add a PTR record

A PTR record can be added only by the owner of the IP address of the server that hosts your site. The record makes sense only if you use a dedicated server or a VPS. If you are on a simple shared hosting account, you most likely don’t need it, since in most cases the record is already there and points to the name of the hosting provider’s server.

How to check a PTR record

There are a number of commands you can run to check the PTR:

nslookup

nslookup -type=PTR ip-address

dig

dig -x ip-address

Run either of them from the command prompt (terminal); replace “ip-address” in the examples above with the real IP.
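The check a receiving server performs is stronger than a bare PTR lookup: the name returned by the PTR must resolve back to the same IP (forward-confirmed reverse DNS), and, per the article's criterion, it should sit under the sender's domain. The following is an added example written for this article, not code from the article or from Exim; it builds the in-addr.arpa name that dig -x queries and runs the check against a constructed, hypothetical DNS table so it works offline, with live resolver functions provided for checking a real server.

```python
import ipaddress
import socket

def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa name that `dig -x ip-address` actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed DNS data for offline runs; the hostnames are hypothetical.
# (154.56.125.94 is the address used in the article's SPF example.)
FAKE_DNS = {
    "94.125.56.154.in-addr.arpa": ["mail.mydomain.com"],
    "mail.mydomain.com": ["154.56.125.94"],
    # A PTR that exists but whose name resolves to a different address:
    "5.100.51.198.in-addr.arpa": ["vps123.hosting-provider.example"],
    "vps123.hosting-provider.example": ["198.51.100.77"],
}

def fake_ptr(ip):
    return FAKE_DNS.get(reverse_name(ip), [])

def fake_addrs(name):
    return FAKE_DNS.get(name.lower().rstrip("."), [])

def live_ptr(ip):
    """PTR lookup through the OS resolver (what `nslookup -type=PTR` does)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []

def live_addrs(name):
    """A/AAAA lookup through the OS resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip, sender_domain, ptr_lookup=fake_ptr, addr_lookup=fake_addrs):
    """Forward-confirmed reverse DNS, as a receiving server sees it: the PTR name
    must resolve back to the connecting IP, and (the article's criterion) should
    sit under the domain used after @ in the From address."""
    names = ptr_lookup(ip)
    result = {"ptr": names, "forward_confirmed": False, "matches_sender_domain": False}
    domain = sender_domain.lower().rstrip(".")
    for name in names:
        if ip not in addr_lookup(name):
            continue  # PTR exists but is not confirmed by the forward record
        result["forward_confirmed"] = True
        host = name.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            result["matches_sender_domain"] = True
    return result

if __name__ == "__main__":
    print(reverse_name("154.56.125.94"))
    print(check_fcrdns("154.56.125.94", "mydomain.com"))
    print(check_fcrdns("198.51.100.5", "mydomain.com"))
    # Live check of your own server: check_fcrdns(ip, domain, live_ptr, live_addrs)
```

The second sample address shows the case shared-hosting customers usually hit: a PTR exists, but it names the provider's machine and does not even resolve back to the sending IP, so the check yields no confidence for your domain.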

SPF record

SPF means Sender Policy Framework. It is an extension to SMTP that lets you add a TXT-type DNS record to a domain name specifying the IP addresses from which mail for that domain may be sent.

SPF is a factor that helps make your mail more trustworthy and less likely to end up in Spam. Also important is the domain reputation that SPF helps protect: when sending spam or phishing messages, attackers can put any address into the From field, which may result in problems for the owners of the domain names used for this purpose. But the mail server’s IP address cannot be forged like that, so when you have an SPF record, the receiving server checks it and acts accordingly.

How to add an SPF record

An SPF record is a text string with a specific syntax. Here is an example:

"v=spf1 +a +mx -all"

This record says that mail may be accepted from the IP addresses listed in the A and MX records of the domain the SPF record was added for. If the sending address doesn’t match, the mail should be refused. The record can be made shorter, "v=spf1 a mx -all", and still produce the same effect.

SPF record syntax

"v=spf1" — SPF version in use.
"+" — accept mail (pass). This sign can be omitted.
"-" — refuse mail (fail).
"~" — accept mail but filter it to Spam (soft fail).
"?" — neutral: the mail is treated as if no rule had matched.
"mx" — IP addresses of all servers listed in the domain’s MX records.
"ip4" — an IPv4 address or subnet.
"ip6" — an IPv6 address or subnet.
"a" — IP addresses listed in the domain’s A record.
"include" — applies the SPF record of some other domain.
"all" — the rule for all other senders not matched by the preceding mechanisms.

SPF record example

Let’s dig into the following SPF record:

"v=spf1 mx a ip4:154.56.125.94 a:example.com mx:example.com include:example.com ~all"

mx — accept mail from the domain’s own mail servers (its MX records).
a — accept mail from the servers listed in the A records of the domain itself.
ip4:154.56.125.94 — accept mail sent from IP 154.56.125.94. Here, you can also specify subnets as follows: 154.56.125.0/24.
a:example.com — accept mail from the servers listed in the A records of example.com. Here, you can specify subnets as follows: example.com/24.
mx:example.com — accept mail from the servers listed in the MX records of example.com. Subnets can be specified the same way as for A records.
include:example.com — accept mail following the rules dictated by the SPF record of example.com.
~all — all mail from sources not explicitly listed in the SPF record will be filtered to Spam. Replace the tilde with a minus (-all) to refuse such mail outright.
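To make the qualifier and mechanism semantics from the two sections above concrete, here is an added example (written for this article, not the article's own or Exim's code) that evaluates an SPF record the way a receiving server does: it walks the terms left to right and returns the result word of the first matching mechanism. The DNS data is a constructed in-memory table using documentation addresses and hypothetical hostnames; the record for mydomain.com is the article's example record, and strict.example carries the article's first "v=spf1 +a +mx -all" example. It handles ip4/ip6 with CIDR, a and mx with optional prefixes, include recursion and all; redirect= and other modifiers are deliberately out of scope.

```python
import ipaddress

# Constructed DNS data so the example runs offline; addresses are documentation
# ranges and the names are hypothetical. The TXT record for mydomain.com is the
# article's own example record.
FAKE_DNS = {
    ("mydomain.com", "TXT"): [
        "v=spf1 mx a ip4:154.56.125.94 a:example.com mx:example.com include:example.com ~all"
    ],
    ("mydomain.com", "A"): ["203.0.113.10"],
    ("mydomain.com", "MX"): ["mx.mydomain.com"],
    ("mx.mydomain.com", "A"): ["203.0.113.25"],
    ("example.com", "A"): ["198.51.100.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.6"],
    ("example.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    # The article's first example: only the domain's own A and MX hosts may send.
    ("strict.example", "TXT"): ["v=spf1 +a +mx -all"],
    ("strict.example", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype, dns):
    return dns.get((name.lower().rstrip("."), rrtype), [])

def parse_term(term):
    """Split one SPF term into (qualifier, mechanism, target, CIDR prefix)."""
    qualifier = "+"                     # "+" is implied when no sign is given
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, target = term.partition(":")
    prefix = None
    if "/" in target:                   # ip4:154.56.125.0/24, a:example.com/24
        target, prefix = target.split("/", 1)
    elif "/" in name:                   # a/24 (prefix applied to the domain itself)
        name, prefix = name.split("/", 1)
    return qualifier, name.lower(), target, prefix

def host_networks(name, mechanism, prefix, dns):
    """Networks behind an a or mx mechanism (IPv4 only in this example)."""
    hosts = [name] if mechanism == "a" else lookup(name, "MX", dns)
    nets = []
    for host in hosts:
        for ip in lookup(host, "A", dns):
            nets.append(ipaddress.ip_network(f"{ip}/{prefix or 32}", strict=False))
    return nets

def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF policy of `domain` for `sender_ip`; returns the SPF result word."""
    if depth > 10:                      # RFC 7208 caps include recursion; treat runaway as an error
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # two SPF records is a common misconfiguration
    for term in records[0].split()[1:]:
        qualifier, mech, target, prefix = parse_term(term)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(target if prefix is None else f"{target}/{prefix}", strict=False)
            matched = ip in net         # False when the IP versions differ
        elif mech in ("a", "mx"):
            matched = any(ip in n for n in host_networks(target or domain, mech, prefix, dns))
        elif mech == "include":
            matched = check_spf(sender_ip, target, dns, depth + 1) == "pass"
        else:
            matched = False             # modifiers such as redirect= are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no term matched and no "all" present

if __name__ == "__main__":
    for ip in ("154.56.125.94", "203.0.113.25", "198.51.100.77", "192.0.2.1"):
        print(ip, check_spf(ip, "mydomain.com"))
```

Note what the ~all versus -all difference buys you: with the article's record, an unlisted address such as 192.0.2.1 gets softfail (delivered to Spam), while the same address against strict.example gets fail. The include case also shows why you should know what the included domain publishes: its pass becomes your pass.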

DKIM

DKIM means DomainKeys Identified Mail. It is an authentication method that allows checking whether a message was really sent from the domain specified in the From field. DKIM is an effective anti-spam and anti-phishing measure.

Making DKIM keys with opendkim-tools

1. First off, install opendkim-tools by running the following command:

apt-get install opendkim-tools

2. Next, create a dkim directory. This is where the keys will be stored:

mkdir /etc/exim4/dkim

3. Change the ownership of that directory from root to Debian-exim:

chown -R Debian-exim:Debian-exim /etc/exim4/dkim

4. The next command generates the public and private keys for mydomain.com:

opendkim-genkey -D /etc/exim4/dkim/ -d mydomain.com -s mymail

Here:
-D — directory for the generated keys;
-d — domain the keys will be used for;
-s — selector name (mymail here), an identifier for this key that can be anything.

As a result, you get two files, /etc/exim4/dkim/mymail.private and /etc/exim4/dkim/mymail.txt, the private and public keys respectively.

5. Now go to /etc/exim4/dkim/ and rename mymail.private to mydomain.com.key:

cd /etc/exim4/dkim/
mv mymail.private mydomain.com.key

6. Change the ownership of mydomain.com.key (the private key file) from root to Debian-exim and restrict its permissions:

chown -R Debian-exim:Debian-exim /etc/exim4/dkim/mydomain.com.key
chmod 640 /etc/exim4/dkim/mydomain.com.key

Done!

Setting up DNS

mymail.txt (cat /etc/exim4/dkim/mymail.txt) should contain the following:

mymail._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "     "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC57fv+meeGTF2gtQ/FO1WAT7hYrPTnKir06k3YR6ZBCLhAVbfEOAZ9OkVTAEf67T61eRY8w8hojnN9dxd07XIZ8KyatNXajWfYo3g0YDWopTfVfoaI4XFXqQH8V6iXyobArpSe3MSTSTqNFuS+w498JoHAkeXXhcl6kmjdSGkPtwIDAQAB" )  ;

----- DKIM key mymail for mydomain.com

This information should be added as a TXT record to the DNS zone. The Name field receives:

mymail._domainkey

The Content field receives the quoted fragments joined into one string, without the quotes (opendkim-genkey splits the record into several quoted strings only because a single TXT string is limited to 255 bytes):

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC57fv+meeGTF2gtQ/FO1WAT7hYrPTnKir06k3YR6ZBCLhAVbfEOAZ9OkVTAEf67T61eRY8w8hojnN9dxd07XIZ8KyatNXajWfYo3g0YDWopTfVfoaI4XFXqQH8V6iXyobArpSe3MSTSTqNFuS+w498JoHAkeXXhcl6kmjdSGkPtwIDAQAB

Now you can simply delete mymail.txt.
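Pasting the .txt file into a DNS panel by hand is where most DKIM setups go wrong (stray quotes, a truncated key), so here is an added example, written for this article and not part of it or of opendkim-tools, that parses the mymail.txt output shown above into the Name and Content values and sanity-checks the record before you publish it. The embedded text is the article's own mymail.txt output (including its public key); the parsing and validation functions are the example's own.

```python
import base64
import re

# The mymail.txt content quoted in the article above (its own public key), embedded
# here so the example runs offline.
GENKEY_TXT = (
    'mymail._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "     '
    '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC57fv+meeGTF2gtQ/FO1WAT7hYrPTnKir06k3YR6ZBCLhAVbfEOAZ9OkVTAEf67T61eRY8w8hojnN9dxd07XIZ8KyatNXajWfYo3g0YDWopTfVfoaI4XFXqQH8V6iXyobArpSe3MSTSTqNFuS+w498JoHAkeXXhcl6kmjdSGkPtwIDAQAB" )  ;\n'
    "----- DKIM key mymail for mydomain.com\n"
)

def parse_genkey_txt(text):
    """Return (record name, TXT content) from opendkim-genkey's .txt file.
    The parenthesised quoted pieces are one TXT record split into strings of at
    most 255 bytes; they are concatenated, and the quotes are not part of the value."""
    line = text.strip().splitlines()[0]
    name = line.split()[0]
    return name, "".join(re.findall(r'"([^"]*)"', line))

def dkim_tags(content):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary."""
    tags = {}
    for part in content.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip()] = value.strip()
    return tags

def validate_dkim_record(content):
    """Checks worth running before publishing: no stray quotes, right version and
    key type, and a p= value that is valid base64 of a DER SubjectPublicKeyInfo."""
    if '"' in content:              # the .txt pasted verbatim, quotes included
        return False
    tags = dkim_tags(content)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except (KeyError, ValueError):  # missing p=, bad characters or a truncated paste
        return False
    return der[:1] == b"\x30"       # DER SEQUENCE tag opening the SubjectPublicKeyInfo

if __name__ == "__main__":
    name, content = parse_genkey_txt(GENKEY_TXT)
    print("Name:   ", name)
    print("Content:", content)
    print("Valid:  ", validate_dkim_record(content))
```

The same validator can be pointed at what dig returns after publishing (join the quoted strings the same way); if it rejects the live record while accepting the file, the DNS panel mangled the paste.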

To check if everything is fine, run the following command:

dig txt mymail._domainkey.mydomain.com | grep DKIM

The reply should look like this:

mymail._domainkey.mydomain.com. 2214 IN TXT "v=DKIM1\; k=rsa\...

Setting up DKIM Author Domain Signing Practices (DKIM ADSP)

To specify DKIM Author Domain Signing Practices (DKIM ADSP), add one more TXT record to DNS:

_adsp._domainkey.mydomain.com IN TXT "dkim=all"

where:

all — no unsigned messages are sent from the domain;
discardable — unsigned messages should be discarded on the receiver’s side;
unknown — the domain may sign all or only some messages.

Setting up DKIM in Exim

Setting up Exim starts with adding the following lines to /etc/exim4/exim4.conf.template (above the remote_smtp section). Debian’s template already references these macros inside .ifdef blocks of the remote_smtp transport, which is why defining them is enough to switch signing on:

# DKIM:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

DKIM_KEY_FILE = /etc/exim4/dkim/DKIM_DOMAIN.key

DKIM_PRIVATE_KEY = ${if exists{DKIM_KEY_FILE}{DKIM_KEY_FILE}{0}}

DKIM_SELECTOR = mymail

The config may also be split into smaller files, depending on how exim4 was installed. If that is the case, add those lines to /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp.

Another option is to create the config /etc/exim4/exim4.conf manually. In such a case, the lines mentioned above should be added to this file.

Repeat these actions for each domain and then restart Exim:

/etc/init.d/exim4 restart

Checking records in Exim config

To check the records in the Exim config, run the following command:

exim -bP transports | grep dkim

The reply should look something like this:

dkim_domain = ${lc:${domain:$h_from:}}

dkim_private_key = ${if exists{/etc/exim4/dkim/${lc:${domain:$h_from:}}.key}{/etc/exim4/dkim/${lc:${domain:$h_from:}}.key}{0}}

dkim_selector = mymail

where dkim_selector is the word before ._domainkey in the name of the public key’s DNS record.

So, we have added SPF and PTR records and prepared the server for DKIM. The result is more messages in the Inbox and fewer filtered to Spam.

 
