snork.ca ... making kittens cry since 2001

Update: Setup SPF And DKIM On hMailServer 2017-08-01


I am still using hMailServer today (even though there was a break in between), so I figured I would try out my own instructions to see if they hold up. As it turns out, I made some changes... hopefully for the better.

Setup SPF And DKIM On hMailServer 2015-04-04


SPF and DKIM are both attempts at curbing spam. Sadly, because many mail administrators didn't bother to read about how SPF works, they didn't implement it correctly and it isn't terribly useful. Also sadly, DKIM is [sort of] complicated to set up (more complicated than SPF) and as a result is not seen very often. Unfortunately, some large email providers actually use these mechanisms anyway, so it can at least be useful to set them up. The good news is that they are both free.

1. In my old instructions I had a link to a web site that would help you generate some keys. While this works and is easy, it isn't so good for security. So here's how to generate your own keys with openssl:

openssl genrsa -out domainname.com.key 1024
openssl rsa -in domainname.com.key -out domainname.com.pem -pubout -outform PEM

I found some instructions in the hMailServer forums explaining how to set up DKIM. They refer to installing some garbage like Visual Studio runtime libraries... I really hope openssl on Windows doesn't need that junk. Anyway, your key files should look generally like this:

[image: fake-rsa-key] Seriously, do not use this key.

2. Save the .key and .pem files on your hMailServer box, probably inside your hMailServer directory makes sense. Be sure to take note of the fact that the .key is private while the .pem is public.

3. Add these files to your backup strategy. This may not be entirely necessary since you can easily create new keys and setup DKIM again but you may as well save them in case you reinstall or relocate your server.

4. Now go to your DNS management interface and create a TXT record for DKIM. The name should be yourkey._domainkey.yourdomain.com, and you can change "yourkey" to anything you wish (this is the selector). The content of the TXT record should be v=DKIM1; k=rsa; p=XXXXXXXXX where the portion masked with X's is the content of your public key (.pem) from step 1, without the dashed BEGIN/END lines and without any spaces or line breaks. So for example, if you were dumb enough to use the key above, it would be like this:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC09e8hhgsV2F03w3zxMuvCBCC7JH69FVyXY32jPlo7ymo0InLSTvEtbfMLYW5zp6dSwe8Q9UUEGxyfnB9+W7IwRvwOJqfG/of4U2bc8h4nJAvDQutzU8FIlUm+vC2c9/o/Bn/9a1YM5endVMcey8VeTSM1anjan4QZpUjRK1T6DQIDAQAB"

5. Now open your hMailServer management app and highlight the domain you are configuring in the left pane.

6. In the right pane select the DKIM Signing tab.

7. Enable DKIM and browse to the private .key text file you saved earlier.

8. In the box marked "Selector" put in "yourkey" from step 4.
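As an added example (not code from the post or from hMailServer), here is a small Python script that does steps 1 and 4 without a web form: it strips the dashed lines and whitespace from an openssl .pem public key to produce the p= value, builds the TXT record and its name, splits the record into the 255-character strings DNS needs for longer keys, and sanity-checks a published record by decoding p= as a DER SubjectPublicKeyInfo and reporting the modulus size. The input is the post's own throwaway key; the selector and domain are placeholders. One caveat worth knowing: the 1024-bit key the post generates is the minimum RFC 8301 allows a signer to use, and 2048 bits is the recommended size today; a 2048-bit p= value is longer than 255 characters, which is why the record gets split into several quoted strings.

```python
"""Build and sanity-check a DKIM DNS TXT record from an openssl-generated public key."""
import base64
import re

# Constructed input: the throwaway public key shown in the post, wrapped the way
# `openssl rsa -pubout` writes it. Never use this key for a real domain.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC09e8hhgsV2F03w3zxMuvCBCC7
JH69FVyXY32jPlo7ymo0InLSTvEtbfMLYW5zp6dSwe8Q9UUEGxyfnB9+W7IwRvwO
JqfG/of4U2bc8h4nJAvDQutzU8FIlUm+vC2c9/o/Bn/9a1YM5endVMcey8VeTSM1
anjan4QZpUjRK1T6DQIDAQAB
-----END PUBLIC KEY-----
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_p_value(pem: str) -> str:
    """Drop the dashed BEGIN/END lines and all whitespace; keep only the base64 body."""
    lines = [line.strip() for line in pem.splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def build_dkim_record(pem: str) -> str:
    return f"v=DKIM1; k=rsa; p={pem_to_p_value(pem)}"


def dkim_record_name(selector: str, domain: str) -> str:
    """Placeholder selector/domain: 'yourkey' and 'yourdomain.com' in the post."""
    return f"{selector}._domainkey.{domain}"


def txt_strings(record: str, limit: int = 255) -> list:
    """Split a long record into <=255-char quoted strings; resolvers concatenate them."""
    return [f'"{record[i:i + limit]}"' for i in range(0, len(record), limit)]


def _der_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into tags and verify p= decodes to an RSA public key.
    Returns the tags plus 'bits', the modulus size in bits."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unexpected v= tag")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa is handled here")
    der = base64.b64decode(tags["p"], validate=True)
    _, spki, _ = _der_tlv(der, 0)                  # SEQUENCE SubjectPublicKeyInfo
    _, algid, pos = _der_tlv(spki, 0)              # SEQUENCE AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(algid, 0)           # OBJECT IDENTIFIER
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    bs_tag, bitstr, _ = _der_tlv(spki, pos)        # BIT STRING subjectPublicKey
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _der_tlv(bitstr, 1)             # SEQUENCE RSAPublicKey
    m_tag, modulus, _ = _der_tlv(rsapub, 0)        # INTEGER modulus
    if m_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tags["bits"] = len(modulus.lstrip(b"\x00")) * 8
    return tags


if __name__ == "__main__":
    record = build_dkim_record(SAMPLE_PUBLIC_PEM)
    print(dkim_record_name("yourkey", "yourdomain.com"), "TXT", " ".join(txt_strings(record)))
    print("modulus bits:", parse_dkim_record(record)["bits"])
```

Running it prints the record name, the quoted TXT string(s) ready to paste into a DNS interface, and `modulus bits: 1024` for the post's key. Pasting the output of `dig TXT yourkey._domainkey.yourdomain.com` back into `parse_dkim_record` is a quick way to confirm the published record is intact before enabling signing, since a p= value mangled by the DNS editor fails verification silently at the receiving side.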

That's it for DKIM... SPF is a little easier. The first thing you should do is go to the Wikipedia page for SPF and read it. Seriously, read it. To set it up properly you have to determine where your domain's mail may come from and then make a record in your DNS to indicate who (that is, which IP addresses) can send mail for your domain. If you have one mail server this is quite easy; if you have multiple mail servers you will want to authorize the ones that send outbound mail. If you have something else you may need a more complex SPF record. My simple setup has only one mail server and so I can use this for my SPF record:

v=spf1 a mx -all

The first part basically explains that it is an SPF record, the a and mx say who can send mail, and the -all means "do not allow mail from other places". Your SPF record will need to be customized to fit your needs, which is why you need to read the Wikipedia page first. Now that you have these set up, the easiest way to test them is to send yourself an email at a crappy throwaway gmail account or something and go look at the headers.
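To make the a / mx / -all semantics concrete, here is an added Python example (not code from the post) that evaluates an SPF record the way a receiving server does, against a stub resolver instead of live DNS. The zone data is constructed: example.com carries the post's record "v=spf1 a mx -all" with documentation addresses, and a second hypothetical domain uses ip4: with ~all so the difference between fail and softfail is visible. It handles the mechanisms the post uses plus ip4 and the four qualifiers; include, redirect and the RFC 7208 lookup limits are deliberately left out, so treat it as a teaching evaluator rather than a drop-in checker.

```python
"""Evaluate a simple SPF record for a sending IP using constructed DNS data."""
import ipaddress

# Constructed zone data standing in for DNS (RFC 5737 documentation addresses).
STUB_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx -all"],          # the post's record
    ("example.com", "A"): ["192.0.2.10"],                   # the web/mail host itself
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated TXT record"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def stub_lookup(name: str, rtype: str) -> list:
    return STUB_DNS.get((name, rtype), [])


def check_spf(domain: str, sender_ip: str, dns=stub_lookup) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip
    claiming to send mail for domain. Mechanisms: a, mx, ip4, all."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in dns(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"           # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"      # two SPF records is a permanent error, not "the first one wins"
    for term in records[0].split()[1:]:
        qualifier = "+"         # a bare mechanism means "+" (pass on match)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in dns(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in dns(host, "A") for host in dns(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include, exists, ip6, redirect: not implemented here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"            # nothing matched and no 'all' term was given


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.10"), ("example.com", "192.0.2.25"),
                       ("example.com", "198.51.100.7"), ("softfail.example", "198.51.100.7"),
                       ("nospf.example", "198.51.100.7")]:
        print(f"{ip:>14} sending as {domain:<18} -> {check_spf(domain, ip)}")
```

With the post's record, the host's own A address and the MX host both pass and any other address fails outright; the same unauthorized address only softfails under ~all, which many receivers treat as "accept but mark". That is the practical reason to prefer -all once you are sure the record lists every outbound server, and to check the Received-SPF header on the test message the post suggests sending.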

Made using Notepad++ & FastStone. Hosted on Debian with nginx & php. Powered by North Korean mushrooms.