Avoid being flagged as spam (SPF, DKIM...)

Some servers may treat your mails as spam. There are a few proofs of good faith you can set up if possible. They are not mandatory. Keep in mind that most spam comes from the best-known providers (gmail, I'm looking at you), so don't be too hard on yourselves.

Reverse DNS

Your ISP might let you configure a reverse DNS (rDNS) record. As the name suggests, it maps your IP address back to your domain name.

Look for reverse DNS in your ISP's panel, or ask them directly. They are responsible for this 😉.

If you can't, and reaaaallly want an rDNS, you could rent a VPN with a dedicated IP and have the VPN provider configure the rDNS. But in most cases, following the next steps should be sufficient.

SPF

An SPF record states that only YOUR server is allowed to send mail for YOUR domain name. Since it is usually the server's admin who also manages the DNS records, publishing one is a proof of good faith.

Add a DNS record of type SPF to your zone, such as:

athome.tld.   SPF "v=spf1 a mx ~all"

Or use a TXT record if the SPF type is not available (RFC 7208 deprecated the dedicated SPF record type, so receivers look at the TXT form; publishing it is the safe choice in any case):

athome.tld. TXT "v=spf1 a mx ~all"

The record above is a very simple example that works in most cases: "a" and "mx" authorize the IPs found in your domain's A and MX records, and "~all" asks receivers to treat any other sender as a softfail rather than a hard reject. Consider reading about SPF records if you want to fine-tune it.
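To see what a receiving server actually does with that record, here is a small SPF evaluator, added here as an example and not part of the original page: it walks the mechanisms of "v=spf1 a mx ~all" (and a stricter "-all" variant) for a given connecting IP. The DNS data is a constructed in-memory zone (athome.tld, 203.0.113.x addresses), not real lookups.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (no network needed).
# athome.tld publishes the record from this page; strict.tld shows "-all".
ZONE = {
    "athome.tld": {"TXT": ["v=spf1 a mx ~all"], "A": ["203.0.113.10"],
                   "MX": ["mail.athome.tld"]},
    "mail.athome.tld": {"A": ["203.0.113.11"]},
    "strict.tld": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip):
    """Evaluate domain's v=spf1 record for one connecting IP, the way a
    receiving server does. Handles the a, mx, ip4 and all mechanisms with
    their +/-/~/? qualifiers (enough for the records on this page)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"          # no SPF policy published for this domain
    if len(records) > 1:
        return "permerror"     # RFC 7208: more than one record is an error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            hit = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror" # include, exists, ... not implemented here
        if hit:
            return RESULT[qual]
    return "neutral"           # nothing matched and no "all" term

if __name__ == "__main__":
    for dom, ip in [("athome.tld", "203.0.113.10"), ("athome.tld", "203.0.113.11"),
                    ("athome.tld", "198.51.100.7"), ("strict.tld", "198.51.100.7")]:
        print(dom, ip, "->", check_spf(dom, ip))
```

Note the difference in the last two cases: with "~all" an unknown sender only gets a softfail, with "-all" it fails outright.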

DKIM signing

With a private key, your server signs outgoing emails. In your DNS records, you publish the matching public key so recipients can check that the signature really comes from your server.

Ahem... Say that again?

Here we go. We will generate a private key and a public key.

The private key is used to sign mails. It is "private" because you must be the only one able to add a signature to outgoing mails.

The public key, displayed in a DNS record -- viewable by all -- lets anyone check that a signature is authentic. You can see it as a unique puzzle piece, the only one that fits the puzzle.

We'll see two ways to sign outgoing messages: one with an smtpd filter, the other with dkimproxy. You could also do the same with rspamd; it is described later and follows the same method to generate keys. Choose the one you prefer 😉.

Create DKIM keys

With the commands below, you create a directory for the keys, set permissions on that folder and move inside it, then generate the keys with openssl and restrict permissions on the private part:

# mkdir -p /etc/dkim/
# chmod 770 /etc/dkim/
# cd /etc/dkim/
# openssl genrsa -out private.key 2048
# openssl rsa -in private.key -pubout -out public.key
# chmod 400 private.key

DNS records

Add a DKIM or TXT record so anyone can check that the signature on your messages matches what is published in DNS.

Signed mails carry the selector "dkimpubkey" in their DKIM-Signature header; recipients use it to find the matching public key record under _domainkey in your zone.

Replace "..." with the content of the file "public.key" (only the base64 body, without the BEGIN/END lines and without line breaks):

# cat /etc/dkim/public.key

The record will look like this:

dkimpubkey._domainkey    IN TXT    ( "v=DKIM1; k=rsa; t=s;p=v+Fb...vhP/oB")
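Copying the base64 body by hand is error-prone, and a 2048-bit key does not fit in a single TXT string (DNS limits each string to 255 bytes, so the value has to be split into several quoted strings that the verifier concatenates). The helper below, added here as an example and not part of the original page, turns the PEM file written by "openssl rsa -pubout" into the zone-file line; it also checks that the file really is an RSA public key, not the private key. SAMPLE_PEM is a constructed stand-in for /etc/dkim/public.key, not a real key.

```python
import base64
import textwrap

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

def dkim_txt_record(pem, selector, domain):
    """Build the selector._domainkey TXT record from the PEM file written by
    `openssl rsa -pubout`. Returns (zone file line, list of <=255-char strings):
    DNS limits each TXT string to 255 bytes, so a 2048-bit key is split."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected the PEM 'PUBLIC KEY' file, not the private key")
    p = "".join(lines[1:-1])                       # base64 body, no line breaks
    der = base64.b64decode(p, validate=True)
    if der[:1] != b"\x30" or RSA_OID not in der:   # SubjectPublicKeyInfo for RSA
        raise ValueError("not an RSA SubjectPublicKeyInfo: k=rsa would not match")
    value = f"v=DKIM1; k=rsa; t=s; p={p}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )", chunks

# Constructed stand-in for /etc/dkim/public.key: a DER header (SEQUENCE,
# rsaEncryption OID, NULL params) followed by zero filler. NOT a usable key;
# it only has the shape the checks above look for.
_DER = bytes.fromhex("30820122300d") + RSA_OID + bytes.fromhex("0500") + bytes(270)
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_DER).decode(), 64))
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    line, chunks = dkim_txt_record(SAMPLE_PEM, "dkimpubkey", "athome.tld")
    print(line)
    print(f"{len(chunks)} TXT strings, lengths {[len(c) for c in chunks]}")
```

Run it against your real file with open("/etc/dkim/public.key").read() and paste the printed line into the zone; most DNS panels accept the split form as-is.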

Sign using opensmtpd-filter-dkimsign

Since smtpd supports filters, you can sign your messages with the opensmtpd-filter-dkimsign port:

# pkg_add opensmtpd-filter-dkimsign

Make sure the filter can read the keys generated above:

# chown -R _dkimsign:_dkimsign /etc/dkim/

In "/etc/mail/smtpd.conf", now add a new filter telling smtpd how to sign messages:

filter "dkimsign" proc-exec "filter-dkimsign \
    -d <domain> \
    -s <selector> \
    -k /etc/dkim/private.key" \
    user _dkimsign group _dkimsign

Replace "<domain>" with your domain name and "<selector>" with "dkimpubkey": that's what we defined in the DNS record earlier.

Finally, make sure outgoing mails go through this new filter. In "/etc/mail/smtpd.conf", the line for outgoing messages now looks like this:

listen on all port submission tls-require auth <passwd> filter "dkimsign"

Sign with dkimproxy

As an alternative, you can use dkimproxy to sign mails if you prefer.

As usual:

# pkg_add dkimproxy

Make sure dkimproxy can read the keys:

# chown -R _dkimproxy:_dkimproxy /etc/dkim/

Now configure dkimproxy to match your configuration (domain and DNS selector), in "/etc/dkimproxy_out.conf":

listen    127.0.0.1:10027
relay     127.0.0.1:10028
domain    athome.tld
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile   /etc/dkim/private.key
selector  dkimpubkey

Of course, edit domain and selector according to your DNS record.

Now tell smtpd to listen on port 10028 for the messages dkimproxy hands back once signed, and tag them "DKIM". Tagged messages are sent out as usual. Untagged ones, on the contrary, are relayed to dkimproxy on port 10027 to be signed. Keep the tagged rules before the catch-all ones: smtpd applies the first matching rule.

In /etc/mail/smtpd.conf :

# dkimproxy hands signed messages back here; tag them so they skip the proxy
listen on lo0 port 10028 tag DKIM
...
# already-signed (tagged) messages go out through your usual delivery action
match tag DKIM for any action "sendthismail"
match auth tag DKIM from any for any action "sendthismail"
...
# everything else is relayed to dkimproxy first to be signed
action dkimproxy relay host smtp://127.0.0.1:10027
...
match auth from any for any action dkimproxy
match for any action dkimproxy

Finally, enable dkimproxy and restart smtpd:

# rcctl enable dkimproxy_out
# rcctl start dkimproxy_out
# rcctl restart smtpd

Check it works

Follow the instructions on mail-tester.com. You send a mail to a randomly generated address and get a score:

(screenshot: mail-tester.com score page)

You may read about DMARC and other advice if you want to fine-tune your configuration. Remember your score is already better than most "big" providers'. Last time I checked with a gmail address, I got 6.1/10... 😜