DKIM and ARC: Setup MTA: Using OpenDMARC

Requirements

• MTA: Postfix or Sendmail

• OpenDKIM

• OpenDMARC

• You have to choose authserv-id to determine the results of domain validation. In this document mx.example.org is used for example.

Note

• It is assumed here that OpenDMARC was built with internal SPF checking enabled. If not, you will need to install additional software for SPF, such as:

  • pypolicyd-spf (for Postfix only)
  • SPF Engine
  • SPF Milter
  • spfmilter

Configuration

Setting OpenDKIM / OpenDMARC

Sympa is responsible for the DKIM signing. That is, on OpenDKIM, the value of Mode parameter below may only include v, for verification.

The minimum configuration is as follows (Note: Replace mx.example.org in below).

opendkim.conf (see the manual of OpenDKIM for details):

AlwaysAddARHeader yes
AuthservID mx.example.org
Mode v
Socket inet:8891@localhost

opendmarc.conf (see the manual of OpenDMARC for details):

AuthservID mx.example.org
TrustedAuthservIDs mx.example.org
Socket inet:8893@localhost
SPFSelfValidate true

Setting MTA

• Postfix

  Add following settings to main.cf:

  smtpd_milters = (existing settings) inet:localhost:8891 inet:localhost:8893
  milter_default_action = accept
  

• Sendmail

  Edit sendmail.cf to add following settings:

  O InputMailFilters=opendkim, opendmarc
  Xopendkim, S=inet:8891@localhost
  Xopendmarc, S=inet:8893@localhost
  

  Or, if you are generating sendmail.cf from sendmail.mc, add following lines after FEATURE lines:

  define(`confINPUT_MAIL_FILTERS', `opendkim, opendmarc')
  MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
  MAIL_FILTER(`opendmarc', `S=inet:8893@localhost')
  

  Above is equivalent to below:

  INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
  INPUT_MAIL_FILTER(`opendmarc', `S=inet:8893@localhost')
  

After you finished setting up MTA, test it.