E-mail security

How to use e-mail security features (SPF, DKIM and DMARC) in the Exim SMTP server with BIND DNS.


Sender Policy Framework (SPF) uses a DNS TXT record within a domain that lists the IP addresses and hosts authorised to send e-mail for that domain.


Using the “a” directive, a receiving server looks up the IPv4 or IPv6 address of the hostname and matches it against the address the connection originates from for validation.


1H IN TXT "v=spf1 a:HOSTNAME -all"


dig in txt DOMAIN

If more than one source needs to be authorised, the “include” directive can be used (refer to RFC 7208).
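As an added illustration (not part of the original page), the following Python models how a receiver evaluates the “a”, “ip4”/“ip6” and “include” mechanisms against the connecting address, and how the RFC 7208 limit of ten DNS-querying terms turns an over-long chain of lookups into a permerror. The zone data is a constructed stub standing in for BIND, and the .test names are placeholders, not real hosts; mx, ptr, exists and redirect are left out.

```python
import ipaddress

# Constructed stub zone data standing in for BIND; names under .test are placeholders.
STUB_DNS = {
    ("example.test", "TXT"): ["v=spf1 a:mail.example.test include:relay.example.test -all"],
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("mail.example.test", "AAAA"): ["2001:db8::10"],
    ("relay.example.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Eleven DNS-querying mechanisms: one more than RFC 7208 allows.
    ("toomany.test", "TXT"): ["v=spf1 " + " ".join(["a:mail.example.test"] * 11) + " -all"],
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stub resolver: in production this is a real DNS query."""
    return STUB_DNS.get((name, rtype), [])


def host_matches(ip, hostname):
    """The 'a' mechanism: resolve the host's A (or AAAA) records and compare with the client IP."""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ip == ipaddress.ip_address(addr) for addr in lookup(hostname, rtype))


def check_spf(domain, client_ip, counter=None):
    """Evaluate domain's SPF record for client_ip.

    Returns (result, lookups_used); result is pass, fail, softfail, neutral,
    none or permerror. Only a, ip4, ip6, include and all are modelled here.
    """
    ip = ipaddress.ip_address(client_ip)
    counter = counter if counter is not None else [0]   # shared across include: recursion
    records = [r for r in lookup(domain, "TXT") if r.split(" ")[0] == "v=spf1"]
    if len(records) != 1:
        return ("none" if not records else "permerror"), counter[0]
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror", counter[0]
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_matches(ip, arg or domain)
        elif mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub, _ = check_spf(arg, client_ip, counter)
            if sub in ("none", "permerror"):
                return "permerror", counter[0]
            matched = sub == "pass"
        else:
            return "permerror", counter[0]   # mechanism not modelled in this example
        if matched:
            return QUALIFIERS[qualifier], counter[0]
    return "neutral", counter[0]   # nothing matched and no explicit "all"


if __name__ == "__main__":
    for dom, addr in [("example.test", "192.0.2.10"), ("example.test", "203.0.113.5"),
                      ("toomany.test", "203.0.113.5")]:
        print(dom, addr, check_spf(dom, addr))
```

The second return value is the lookup budget consumed; watching it grow across nested include: chains is the easiest way to see why records that pull in several providers hit the ten-lookup ceiling.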


DomainKeys Identified Mail (DKIM) signs outgoing messages so that the receiving server can verify their authenticity and detect tampering.


OpenSSL can be used to generate the private signing key and the public key that is published in DNS.

#! /bin/bash

rm -f private.pem public.pem public.der

# PEM printable encoding, RFC 7468
openssl genrsa -out private.pem 2048 1>/dev/null 2>&1
openssl rsa -in private.pem -pubout -out public.pem 1>/dev/null 2>&1

# Distinguished Encoding Rules, OPENSSL-FORMAT-OPTIONS(1SSL)
openssl rsa -in private.pem -pubout -outform der -out public.der 1>/dev/null 2>&1

# Emit a BIND TXT record, splitting the base64 key into 64-character quoted strings
base64 -w 0 public.der | awk '{
        print "dkim._domainkey IN TXT (\"v=DKIM1; k=rsa; p=\""
        do {
                printf "\t\"" substr($0, 1, 64) "\""
                $0 = substr($0, 65)
                if (length)
                        printf "\n"
                else
                        print ")"
        } while (length)
}'

The sub-domain “_domainkey” holds one TXT record per “selector” used with DKIM. In this example the selector is simply “dkim”, so the record name is dkim._domainkey.


dkim._domainkey IN TXT ("v=DKIM1; k=rsa; p="
        "use output from above")

The “p” directive contains the base64 encoded public key, which is what the openssl script above produces.


dig in txt dkim._domainkey.DOMAIN

The DKIM DNS record format is specified in RFC 6376.
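An added example, not from the page: a Python checker that reads a DKIM record in the zone-file form shown above, joins the quoted strings the way a resolver does, and walks the DER SubjectPublicKeyInfo in p= far enough to confirm it is an rsaEncryption key and to report the modulus size. The key is a constructed dummy modulus built with a small DER encoder, not one generated by openssl, and the selector and record names are placeholders.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def der_tlv(tag, body):
    """Minimal DER encoder for one tag-length-value (lengths below 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER for a non-negative integer (adds the leading 0x00 when the top bit is set)."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_rsa_spki(n, e):
    """SubjectPublicKeyInfo in the layout 'openssl rsa -pubout -outform der' writes."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))


def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def txt_strings(zone_rdata):
    """Join the quoted strings of a BIND TXT record, as a resolver does for multi-string RDATA."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', zone_rdata))


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict (RFC 6376 tag-list syntax, simplified)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def expect(cond, msg):
    if not cond:
        raise ValueError(msg)


def check_dkim_record(zone_line):
    """Validate a DKIM key record; returns {'bits', 'exponent'}, {'revoked': True} or {'error'}."""
    try:
        tags = parse_tags(txt_strings(zone_line))
        expect(tags.get("v", "DKIM1") == "DKIM1", "v= must be DKIM1")
        expect(tags.get("k", "rsa") == "rsa", "unsupported key type k=%s" % tags.get("k"))
        expect("p" in tags, "missing p= tag")
        if tags["p"] == "":
            return {"revoked": True}            # an empty p= revokes the selector
        # whitespace may sit inside p= where the record was split into several strings
        spki = base64.b64decode("".join(tags["p"].split()), validate=True)
        # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
        expect(spki[0] == 0x30, "p= is not a DER SEQUENCE (PEM text pasted instead of DER base64?)")
        total, pos = der_len(spki, 1)
        expect(pos + total == len(spki), "DER length disagrees with the decoded data (truncated?)")
        expect(spki[pos] == 0x30, "missing AlgorithmIdentifier")
        alg_len, alg_start = der_len(spki, pos + 1)
        expect(spki[alg_start:alg_start + 11] == b"\x06\x09" + RSA_OID, "algorithm is not rsaEncryption")
        pos = alg_start + alg_len
        expect(spki[pos] == 0x03, "missing subjectPublicKey BIT STRING")
        bits_len, bits_start = der_len(spki, pos + 1)
        key = spki[bits_start + 1:bits_start + bits_len]     # skip the unused-bits octet
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        expect(key[0] == 0x30, "RSAPublicKey is not a SEQUENCE")
        _, pos = der_len(key, 1)
        expect(key[pos] == 0x02, "modulus is not an INTEGER")
        n_len, n_start = der_len(key, pos + 1)
        modulus = int.from_bytes(key[n_start:n_start + n_len], "big")
        expect(key[n_start + n_len] == 0x02, "exponent is not an INTEGER")
        e_len, e_start = der_len(key, n_start + n_len + 1)
        exponent = int.from_bytes(key[e_start:e_start + e_len], "big")
        return {"revoked": False, "bits": modulus.bit_length(), "exponent": exponent}
    except (ValueError, IndexError) as exc:    # binascii.Error is a ValueError
        return {"error": str(exc)}


# Constructed sample input: a dummy 2048-bit modulus (not a real key), encoded and
# split into 64-character quoted strings, the shape the awk script above emits.
DEMO_B64 = base64.b64encode(build_rsa_spki((1 << 2047) | (1 << 1000) | 1, 65537)).decode()
DEMO_ZONE = 'dkim._domainkey IN TXT ("v=DKIM1; k=rsa; p="\n' + "\n".join(
    '\t"%s"' % DEMO_B64[i:i + 64] for i in range(0, len(DEMO_B64), 64)) + ")"

if __name__ == "__main__":
    print(DEMO_ZONE)
    print(check_dkim_record(DEMO_ZONE))
```

The two failure cases worth knowing are covered by the checks: pasting the PEM text (with its BEGIN/END lines) instead of the DER base64 fails base64 validation, and a record that lost a chunk during editing fails the outer DER length check rather than silently publishing a broken key.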


Exim routers and transports can apply DKIM signing selectively. This example uses a dnslookup router that hands messages from one specific sender domain to a DKIM-signing transport.


 driver          = dnslookup
 domains         = !+local_domains
 condition       = ${if eq{$sender_address_domain}{DOMAIN}}
 transport       = remote_smtp_dkim_DOMAIN
 ignore_target_hosts =


This transport signs the message with the private key and sets the selector that the receiving server looks up in DNS on delivery.

remote_smtp_dkim_DOMAIN:
 driver           = smtp
 helo_data        = HOSTNAME
 interface        = <;IPV4;IPV6
 dkim_domain      = DOMAIN
 dkim_selector    = dkim
 dkim_private_key = /etc/exim4/private.pem

For SPF, HOSTNAME must resolve to the address(es) the transport sends from (the interface setting above).

The DKIM signing domain need not be the same as the sender domain.


DMARC (Domain-based Message Authentication, Reporting and Conformance) defines a policy and reporting facility for e-mails, built on top of SPF and DKIM.

E-mails that fail the SPF and DKIM tests may be processed according to this table.

Policy       Result
none         Mail delivered normally
quarantine   Mail delivered to spam folder
reject       Mail rejected and not delivered

For reporting, providers such as Google send details of e-mails that pass and fail. Google's reports originate from noreply-dmarc-support@google.com.


The simplest policy is to do nothing with failed e-mails (p=none). This can be used to confirm that the feature is working before applying stricter rules, which tell a receiver to quarantine or reject.


_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"

Once you are confident that you are sending e-mail from the correct server(s) with the correct signature(s), the policy can be made stricter.


dig in txt _dmarc.DOMAIN

See RFC 7489 for more information.
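Added example (not the page's own code): a Python linter for the _dmarc record and a function that applies the policy table above to one message, including the sp= override for sub-domains and the pct= sampling of RFC 7489. The records, domain and mailbox are constructed placeholders.

```python
POLICIES = ("none", "quarantine", "reject")
# Outside the pct= sample the receiver applies the next weaker action (RFC 7489 section 6.6.4)
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def lint_dmarc(txt):
    """Return (tags, problems); problems is empty when the record is usable."""
    tags = parse_tags(txt)
    problems = []
    if txt.split(";")[0].strip() != "v=DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        if tag in tags and not all(u.strip().startswith("mailto:") for u in tags[tag].split(",")):
            problems.append("%s= entries must be mailto: URIs" % tag)
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append("%s= must be r (relaxed) or s (strict)" % tag)
    return tags, problems


def dmarc_disposition(txt, spf_aligned_pass, dkim_aligned_pass, is_subdomain=False, sample=100):
    """Disposition for one message: pass, none, quarantine or reject.

    A message passes when either the SPF or the DKIM result is aligned with the
    From: domain. Otherwise the policy (sp= for sub-domains, else p=) applies to
    the pct= sample; 'sample' is the receiver's per-message draw from 1..100.
    """
    tags, problems = lint_dmarc(txt)
    if problems:
        raise ValueError("; ".join(problems))
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample > int(tags.get("pct", "100")):
        policy = WEAKER[policy]
    return policy


# Constructed policy ladder, from monitoring only to full rejection
RAMP = [
    "v=DMARC1; p=none; rua=mailto:postmaster@example.test",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:postmaster@example.test",
    "v=DMARC1; p=reject; rua=mailto:postmaster@example.test",
]

if __name__ == "__main__":
    for record in RAMP:
        print(record, "->", dmarc_disposition(record, False, False, sample=50))
```

Running the ladder with a failing message shows the intermediate step in practice: with pct=25 only a quarter of failing mail is quarantined and the rest is treated as p=none, which is why the aggregate reports from the rua= address matter while ramping up.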



