====== Email Server Reputation ======

There are two methods to improve mail server reputation:

  - **Sender Policy Framework (SPF)**
  - **DomainKeys Identified Mail (DKIM)**

===== Sender Policy Framework =====

==== OVERVIEW ====

Sender Policy Framework (SPF) is a method of fighting spam. Over time it is becoming one of the standard methods of fighting spam on the Internet.

An SPF record is a TXT record that is part of a domain's DNS zone file. The TXT record specifies the list of authorized host names/IP addresses that mail for a given domain name may originate from. Once this entry is placed in the DNS zone, no further configuration is necessary to take advantage of receiving servers that incorporate SPF checking into their anti-spam systems. The SPF record is added the same way as a regular A, MX, or CNAME record.

**Example SPF TXT record entry**

<code>
learnexa.com. IN TXT "v=spf1 mx a ip4:ip_address/CIDR ~all"
</code>

**To learn about the syntax please visit:** http://www.openspf.org/SPF_Record_Syntax

**To create a record of your own please visit:** http://www.spfwizard.net/

**To check the SPF entry in the Domain Name Server**

For Linux boxes, install the ''dnsutils'' package first and then try the command below:

<code>
[User]# dig @ns15.learnexa.com learnexa.com TXT
</code>

Output should look something like this:

<code>
;; ANSWER SECTION:
learnexa.com.           300     IN      TXT     "v=spf1 ~all"
</code>

<code>
[User]# dig @ns16.learnexa.com learnexa.com TXT
</code>

Output should look something like this:

<code>
;; ANSWER SECTION:
learnexa.com.           300     IN      TXT     "v=spf1 ~all"
</code>

==== Challenges found ====

Currently the MX records of learnexa.com point to:

<code>
;learnexa.com.                  IN      MX

;; ANSWER SECTION:
learnexa.com.           1837    IN      MX      0 aspmx.l.google.com.
learnexa.com.           1837    IN      MX      10 alt1.aspmx.l.google.com.
learnexa.com.           1837    IN      MX      15 alt2.aspmx.l.google.com.
learnexa.com.           1837    IN      MX      20 aspmx2.googlemail.com.
learnexa.com.           1837    IN      MX      25 aspmx3.googlemail.com.

;; ADDITIONAL SECTION:
aspmx.l.google.com.     118     IN      A       74.125.68.27
</code>

The domain is authenticated by Google with TXT records:

<code>
;; ANSWER SECTION:
learnexa.com.           3223    IN      TXT     "google-site-verification=8yLItmV1Vu7ihdFuFuIMyq3YQrGlv7b-oid7lNld_W0"
learnexa.com.           3223    IN      TXT     "google-site-verification=5g2_0xq9DYZAv3i_-u29Teu_u_y-vlXW2bM8FTxMEm8"
</code>

The MX records make sure that email is sent and received by the servers listed above. However, the IPs of our prodapp01 and prodapp02 servers also need to be recognised as authentic senders alongside those mail servers. So we should add an SPF TXT entry on the Google DNS server ns.google.com listing the allowed IPs with the SPF ''ip4:'' mechanism (see the SPF syntax for more information).

===== DomainKeys Identified Mail =====

=== OpenDKIM installation ===

== Step 1 ==

<code>
yum install epel-release
</code>

This most probably would be el5, as the production servers are CentOS 5. It needs to be tested in dev/QA/Stage first before attempting it in production:

  * dev/QA -> CentOS 6.8, el6
  * production -> CentOS 5.7, el5

<code>
yum install opendkim
</code>

will install:

<code>
Installing:
 opendkim          x86_64   2.10.3-3.el6   epel   207 k
Installing for dependencies:
 libbsd            x86_64   0.6.0-1.el6    epel    64 k
 libopendkim       x86_64   2.10.3-3.el6   epel    68 k
 opendbx           x86_64   1.4.6-6.el6    epel    45 k
 sendmail-milter   x86_64   8.14.4-9.el6   base    57 k
</code>

== Step 2 ==

Once installed, new keys need to be generated for the domain learnexa.com:

<code>
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/learnexa.com -d learnexa.com -S default
</code>

== Step 3 ==

Once that is done:

<code>
yum install sendmail-cf
</code>

This is needed to modify ''sendmail.mc'' with the mail filter (milter):

<code>
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')
</code>

Restart sendmail, then start opendkim.

== Step 4 ==

Check ''/var/log/maillog'' to verify that opendkim filter entries appear in the maillog.

Edit ''/etc/opendkim.conf'' and change ''Mode'' from ''v'' (verify only) to ''sv'' (sign and verify).

The entries in

  * ''/etc/opendkim/KeyTable''
  * ''/etc/opendkim/SigningTable''

need to be updated after the generation of the keys in step 2.

== Step 5 ==

Open http://dkimvalidator.com/ . It generates a dynamic email address; send an email to it and validate the signature in the results page.

The entry to be added in the DNS is generated by the key generation on the server in step 2.

The folder ''learnexa.com'' from ''/etc/opendkim/keys'' should be copied over to all the servers sending out emails.

**Entries to add in DNS**

Create a TXT entry in the DNS:

  * Host/domain field: ''default._domainkey.learnexa.com''
  * Text field:

<code>
v=DKIM1;k=rsa; t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5UNvSpl86z994jZ0rwZzi0DOBTAP2LGSEZRd1dDjUxec5Bg3Hytfro9WNb+5NS5+3gNgNr0I65bBJl8n7vdqbl6ZqgLH7Hgr8xDVkDEVcLvk3WFCGQsgGStSSbG9qwIHzG/JLyxamq4G/3m9vY4T+XSfBt7CYtHUusoa03dABhwIDAQAB
</code>
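The SPF sections above show why the live record ''v=spf1 ~all'' is a problem: it authorizes no host at all, so mail from prodapp01/02 gets a softfail at every receiver that checks SPF, while a record of the form ''v=spf1 mx a ip4:... ~all'' passes the listed addresses. The following small evaluator, added here as an illustration and not part of the original page or of any SPF library, walks a record left to right exactly as a receiver does for the mechanisms the page uses (''a'', ''mx'', ''ip4'', ''ip6'', ''all'' with the four qualifiers). DNS answers come from a constructed in-memory table so it runs offline; apart from the ''aspmx.l.google.com'' address taken from the dig output above, the host names and IPs in that table are made-up documentation values.

```python
"""Minimal SPF evaluator for the mechanisms used on the wiki page above.

Added example (not part of the page, not a real SPF library). DNS answers come
from the constructed FAKE_DNS table so the script runs offline.
"""
import ipaddress

# Constructed stand-in for DNS. Only aspmx.l.google.com -> 74.125.68.27 is taken
# from the page; 192.0.2.x / 203.0.113.x are RFC 5737 documentation addresses.
FAKE_DNS = {
    ("learnexa.com", "MX"): ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
    ("aspmx.l.google.com", "A"): ["74.125.68.27"],
    ("alt1.aspmx.l.google.com", "A"): ["192.0.2.10"],
    ("learnexa.com", "A"): ["192.0.2.1"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Constructed DNS resolver: returns the answer list or [] for NXDOMAIN."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def evaluate(record, sender_ip, domain, dns=lookup):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'permerror')
    for sender_ip sending on behalf of domain, given the domain's TXT record.
    Mechanisms are tested in order; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                     # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # e.g. the literal "ip_address/CIDR" placeholder
        elif name in ("a", "mx"):
            target = arg or domain          # "mx" alone means the domain being checked
            hosts = dns(target, "MX") if name == "mx" else [target]
            rtype = "AAAA" if ip.version == 6 else "A"
            matched = any(ip == ipaddress.ip_address(addr)
                          for host in hosts for addr in dns(host, rtype))
        else:
            return "permerror"              # include/redirect/exists not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no explicit "all"


if __name__ == "__main__":
    live = "v=spf1 ~all"                                  # what dig shows today
    proposed = "v=spf1 mx a ip4:203.0.113.0/24 ~all"      # shape of the fix (constructed range)
    for rec in (live, proposed):
        for sender in ("74.125.68.27", "203.0.113.7", "198.51.100.5"):
            print(f"{rec!r:45} {sender:15} -> {evaluate(rec, sender, 'learnexa.com')}")
```

The ''mx'' and ''a'' branches are where the extra lookups happen; real receivers cap the number of DNS-querying mechanisms at ten per evaluation, which is worth keeping in mind when the record grows.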
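Before handing the DKIM TXT record in step 5 to whoever edits DNS, it is worth checking that what will be published is actually a usable key. The script below is an added example, not part of the page and not OpenDKIM code: it parses the ''tag=value'' list, base64-decodes ''p='', and reads the RSA modulus size and exponent out of the DER SubjectPublicKeyInfo with a small hand-written ASN.1 walker (standard library only, no cryptography package). Run against the record shown above it reports a 1024-bit modulus, which is below the 2048 bits current guidance expects; the ''min_bits'' threshold is this example's own choice.

```python
"""Sanity-check a DKIM TXT record before publishing it (added example, stdlib only)."""
import base64

# The record the wiki page says to publish at default._domainkey.learnexa.com.
PAGE_RECORD = (
    "v=DKIM1;k=rsa; t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5UNvSpl86z994jZ0rwZzi0DOBTAP2"
    "LGSEZRd1dDjUxec5Bg3Hytfro9WNb+5NS5+3gNgNr0I65bBJl8n7vdqbl6ZqgLH7Hgr8xDVkDEVcLvk3WFCGQsg"
    "GStSSbG9qwIHzG/JLyxamq4G/3m9vY4T+XSfBt7CYtHUusoa03dABhwIDAQAB"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def parse_tags(txt):
    """'v=DKIM1;k=rsa; t=s;p=...' -> {'v': 'DKIM1', 'k': 'rsa', 't': 's', 'p': '...'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it).
    Handles short-form and long-form lengths, which is all an SPKI needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_params(spki):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo.
    SPKI ::= SEQUENCE { SEQUENCE { OID, NULL }, BIT STRING { SEQUENCE { n, e } } }"""
    tag, body, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg, pos = der_read(body, 0)
    oid_tag, oid, _ = der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm identifier is not rsaEncryption")
    tag, bitstr, _ = der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsapub, _ = der_read(bitstr, 1)               # bitstr[0] is the unused-bits count
    tag_n, n, pos = der_read(rsapub, 0)
    tag_e, e, _ = der_read(rsapub, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_dkim_record(txt, min_bits=2048):
    """Describe the record and list findings a defender would want to see before publishing."""
    tags = parse_tags(txt)
    info = {"version": tags.get("v", "DKIM1"), "key_type": tags.get("k", "rsa"),
            "flags": tags.get("t", ""),                # "s": i= domain must equal d= exactly
            "modulus_bits": None, "exponent": None, "findings": []}
    if info["version"] != "DKIM1":
        info["findings"].append("v= is not DKIM1")
    if info["key_type"] != "rsa":
        info["findings"].append("k= is not rsa; this checker only parses RSA keys")
        return info
    if "p" not in tags:
        info["findings"].append("no p= tag: the record publishes no key")
        return info
    p = "".join(tags["p"].split())                     # folding whitespace is allowed inside p=
    if p == "":
        info["findings"].append("empty p=: key is revoked, signatures with this selector will not verify")
        return info
    try:
        bits, exponent = rsa_params(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:            # binascii.Error is a ValueError
        info["findings"].append(f"p= is not a valid RSA SubjectPublicKeyInfo ({exc})")
        return info
    info["modulus_bits"], info["exponent"] = bits, exponent
    if bits < min_bits:
        info["findings"].append(f"{bits}-bit RSA modulus is below {min_bits} bits; regenerate a longer key")
    return info


if __name__ == "__main__":
    for key, value in check_dkim_record(PAGE_RECORD).items():
        print(f"{key:13} {value}")
```

If the checker flags the modulus size, the key pair has to be regenerated in step 2 and the new ''p='' published; ''opendkim-genkey'' takes a ''-b'' option for the key length (verify against the installed version's man page). Remember that only the public half goes into DNS; the ''default.private'' file written into ''/etc/opendkim/keys/learnexa.com'' must stay readable by the opendkim user alone on every sending host it is copied to.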