How to Configure DKIM, SPF and DMARC on RHEL 7

How to Configure DKIM, SPF and DMARC on RHEL 7

Email authentication standards — SPF, DKIM, and DMARC — are essential for any mail server that sends outbound email. Without them, your messages are likely to be rejected or placed in spam folders by major providers such as Gmail, Microsoft 365, and Yahoo. SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorized to send mail on behalf of your domain. DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing message so receivers can verify the content has not been tampered with. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together by specifying what receiving servers should do with messages that fail both checks, and optionally sends you forensic reports. This guide covers all three standards on RHEL 7 with Postfix and OpenDKIM.

Prerequisites

• RHEL 7 with Postfix installed and sending mail (see the Postfix configuration guide).
• Control over the DNS records for your domain (ability to add TXT records).
• Root or sudo privileges on the mail server.
• The EPEL repository enabled for the opendkim package.
• Your server’s outbound IP address (needed for the SPF record).

Step 1: Create the SPF DNS TXT Record

SPF is implemented entirely in DNS. No software installation is required on the mail server. Log in to your domain registrar or DNS control panel and add a TXT record for your root domain (@ or example.com).

The SPF record syntax is:

v=spf1 [mechanisms] [qualifier]all

A practical example that authorizes your server’s IP address and uses a hard fail for everything else:

example.com.  IN  TXT  "v=spf1 ip4:192.168.1.22 include:_spf.google.com -all"

Mechanism breakdown:

• ip4:192.168.1.22 — authorizes the specific IPv4 address of your mail server.
• include:_spf.google.com — also authorizes Google’s sending infrastructure (e.g., if you use Google Workspace for some mail). Remove this if not applicable.
• -all — hard fail: reject mail from any sender not matched by the preceding mechanisms. Use ~all (soft fail) initially for safer testing.

Verify the record has propagated:

dig TXT example.com +short

Step 2: Enable EPEL and Install OpenDKIM

OpenDKIM is available in the EPEL (Extra Packages for Enterprise Linux) repository, which is not enabled by default on RHEL 7.

# Enable EPEL
yum install -y epel-release

# Install OpenDKIM
yum install -y opendkim opendkim-tools

The opendkim-tools package provides opendkim-genkey for generating the DKIM key pair.

Step 3: Generate the DKIM Key Pair

Create a directory to store keys, then generate a 2048-bit RSA key pair. The selector name (here mail) is a label that appears in the DNS record and allows you to rotate keys in future without disruption.

mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com

opendkim-genkey -b 2048 -d example.com -s mail

This produces two files:

• mail.private — the private key used by OpenDKIM to sign outgoing messages. Keep this secret.
• mail.txt — the DNS TXT record you must publish for the public key.

Set correct ownership and permissions on the private key:

chown -R opendkim:opendkim /etc/opendkim/keys/
chmod 600 /etc/opendkim/keys/example.com/mail.private

View the DNS record you need to publish:

cat /etc/opendkim/keys/example.com/mail.txt

mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..." ) ; ----- DKIM key mail for example.com

Step 4: Configure OpenDKIM

Edit the main OpenDKIM configuration file:

vim /etc/opendkim/opendkim.conf

Set or verify the following directives:

# Signing mode (Sign outgoing, Verify incoming)
Mode                    sv

# Log to syslog
Syslog                  yes
SyslogSuccess           yes

# Which hash algorithm to use
SignatureAlgorithm      rsa-sha256

# Domain to sign for
Domain                  example.com

# Selector name (must match the key directory name)
Selector                mail

# Path to private key
KeyFile                 /etc/opendkim/keys/example.com/mail.private

# Reject mail with invalid DKIM signatures
#RejectFailures         no   # Set to yes after testing

# Socket for Postfix milter communication
Socket                  inet:8891@localhost

# Trusted hosts — do not sign mail from these
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

# Key table and signing table (for multi-domain setups)
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Step 5: Configure KeyTable and SigningTable

The KeyTable maps a key identifier to the domain, selector, and key file path. The SigningTable maps sending domains or addresses to key identifiers.

vim /etc/opendkim/KeyTable

# Format: KeyID  domain:selector:keyfile
mail._domainkey.example.com    example.com:mail:/etc/opendkim/keys/example.com/mail.private

vim /etc/opendkim/SigningTable

# Format: sending-pattern  KeyID
*@example.com    mail._domainkey.example.com

Add your server’s own address to the TrustedHosts file so that locally generated mail is not rejected:

vim /etc/opendkim/TrustedHosts

127.0.0.1
localhost
192.168.1.22
example.com

Step 6: Integrate OpenDKIM with Postfix

OpenDKIM acts as a Postfix milter (mail filter). Add the milter configuration to /etc/postfix/main.cf:

vim /etc/postfix/main.cf

# OpenDKIM milter integration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

The milter_default_action = accept ensures that if OpenDKIM is temporarily unavailable, mail is accepted rather than rejected — important for availability during restarts.

Step 7: Start and Enable OpenDKIM

systemctl start opendkim
systemctl enable opendkim
systemctl status opendkim

Then reload Postfix to pick up the new milter configuration:

systemctl reload postfix

Step 8: Publish the DKIM DNS TXT Record

In your DNS control panel, add the TXT record from mail.txt. The record name is mail._domainkey (or mail._domainkey.example.com. as a FQDN):

mail._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Strip the concatenated string format from the file (remove the parentheses and join the quoted strings) before entering it in your DNS panel. Verify after propagation:

dig TXT mail._domainkey.example.com +short

Step 9: Add the DMARC DNS TXT Record

DMARC is also a DNS TXT record. It must be placed at _dmarc.example.com. Start with a monitor-only policy (p=none) to collect reports without rejecting any mail:

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; adkim=r; aspf=r; pct=100"

DMARC policy values explained:

• p=none — take no action on failing messages; monitor only. Escalate to p=quarantine then p=reject once you have verified all legitimate mail is passing.
• rua — aggregate report destination. Receiving servers will send daily XML summaries of authentication results.
• ruf — forensic (failure) report destination. Receive reports for individual failing messages.
• adkim=r — relaxed DKIM alignment (the signing domain must be an organizational domain match, not necessarily identical).
• aspf=r — relaxed SPF alignment.
• pct=100 — apply the policy to 100% of messages. Reduce this during testing.

Once you have reviewed aggregate reports and confirmed all legitimate outbound mail is passing both SPF and DKIM, escalate the policy:

"v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100"

Step 10: Test Your Configuration

Send a test email to a free address and use an authentication checker to verify all three records are working correctly:

# Send a test message
echo "DKIM/SPF/DMARC test" | mail -s "Auth Test" [email protected]

# Check the mail log for DKIM signing activity
grep -i dkim /var/log/maillog | tail -20

In the received email, inspect the headers for the Authentication-Results header added by the receiving server. It should show:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=mail;
   spf=pass (google.com: domain of [email protected] designates 192.168.1.22 as permitted sender);
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

You can also use online tools such as mail-tester.com by sending a test message to the unique address they provide, then viewing the detailed report which scores your SPF, DKIM, DMARC, blacklist status, and content quality.

Implementing SPF, DKIM, and DMARC on your RHEL 7 Postfix server is one of the highest-impact steps you can take to improve email deliverability and protect your domain from spoofing and phishing abuse. The three standards are complementary: SPF ensures only your designated servers can send mail for your domain, DKIM provides a tamper-evident signature that survives forwarding in most cases, and DMARC gives you policy control and reporting visibility over what receiving servers do with failures. Starting with a p=none DMARC policy and reviewing aggregate reports for two to four weeks before escalating to p=reject is the recommended path to a secure, spam-resistant mail deployment.