DKIM, DMARC, and SPF configuration for a noob?

Is there any comprehensible and up-to-date guide on how to implement DKIM, DMARC and SPF security on a Windows Axigen server?
Important that it’s assuming I’m dumb as a bag of bricks about it.
(as in, I have no clue what they are, just that they seem to be needed)
I followed some sort of guide last year, and it ended up blocking all mail from going out.

/P

Hello Peter,

I agree that usually this process is not an easy one, but if you have patience I’ll try to guide you step-by-step through it.

Before starting please:

1/ let’s clarify for what domain we’ll have to follow the procedure (if you cannot share it here we could give it a code name like my.domain.tld, but this will definitely interfere with the process, like checking some specific DNS records from my side)

2/ let’s clarify the public IP address / addresses used to send messages for that domain

3/ please have at hand access to openssl (for example via Windows Subsystem for Linux or on a Linux virtual instance of your choice)

4/ please have at hand the procedure and credentials for managing the domain DNS

5/ in case you didn’t already find our relevant documentation (from here) please read it so we’ll have a common base of the steps to be followed

After confirming all of the above we could start “our journey”.

HTH,
Ioan


Oh, sorry for the late reply, I’d be awfully interested in this although I’m not entirely sure when I can get the time to sit down with it, hopefully the coming week. I have a faint memory of running some openssl in Windows for some reason, would that work, or does it need to be via Linux?
/Peter

Finally had some time to sit down and read up / install OpenSSH on Windows,
I checked the documentation about SPF/DKIM/DMARC, but didn’t really understand how it would be implemented on a Windows machine. The SPF guide I had tried once earlier, but that made it so no mail at all was received (or sent, it was a while ago now)

Anyhows.
I’m not comfortable sharing out my domain or public IP (self hosting, only using mail for private use)
let’s call it testdomain.com
and say 10.11.12.13 as public IP.
The Windows/mail server is behind a pfSense firewall, only using webmail, and is set up to require being on the local network to use webmail (after seeing how horrendously many attempts to log in every second there were when it was exposed to allow logins from the internet)

/Peter

Hello Peter,

So let’s start first with the SPF setup. As you said that 10.11.12.13 is your public IP address, then you should add a DNS TXT record for your testdomain.com zone that should look similar to:

testdomain.com. IN TXT "v=spf1 a mx ip4:10.11.12.13 -all"

Note: the above configuration informs remote parties that they should accept messages sent only from the IP addresses of the A and MX DNS records of the testdomain.com domain as well as from the WAN public IP address of the mail server.

After setting this DNS record please double check that all is fine with:

1/ from a Windows command line terminal:
nslookup -type=TXT testdomain.com

2/ using an online tool like Kitterman’s SPF Record Testing Tools

Looking forward to your confirmation that this task has been passed.

BR,
Ioan

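To make the record above concrete, here is an added example (not Axigen code or the forum author's) that evaluates a simple SPF record the way a receiving server does: first matching mechanism wins, and the qualifier in front of it (+, -, ~, ?) decides the result. It assumes a constructed DNS answer set for testdomain.com instead of doing real lookups, so it runs offline; only the mechanisms used in the thread (a, mx, ip4, all) are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result (a term with no prefix means "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data standing in for the real zone of testdomain.com:
# the A record of the domain and the addresses of its MX hosts.
DNS = {
    "A": ["10.11.12.13"],
    "MX": ["10.11.12.13", "10.11.12.14"],
}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def mechanism_matches(mech, arg, ip, dns):
    """Does the connecting IP match one mechanism, given pre-resolved DNS data?"""
    addr = ipaddress.ip_address(ip)
    if mech == "all":
        return True
    if mech == "ip4":
        # ip4:10.11.12.13 is a /32; ip4:10.11.12.0/24 is a whole block.
        return addr in ipaddress.ip_network(arg, strict=False)
    if mech in ("a", "mx"):
        return any(addr == ipaddress.ip_address(h) for h in dns[mech.upper()])
    raise ValueError("unsupported mechanism: %s" % mech)


def check_host(ip, record, dns=DNS):
    """Evaluate the record for a sending IP; the first matching term decides."""
    for qual, mech, arg in parse_record(record):
        if mechanism_matches(mech, arg, ip, dns):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term was present
```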

Hi!
Here’s the first snag in my knowledge and why I think I could not follow the guides, where is that DNS TXT record supposed to go?

/Peter

Hello Peter,

One of the requirements (see my initial answer - specifically requirement #4) was that you have access and credentials to manage the DNS entries for your domain. In case this is not checked, then you should start the process to identify where your DNS is hosted and how to make any change there.

Definitely this is not something we could help with (especially as you chose not to share the domain name).
Nevertheless you may have a hint where your DNS is hosted by running the following command lines:
nslookup -type=NS testdomain.com
nslookup -type=SOA testdomain.com

Also you may try the online report provided by intoDNS interface.

HTH,
Ioan

Hello again.
Thanks for the info, this was one of the parts that was unclear in the guides, and I had no idea if it was in the Axigen config, the WebAdmin or something else.
I have access to my DNS provider and now added a txt record,
host = @ (None)
Timetolive = 7200
text = v=spf1 a mx ip4:10.11.12.13 -all
(hosted via register.com, takes up to 48 hours to take effect now)
/Peter


Now it seems the SPF settings have gone through on the DNS side, Kitterman’s tool reports
“The result of the test (this should be the default result of your record) was, pass. The explanation returned was, sender SPF authorized!”, getting the reply "v=spf1 a mx ip4:10.11.12.13 -all" when using nslookup

/Peter

Hello Peter,

Excellent news - as we have passed the SPF setup, let’s continue our journey with DKIM, which means that we’ll sign all authenticated messages sent via our mail server.

Let’s generate the private and public RSA key pair to be used for signing (on Axigen side) / verifying the signature (on receiving side).

For this, please open a command line terminal and check if you have access to openssl binary (as mentioned in prerequisite #3), with a command like:

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

If this passed let’s generate the private key which will be used by Axigen to sign messages sent from your domain:

$ openssl genrsa -out dkim.privkey.testdomain_com.pem 2048
Generating RSA private key, 2048 bit long modulus
..+++
................................................................................................................................+++
e is 65537 (0x010001)

From the private key, let’s extract the public key to be published into DNS (we’ll talk about this later) so the remote parties could check the message signature:

$ openssl rsa -in dkim.privkey.testdomain_com.pem -outform PEM -pubout -out dkim.pubkey.testdomain_com.pem
writing RSA key

At this point we should have two local text files: dkim.privkey.testdomain_com.pem and dkim.pubkey.testdomain_com.pem and in order to check that all is fine please check their contents.

Note: please do not make any modifications to them, just “look” at their contents

You should see something similar to:

  • for the privkey file:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAqrg9fKp/lvlT4GyaJIZqL69Plz6klotzRKF5k7MWlDznKFqJ
d6WvlVlXDp9T423covNm4wJFbIF61VZrI+n/jC4UXmjuJr5PB2pyNh+R6FROhRrp
...
u6Wpk5JSFZFzYsoTOlEkGrtJ+YJFddZRmoakUEMMB3OfwxQ+rac=
-----END RSA PRIVATE KEY-----
  • for the pubkey file:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1AHYx6g+IYNWA6VcJxm
...
RwIDAQAB
-----END PUBLIC KEY-----

As an extra verification step, just in case you like to have a confirmation that these files are paired, we could check that both of them have the same “modulus” (actually we’ll compare their MD5 hash).

For this please use the following commands and check that their output is the same (in our case we have an MD5 hash of 9e756d472eba0c25b37d92dc8c4a596d):

$ openssl rsa -modulus -pubin -noout -in dkim.pubkey.testdomain_com.pem | openssl md5
(stdin)= 9e756d472eba0c25b37d92dc8c4a596d

$ openssl rsa -modulus -noout -in dkim.privkey.testdomain_com.pem | openssl md5
(stdin)= 9e756d472eba0c25b37d92dc8c4a596d

I’ll wait for your confirmation that you’ve managed to generate these two files so we could advance to the next step.

BR,
Ioan


Hello again, everything is going splendid so far!
both files are generated and they seemed to be paired correctly!
/Peter

Hello Peter,

Now, that you have both public and private keys let’s continue with the needed Axigen configuration:

Configure Axigen to use the private key to add a message signature

  • move dkim.privkey.testdomain_com.pem in your Axigen working directory (in Windows the default location is in C:\Program Files\Axigen Mail Server\)
  • login into WebAdmin interface and go to Security & Filtering > Acceptance & Routing > Advanced settings > Add accepting / routing rule
  • name the rule with what you like, for example dkim-for-testdomain
  • add the following conditions:
    • Sender domain = testdomain.com
    • Connection is authenticated (ticked)
  • change the rule to apply to ALL of the conditions below
  • set the following DK actions:
    • DKIM Selector = mail
    • DKIM Key Path = dkim.privkey.testdomain_com.pem
    • Sign DKIM
  • save configuration

If all of the above have been set correctly, when sending a message from the WebMail interface (for example from a test account to itself) you should see that in the received message a new header is added like:

DKIM-Signature: v=1; a=rsa-sha256; d=testdomain.com; s=mail;
 c=relaxed/relaxed; q=dns/txt; h=from:date:to:cc:message-id:subject;
 bh=...;
 b=...;

where d= is the domain for which you chose to sign the messages and s= is the selector to be used by the remote recipient when extracting the public key from DNS for validating the signature saved in the message header.

After you successfully configure Axigen (by checking the presence of the above header) we’ll continue with the needed steps to configure the corresponding DNS record.

Looking forward for your feedback.

BR,
Ioan


Hello again!
Copied the file and added all the settings, sending and receiving mail works, and the DKIM header is present!

(Maybe this thread could be stickied or linked to on the DKIM/SPF page, I would never have figured this out by myself)
/Peter

Hello Peter,

Now that all is set on the Axigen side, let’s set the public key content into a dedicated DNS TXT record so any receiving email server may validate the message(s) signature.

For this, please open the public key file (which in our example is dkim.pubkey.testdomain_com.pem) and copy all data between the first and the last line (without including them).

Paste that data into your preferred text editor (for Windows you may use Notepad or Notepad++) and make the needed changes so the data is on a single line only.

For example, if your public key content is something similar to:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1AHYx6g+IYNWA6VcJxm
...
RwIDAQAB
-----END PUBLIC KEY-----

then you have to concatenate it in the text editor into a single line like:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1AHYx6g+IYNWA6VcJxm...RwIDAQAB

Now if you managed to prepare this long line, then you should log into the DNS administration interface for your domain (like you’ve done when creating the SPF TXT record) and create a new TXT record for mail._domainkey.testdomain.com with the following content:

"k=rsa; p=<the_content_of_the_public_key_on_a_single_line>"

Note: if your DNS administration interface does not allow you to add a very long text record you may split it like:
"k=rsa; p=<the_first_part_of_the_public_key_on_a_single_line>" "<the_second_part_of_the_public_key_on_a_single_line>"

If all goes fine you may check the content of the DNS record with the following command:

nslookup -type=TXT mail._domainkey.testdomain.com

After validating the content of the DNS TXT record, then you may send a new mail to an account hosted on Gmail and double check that the received message contains a header like:

Authentication-Results: mx.google.com; dkim=pass; ...

where you have to check the dkim=pass content validated by external service mx.google.com

Please let us know if you manage to follow the above steps so we could continue with DMARC setup.

HTH,
Ioan

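The PEM-to-TXT conversion and the 255-character split described above are easy to get wrong by hand, so here is an added example (not Axigen's or the author's code) that builds the mail._domainkey record from the public key file, splits it into DNS-sized strings, and parses a TXT answer back to confirm the published key matches the file. The PEM in it is a constructed stand-in with the real framing and a short body, not an actual key.

```python
import base64

# Constructed sample (not a real key): the PEM framing from the thread
# with a short base64 body so the line joining and splitting is exercised.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1AHYx6g+IYNWA6VcJxm
RwIDAQAB
-----END PUBLIC KEY-----
"""


def pem_body(pem):
    """Return the base64 between the BEGIN/END markers joined on one line."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected the PUBLIC KEY file, not the private key")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # raises if a line was mangled
    return body


def dkim_txt_record(pem, selector="mail", domain="testdomain.com", max_chunk=255):
    """Return (record name, list of TXT strings) for the DKIM DNS record.
    One TXT string holds at most 255 bytes, so a long key is split into
    consecutive quoted strings; resolvers concatenate them back together."""
    value = "k=rsa; p=" + pem_body(pem)
    chunks = [value[i:i + max_chunk] for i in range(0, len(value), max_chunk)]
    return "%s._domainkey.%s" % (selector, domain), chunks


def parse_dkim_txt(txt_strings):
    """Join the TXT strings as a resolver would and parse the tag=value list."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags


def published_key_matches(txt_strings, pem):
    """True when the DNS answer carries exactly the public key from the PEM."""
    tags = parse_dkim_txt(txt_strings)
    return tags.get("k", "rsa") == "rsa" and tags.get("p") == pem_body(pem)


if __name__ == "__main__":
    name, strings = dkim_txt_record(SAMPLE_PEM)
    print(name, "IN TXT", " ".join('"%s"' % s for s in strings))
```

With a real 2048-bit key the p= value is about 392 characters, so the default 255-byte chunking produces two quoted strings, which is exactly the split form shown in the note above.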

All right, finally able to get it working!
If anyone else reads this guide, I had some confusion about the “create a new TXT record for mail._domainkey.testdomain.com” part; in hindsight it’s pretty clear, but anyhow, in the UI for register.com it’s the ‘other host’ option that should be used.

/Peter

Hello Peter,

Thank you for confirming that you managed to finalize the DKIM part.

Now, if you like, you could close the loop by setting the DMARC specific TXT DNS record for _dmarc.testdomain.com like: "v=DMARC1; p=reject" as explained here.

Best regards,
Ioan

I followed everything but no luck for me

Finally back from vacation, managed to add the DMARC record, and now it seems that it’s working! \o/
Again, so many many many thanks, I would never have figured this all out.

/Regards Peter