Check and improve the quality of your mail server with mail-tester.com

Marc! Why do my emails end up in people's spam folder? – Mette Stender (my girlfriend)

Actually, I couldn’t answer her. I am not a Linux specialist and only know the basics. But because I administer the server for her web pages (and webmail) on my own VPS, I decided to figure out how to improve the mail system and escape the evil “spam folders”.

I started Googling how to check the spam score of an email, and found this wonderful tool: mail-tester.com

Test the quality of your mail.
Mail-tester.com

It’s a pretty easy and nice tool. The only thing you have to do to test the quality of your email is to send an email to the address shown on the homepage and check your score!

The score page will show you the points on which you can improve.

In my case, it was the authentication part that needed improvement. My Sender Policy Framework (SPF) record was not set, and DomainKeys Identified Mail (DKIM) was missing. But what are these, and how do I fix them?

Mail-tester.com tells you the basics and how to fix them; here is a short description:

  • Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
  • DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

Set the Sender Policy Framework

To set the SPF record, you need access to manage your DNS records. You have to add a “TXT” record. A “TXT” record requires a NAME and a VALUE. The NAME should be your domain name, e.g. example.com, and the VALUE should look like this:

"v=spf1 a mx ip4:37.139.12.47 ~all"

And that’s it! Actually, this little TXT record also fixes your Sender ID. If you, like me, have a domain with a PTR pointing to another domain, you can fix it with this entry instead:

"v=spf1 a mx ip4:37.139.12.47 ptr:other.domain.com ~all"

There are a lot of other settings you can add to your SPF string, and Microsoft has a tool to help you create it; check it out here.
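Both records above can be checked offline before they are published. The following is an added example, not part of the original post: it parses an SPF value, evaluates a sender IP term by term, and flags the ptr mechanism, which RFC 7208 says should not be published. The function names and the a/mx addresses in SAMPLE_DNS are constructed for illustration.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) terms."""
    words = record.strip('"').split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for word in words[1:]:
        qualifier = word[0] if word[0] in RESULT else "+"
        name, _, arg = word.lstrip("+-~?").partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms

def check_host(record, sender_ip, dns):
    """Evaluate terms left to right; bare a/mx come from the dns dict, not live DNS."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx") and not arg:
            matched = sender_ip in dns.get(name, ())
        else:
            matched = False  # ptr, include, exists need live DNS; skipped here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no term matched and there is no "all"

def lint(record):
    """Return notes on terms that weaken the policy."""
    terms = parse_spf(record)
    notes = []
    if any(name == "ptr" for _, name, _ in terms):
        notes.append("ptr: RFC 7208 section 5.5 says it should not be published")
    if not terms or terms[-1][1] != "all":
        notes.append("no final 'all': unlisted senders get neutral")
    elif terms[-1][0] == "+":
        notes.append("+all authorises every sender")
    return notes

# The two records from the post; the a/mx addresses are constructed (RFC 5737 ranges).
RECORD = '"v=spf1 a mx ip4:37.139.12.47 ~all"'
RECORD_PTR = '"v=spf1 a mx ip4:37.139.12.47 ptr:other.domain.com ~all"'
SAMPLE_DNS = {"a": ["192.0.2.10"], "mx": ["192.0.2.25"]}
```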

Create a valid DKIM signature

The last thing I will walk through is how to create and set up a valid DKIM signature with Postfix (the mail server I am using).

Configuration

First of all, you have to install OpenDKIM. This is how it’s done on Ubuntu:

sudo apt-get install opendkim opendkim-tools

When everything is installed, you have to edit some configuration files, for both OpenDKIM and Postfix:

/etc/opendkim.conf
/etc/default/opendkim
/etc/postfix/main.cf

Use your favorite editor to open the configuration files. We start with /etc/opendkim.conf

Add the following lines at the end, remember to replace example.com with your own domain name.

Domain                  example.com
KeyFile                 /etc/postfix/dkim.key
Selector                mail

Save it, and open the OpenDKIM default configuration file /etc/default/opendkim

Change the default socket by adding the following line:

SOCKET="inet:8891@localhost"

Save it, and open the Postfix main configuration file /etc/postfix/main.cf

Once again, we need to add the following lines to the end:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

DKIM Key Generation

Enter and run the following command:

opendkim-genkey -t -s mail -d example.com

It is important that “mail” matches the “Selector” value entered earlier in opendkim.conf, and of course replace example.com with your own domain name.

This command will generate two files, mail.private and mail.txt. mail.private is the private key, which will be used for signing outgoing emails. It is important that mail.private is located at the path specified in opendkim.conf, so we have to copy it there:

cp mail.private /etc/postfix/dkim.key

Creating the DNS record for the DKIM signature

We need to create another DNS record, and just like with SPF, this should be a “TXT” record. The content of this record is found in mail.txt, which was also created before. It should look like this:

cat mail.txt
mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; t=y; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQASDF4GNADCBiQKBgQDUoa+FBatrwEuv7co4QCs2SYHt89rgBuQd0Q11971bubHBtNJH+1JsNVq/4gmG7HBgb6ljo0LMlMUOJm4muNa9Ytfxl5vu2ZSQOPnZd8geFG4cpsj8c3958mlpAqyfCitM6OC2KYhkkGsBobBn1DncNlP/PHU9HoWM/paB8ZheHQIDAFAB" )  ; ----- DKIM key mail for example.com

Remember from the SPF record, a “TXT” record requires a NAME and a VALUE. This time the NAME should be “mail._domainkey.example.com” (or just “mail._domainkey” if your DNS provider appends .example.com automatically).

The VALUE should be the content of mail.txt, which should end up like this (showing both SPF and DKIM “TXT” records):

DNS Records

Finally, we need to restart the opendkim and postfix services:

service opendkim restart
service postfix restart

Verify DNS records

When your DNS records are updated (this depends on your DNS provider and can take up to 12 hours), you can verify them using the dig command (notice the “ANSWER SECTION”, which includes our public key):

dig mail._domainkey.marcz.dk TXT

; <<>> DiG 9.9.2-P1 <<>> mail._domainkey.marcz.dk TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59540
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail._domainkey.marcz.dk.	IN	TXT

;; ANSWER SECTION:
mail._domainkey.marcz.dk. 21599	IN	TXT	"v=DKIM1\; k=rsa\; g=*\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlkC4lUnzd4dF/uDUQKTOz2gNeEQNC0NHR0lvtOXHC+nbjZiLhmU3ExgKt/Dq5FFUWEZ6wsqfua/kbUSp24v10b6OEItE7WJ+1uUZjm/oL6rneb3nphgaptDrPjvkCUJ+V5KjR8sTikZDYN47s3vAgS8uzv2BcHgVVA03EhJRIMQIDAQAB"

;; Query time: 83 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar  2 21:51:09 2014
;; MSG SIZE  rcvd: 305
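
The DKIM record can be inspected the same way, before and after it is published. The following is an added example, not part of the original post: it reads a TXT record in either the mail.txt layout or dig's escaped form and reports the t=y testing flag, the obsolete g= tag and the RSA key size. The function names and the 64-bit toy key are constructed for illustration.

```python
import base64

def parse_dkim_txt(text):
    # Join every "..." chunk (zone files split long records) and undo dig's \; escaping.
    value = "".join(text.split('"')[1::2]).replace("\\;", ";")
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {tag.strip(): val.strip() for tag, val in pairs}

def _tlv(der, i):
    # Read the DER header at offset i; return (offset of the value, its length).
    length, i = der[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, i = int.from_bytes(der[i:i + n], "big"), i + n
    return i, length

def rsa_bits(p_b64):
    # Modulus size of the RSA SubjectPublicKeyInfo in p=, or None if it does not parse.
    try:
        der = base64.b64decode(p_b64, validate=True)
        i, _ = _tlv(der, 0)      # outer SEQUENCE
        i, n = _tlv(der, i)      # AlgorithmIdentifier, skipped below
        i, _ = _tlv(der, i + n)  # BIT STRING
        i, _ = _tlv(der, i + 1)  # past the unused-bits byte: RSAPublicKey SEQUENCE
        i, n = _tlv(der, i)      # INTEGER modulus
        return int.from_bytes(der[i:i + n], "big").bit_length() or None
    except (ValueError, IndexError):
        return None

def audit(tags):
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers treat the mail as unsigned")
    if "g" in tags:
        findings.append("g=: obsolete tag, dropped in RFC 6376")
    bits = rsa_bits(tags.get("p", ""))
    if not tags.get("p"):
        findings.append("p= is empty: the key is revoked")
    elif tags.get("k", "rsa") == "rsa" and bits is None:
        findings.append("p= does not decode as an RSA public key")
    elif bits is not None and bits < 2048:
        findings.append(f"RSA key is {bits} bits; RFC 8301 recommends at least 2048")
    return findings

# Constructed sample in the layout of mail.txt; the key is a 64-bit toy, not a real key.
TOY_P = base64.b64encode(bytes.fromhex(
    "3024 300d06092a864886f70d0101010500 0313 00 3010"
    " 0209 00 c0000000 00000001 0203 010001")).decode()
MAIL_TXT = ('mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; t=y; "\n'
            f'\t  "p={TOY_P}" )  ; ----- DKIM key mail for example.com')
```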

Finally test your score!

You are now ready to test your score at mail-tester.com, and hopefully you are getting a 10/10! Happy emailing!
