How to not be marked as spam
There are a number of things to do so that the subscription and notification emails don’t end up in the client’s spam folder. The following assumes the application server handles mail.
In most cases, the mail domain name and the application domain name will be identical; but we will distinguish them below.
Important: The reverse DNS of the server (both IPv4 and IPv6) must point back to the mail domain name.
See the Setting up Dovecot and VMM documentation for further postfix configuration, even if you don’t install vmm.
DNS records
You should set MX, SPF and DMARC:
MX mail_domain_name 10 mail_domain_name
TXT mail_domain_name v=spf1 mx -all
SPF mail_domain_name v=spf1 mx -all
TXT _dmarc.mail_domain_name v=DMARC1;p=reject;rua=mailto:postmaster@mail_domain_name
and, if domains are different:
MX application_domain_name 10 mail_domain_name
TXT application_domain_name v=spf1 mx -all
SPF application_domain_name v=spf1 mx -all
DKIM procedure
Mostly following https://help.ubuntu.com/community/Postfix/DKIM
sudo apt-get install opendkim opendkim-tools
sudo mkdir -p /etc/opendkim/keys # if necessary
sudo chown opendkim:opendkim /etc/opendkim /etc/opendkim/keys
cd /etc/opendkim/keys
# -t marks the key as being in test mode (t=y in the generated record)
sudo -u opendkim opendkim-genkey -t -s mail -d mail_domain_name
# This creates mail.private and mail.txt; they should be in -rw------- mode.
sudo cat mail.txt
You’ll see something like:
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
"p=MIGfMA0GCS......" ) ; ----- DKIM key mail for mail_domain_name
The quoted value (make sure to collapse the quoted strings into a single value) needs to be a TXT record in the DNS for mail._domainkey.mail_domain_name
While you’re there, there should be another TXT record for _dmarc.mail_domain_name containing v=DMARC1; p=reject; rua=mailto:postmaster@myorganization.com
(Use a postmaster address that exists; it can be on the same domain or on your organization’s domain.)
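The quote-collapsing step can be scripted. The following shell functions are an added example, not part of the original procedure or of OpenDKIM; the function names and the sample record (with a made-up placeholder key) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original procedure.

# Constructed sample in the layout opendkim-genkey writes to mail.txt;
# the p= value is a made-up placeholder split over two strings, not a real key.
sample_mail_txt() {
cat <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"
  "SecondChunkOfPlaceholderKeyQIDAQAB" ) ; ----- DKIM key mail for mail_domain_name
EOF
}

# collapse_dkim_txt FILE: join the contents of every quoted string, with
# nothing in between, giving the single value to publish in the TXT record.
collapse_dkim_txt() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# dkim_tag VALUE TAG: print the value of one tag (v, k, t or p).
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1
}

# check_dkim_txt FILE: return 0 if the collapsed value looks publishable.
check_dkim_txt() {
    value=$(collapse_dkim_txt "$1")
    [ "$(dkim_tag "$value" v)" = "DKIM1" ] || { echo "missing v=DKIM1" >&2; return 1; }
    p=$(dkim_tag "$value" p)
    [ -n "$p" ] || { echo "empty p=: no public key" >&2; return 1; }
    case $p in
        *[!A-Za-z0-9+/=]*) echo "p= contains non-base64 characters" >&2; return 1 ;;
    esac
    # t=y is what opendkim-genkey -t emits: verifiers treat the key as a test.
    [ "$(dkim_tag "$value" t)" = "y" ] && echo "note: record has t=y (test mode)" >&2
    return 0
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_mail_txt > "$tmp"
check_dkim_txt "$tmp" && printf '%s\n' "$(collapse_dkim_txt "$tmp")"
rm -f "$tmp"
```

Run it against the real file with `check_dkim_txt mail.txt && collapse_dkim_txt mail.txt` from /etc/opendkim/keys, before the file is renamed.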
sudo mv mail.private mail_domain_name.private
sudo mv mail.txt mail_domain_name.txt
# IF THERE IS A SINGLE ASSEMBL SERVER ON YOUR MACHINE
Edit /etc/opendkim.conf to add or set:
AutoRestart Yes
AutoRestartRate 10/1h
Domain mail_domain_name
KeyFile /etc/opendkim/keys/mail_domain_name.private
Selector mail
Canonicalization relaxed/simple
Socket inet:12345@localhost
# ELSE, IF THERE ARE MULTIPLE ASSEMBL SERVERS ON YOUR MACHINE, EACH WITH ITS DOMAIN NAME:
Edit /etc/opendkim.conf to add or set:
AutoRestart Yes
AutoRestartRate 10/1h
Selector mail
Canonicalization relaxed/simple
Socket inet:12345@localhost
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Edit /etc/opendkim/TrustedHosts:
localhost
127.0.0.1
mail_domain_name_1
mail_domain_name_2
...
Edit /etc/opendkim/KeyTable:
mail._domainkey.mail_domain_name_1 mail_domain_name_1:mail:/etc/opendkim/keys/mail_domain_name_1.private
mail._domainkey.mail_domain_name_2 mail_domain_name_2:mail:/etc/opendkim/keys/mail_domain_name_2.private
...
Edit /etc/opendkim/SigningTable:
*@mail_domain_name_1 mail._domainkey.mail_domain_name_1
*@mail_domain_name_2 mail._domainkey.mail_domain_name_2
...
# ENDIF
Edit /etc/default/opendkim
Uncomment:
SOCKET="inet:12345@localhost"
And comment out (if necessary):
SOCKET="local:/var/run/opendkim/opendkim.sock"
sudo /etc/init.d/opendkim start
If it fails, try removing the Socket line from /etc/opendkim.conf; it works on some servers and not others.
tail /var/log/mail.log
and make sure you see:
OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:12345@localhost)
vs:
OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
When DNS is propagated, edit /etc/postfix/main.cf and append:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
sudo /etc/init.d/postfix restart