How to set up DMARC for your domain.

The Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record allows an email sender (which is already using DKIM, SPF or both) to indicate to a mail receiver one or more of the following:

Indicate the mechanisms the sender uses to authenticate its email (DKIM, SPF or both). Some of this functionality is already provided for separately within DKIM (the ADSP capability) and SPF (the pre field) but DMARC enables a comprehensive definition covering both systems.

Indicate comprehensively for DKIM, SPF or both how to handle mail that fails validity checks.

Optionally request the receiver to send a feedback report (defined by the Abuse Report Format – RFC 5965 or the Incident Object Description Exchange Format – RFC 5070) which allows the mail sender to monitor and change its policies based on receiver feedback. Both individual and aggregate report formats are allowed. This capability is uniquely triggered by the DMARC RR.

DMARC can be viewed as a meta RR that describes the sender’s email policy, comprising DKIM or SPF or both, for any domain. While the draft RFC does not explicitly say anything about the ADSP feature of DKIM it does go out of its way to identify ADSP shortcomings. On balance it would probably be confusing, if not a serious mistake, to have both ADSP and DMARC RRs for any domain.

DMARC is defined by RFC 7489. The web site claims that more than 2 billion email accounts are covered by DMARC. RFC 7960 describes various methods by which what it charmingly calls ‘indirect email flows’ can be prevented from wreaking untold havoc on email delivery to DMARC-enabled recipients.

1. Single Domain Name using DKIM and SPF – Aggressive
Just add this line to your DNS zone:

_dmarc TXT ( "v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;" )

If you do not want to be aggressive, replace the policy p=reject; with p=none;
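As an added example (not part of the original post), this Python check parses a DMARC record and validates the tags used in the record above against RFC 7489. The function names and the example.com report address are assumptions made for illustration.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # trailing ';' or stray whitespace
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return a list of problems in a DMARC record; an empty list means none found."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    # Reporting tags only take effect when a report address is published.
    if "fo" in tags and "ruf" not in tags:
        problems.append("fo is ignored because no ruf address is set")
    if "ri" in tags and "rua" not in tags:
        problems.append("ri has no effect because no rua address is set")
    return problems

# The record from this page, then a constructed monitoring-only record.
PAGE_RECORD = "v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;"
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (PAGE_RECORD, SAMPLE_RECORD):
        print(record, "->", lint_dmarc(record) or "no problems found")
```

Run against the record above, it reports that fo and ri are inert: the record publishes no rua or ruf address, so receivers have nowhere to send the reports those tags tune.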


How to install DKIM with OpenDKIM and Postfix on a CentOS 7

Hello, today we install DKIM on CentOS 7 with Postfix.

# yum install opendkim

The next step is to configure OpenDKIM.

# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# vim /etc/opendkim.conf

Options should be like this:

PidFile    /var/run/opendkim/
Mode    sv
Syslog    yes
SyslogSuccess    yes
LogWhy    yes
UserID    opendkim:opendkim
Socket    inet:8891@localhost
Umask    002
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits 1024
KeyTable    refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts    refile:/etc/opendkim/TrustedHosts

Next, we have to edit /etc/opendkim/TrustedHosts

# vim /etc/opendkim/TrustedHosts

Now we edit /etc/opendkim/KeyTable

vim /etc/opendkim/KeyTable

Now OpenDKIM needs to know the relation between mail addresses and domains, so we should configure the SigningTable file.

vim /etc/opendkim/SigningTable


Now we generate one keypair for each domain

cd /etc/opendkim/keys
opendkim-genkey -D /etc/opendkim/keys/ -d -s

You will get:

[root@mail keys]# ls -l
total 8
-rw------- 1 root root 891 apr 25 22:02
-rw------- 1 root root 344 apr 25 22:02

We have to change the owner of the private keys.

[root@mail keys]# chown -R opendkim:opendkim /etc/opendkim/keys/

Restart OpenDKIM and enable it at boot:

 systemctl restart opendkim.service
 systemctl enable opendkim.service

Integrate opendkim with postfix:

 vim /etc/postfix/

and append these lines

milter_default_action = accept
smtpd_milters = inet:

Finally, the most important step is to publish your public keys in DNS.


default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+RfdjG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH+VMou3wBEULshzQK6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB" ) ; ----- DKIM key for

Restart Postfix:

 systemctl restart postfix.service

How do we test whether it works?

 dig TXT +short

P.S. In DNS, the record starts with default._domainkey IN TXT ……
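As an added example (not part of the original post), this Python check takes the TXT answer that dig prints for the DKIM record, extracts the p= key and measures the RSA modulus, so the published key can be compared with the MinimumKeyBits setting from opendkim.conf. The function names are assumptions, and the DER walk assumes the SubjectPublicKeyInfo layout that the key on this page uses.

```python
import base64
import re
MINIMUM_KEY_BITS = 1024  # MinimumKeyBits value from the opendkim.conf above

def parse_dkim_txt(dig_output):
    """Join the quoted chunks of a TXT answer and split the result into tags."""
    record = "".join(re.findall(r'"([^"]*)"', dig_output))
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def der_element(buf, pos, tag):
    """Return (start, end) of the content of the DER element `tag` found at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key")
    return pos, pos + length

def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo blob."""
    der = base64.b64decode(p_value, validate=True)
    spki, _ = der_element(der, 0, 0x30)        # outer SEQUENCE
    _, alg_end = der_element(der, spki, 0x30)  # AlgorithmIdentifier, skipped
    bits, _ = der_element(der, alg_end, 0x03)  # BIT STRING wrapping the key
    rsa, _ = der_element(der, bits + 1, 0x30)  # +1 skips the unused-bits octet
    start, end = der_element(der, rsa, 0x02)   # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(dig_output):
    """Return (key_bits, problems) for one DKIM TXT answer."""
    tags = parse_dkim_txt(dig_output)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None, ["no RSA key in p= (absent, revoked or another key type)"]
    key_bits = rsa_modulus_bits(tags["p"])
    if key_bits < MINIMUM_KEY_BITS:
        return key_bits, [f"{key_bits}-bit key is below MinimumKeyBits"]
    return key_bits, []

PAGE_ANSWER = ('"v=DKIM1; k=rsa; " "p='  # record from this page, as dig prints it
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+Rfd"
    "jG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH+VMou3wBEULshzQK"
    '6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB"')
```

check_dkim_record(PAGE_ANSWER) returns (1024, []): the published key sits exactly at the configured minimum, and a truncated or mangled p= value raises an error instead of passing silently.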

Amavisd + SpamAssassin not working? No mail header X-Spam.

If you want Amavisd to insert X-Spam-* headers in each email, decrease the Amavisd setting $sa_tag_level_deflt (in the Amavisd config file) to a very low score, e.g. -999, then restart the Amavisd service:

$sa_tag_level_deflt  = -999;

That means Amavisd will insert X-Spam-Flag and other X-Spam-* headers when email score >= -999.

Do not forget to restart the Amavisd service.


How to adjust inotify instances limit?

Q: I get a new error in the logs.

Apr 10 08:50:26 imap( Warning: Inotify instance limit for user 5000 (UID vmail) exceeded, disabling. Increase /proc/sys/fs/inotify/max_user_instances

How do we solve this?

A: Now we have:

[root@mail ~]# cat /proc/sys/fs/inotify/max_user_instances

Imap connections are:

[root@mail ~]# ss -tnp state established src \*:993 '||' src \*:143 | wc -l

We have to increase the maximum number of instances:

echo "fs.inotify.max_user_instances = 1024" >>/etc/sysctl.conf
sysctl -p

Enjoy, that is it!


CentOS 7: update PHP from 5.4.16 to 5.6.3


Today's update is about PHP.

  1. rpm -Uvh
    rpm -Uvh
  2. Second, uninstall your PHP (list the installed packages with rpm -qa | grep php)
    yum erase php-5.4.16 php-tidy php-cli php-process php-odbc php-soap php-imap php-pear php-xmlrpc php-mcrypt php-common php-pdo php-devel php-xml php-gd php-mysql php-mbstring php-mssql php-ldap php-snmp
  3. Install the new PHP
    yum install php56w php56w-opcache
    yum install php56w-mbstring php56w-cli php56w-common php56w-gd php56w-intl php56w-mcrypt php56w-pdo php56w-pear php56w-mysql php56w-process php56w-snmp php56w-soap php56w-tidy php56w-xml php56w-ldap php56w-pecl-geoip

Finally, run: systemctl restart httpd   or  /etc/init.d/httpd restart.