DEV Community

Dhiraj Chatpar

Generate 2048-bit DKIM key pair

Why Email Authentication Matters More Than Ever in 2026

Email was designed in 1982 with no authentication. Anyone could send email claiming to be from any address — the "From" field was (and remains) trivially forgeable. This is why email spam, phishing, and spoofing became existential problems.

Authentication mechanisms address this by letting the receiving server check that:

  1. The connecting server is authorized to send for the envelope-sender domain (SPF, a DNS allow-list of hosts, not cryptography)
  2. The signed headers and body were not altered after the signing domain took responsibility for the message (DKIM, a cryptographic signature)
  3. The domain in the visible From header is tied to a passing SPF or DKIM identifier, and the domain owner's published policy is applied when it is not (DMARC)

Without these, your sending domain is a forgery risk — and ISPs know it.

2024 Gmail/Yahoo requirements (mandatory for bulk senders, which Gmail defines as roughly 5,000 or more messages a day):

  • SPF and DKIM must both pass for your sending domain (smaller senders need at least one)
  • A DMARC record (at least p=none) with the From header domain aligned to the SPF or DKIM domain
  • One-click unsubscribe in headers (RFC 8058) for marketing and subscribed mail
  • Delivery over a TLS connection

Failure to comply means your emails are classified as spam or rejected entirely, regardless of content quality.


SPF: Sender Policy Framework

How SPF Works

SPF lets a domain owner publish, in DNS, the hosts allowed to send mail that uses the domain in the SMTP envelope sender (the RFC5321.MailFrom address that ends up in Return-Path, or the HELO name when MAIL FROM is empty). Receiving servers check the connecting IP against that list. SPF never looks at the visible From header; that gap is what DMARC alignment closes.

DNS lookup flow:

  1. The receiving server gets MAIL FROM:<bounce@example.com> from the connecting IP
  2. DNS query: TXT records for example.com, looking for the one that starts with v=spf1
  3. The record specifies: v=spf1 ip4:203.0.113.0/24 include:_spf.example.com ~all
  4. If the connecting IP matches a mechanism → SPF pass
  5. If it matches nothing, the all mechanism decides: -all → fail, ~all → softfail (what the receiver does with a non-pass is then driven largely by DMARC)

SPF Record Syntax

Basic SPF record:

v=spf1 ip4:203.0.113.0/24 ~all

Mechanisms:

  • ip4 (e.g. ip4:192.0.2.0/24): a specific IPv4 address or CIDR range
  • ip6 (e.g. ip6:2001:db8::/32): an IPv6 address or range
  • include (e.g. include:_spf.example.com): evaluate another domain's SPF record; matches only if that record yields pass
  • mx: the hosts named in the domain's MX records
  • a: the address(es) in the domain's A/AAAA record
  • all (~all softfail, -all fail): the default result when nothing above matches; always the last term

Important: Move from ~all to -all only once you have confirmed every legitimate sender is listed; -all asks receivers to reject unauthorized mail outright. Caveat: once DMARC is at enforcement the difference matters less, because DMARC only distinguishes pass from not-pass, and some receivers reject on SPF -all before DMARC is evaluated, which is what breaks plain forwarding. A common alternative is to keep ~all and let DMARC p=reject do the enforcing; either way, choose deliberately.

SPF for Multiple IP Ranges and Third-Party Senders

If you send through several services (your own KumoMTA IPs plus, say, SendGrid and Mailchimp), include all of them:

v=spf1 ip4:203.0.113.0/24 include:sendgrid.net include:servers.mcsv.net -all

SPF Lookup Limit Issue

Critical: SPF allows at most 10 DNS-querying terms per evaluation (RFC 7208 section 4.6.4). include, a, mx, ptr, exists and redirect= each count, and so do the terms inside every included record; ip4 and ip6 are free. Going over the limit yields permerror, which means receivers cannot use your record at all and DMARC treats SPF as failed, even for mail from correctly listed IPs.

Solution: Use include: sparingly and audit the whole include tree, not just your own record (a single vendor include can hide five lookups). Where you have many third-party senders, give each its own envelope-sender (bounce) subdomain with its own SPF record; the limit is counted per queried domain, so every subdomain gets a fresh budget of 10. Flattening includes into ip4 literals also works, but it must be re-run whenever a vendor changes IPs.
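The lookup budget is easiest to reason about by running the algorithm. The following is an added example (not code from this post) of a minimal SPF check_host in Python, evaluated against a constructed in-memory zone instead of live DNS so that it runs offline; ZONE and the hostnames and addresses in it are assumptions for illustration. It counts the DNS-querying terms as RFC 7208 does and turns the eleventh into permerror, and it also shows how an include only matches when the included record yields pass, which is why a vendor's own ~all never authorizes your mail.

```python
"""Minimal SPF check_host (RFC 7208) against an in-memory zone, counting the
DNS-querying terms so the 10-lookup limit is visible.  Added example; the zone,
hostnames and addresses below are constructed, not real records."""
import ipaddress

MAX_LOOKUPS = 10                                 # RFC 7208 section 4.6.4
DNS_MECHANISMS = {"a", "mx", "ptr", "exists"}    # need DNS; not resolved offline
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

ZONE = {
    "example.com":        "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all",
    "_spf.example.com":   "v=spf1 ip6:2001:db8::/32 include:vendor.example.net ~all",
    "vendor.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    # example.org chains twelve includes: more than the limit allows
    "example.org":        "v=spf1 include:hop0.example.org -all",
    **{f"hop{i}.example.org": f"v=spf1 include:hop{i + 1}.example.org -all"
       for i in range(11)},
    "hop11.example.org":  "v=spf1 -all",
}


class PermError(Exception):
    """Malformed record, included domain without a record, or too many lookups."""


class SpfChecker:
    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0

    def _count_lookup(self):
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS-querying terms")

    def check_host(self, ip, domain, nested=False):
        """Evaluate domain's SPF record for the connecting address."""
        if isinstance(ip, str):
            ip = ipaddress.ip_address(ip)
        record = self.zone.get(domain)
        if record is None or not record.startswith("v=spf1"):
            if nested:                      # RFC 7208 section 5.2
                raise PermError(f"{domain} has no SPF record")
            return "none"
        redirect = None
        for term in record.split()[1:]:
            if term.startswith("redirect="):
                redirect = term.split("=", 1)[1]   # applies only if nothing matches
                continue
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            if name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                if ip.version == net.version and ip in net:
                    return QUALIFIERS[qualifier]
            elif name == "include":
                self._count_lookup()
                if self.check_host(ip, arg, nested=True) == "pass":
                    return QUALIFIERS[qualifier]
            elif name == "all":
                return QUALIFIERS[qualifier]
            elif name in DNS_MECHANISMS:
                self._count_lookup()        # counted, but never matches offline
            else:
                raise PermError(f"unknown term {term!r} in {domain}")
        if redirect is not None:
            self._count_lookup()
            return self.check_host(ip, redirect, nested=True)
        return "neutral"


def spf_result(zone, ip, domain):
    """Return (result, lookups_used).  permerror means receivers ignore the
    record entirely and DMARC treats SPF as failed."""
    checker = SpfChecker(zone)
    try:
        return checker.check_host(ip, domain), checker.lookups
    except PermError:
        return "permerror", checker.lookups


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.9", "example.com"),
                       ("192.0.2.1", "example.com"), ("192.0.2.1", "example.org")]:
        print(domain, ip, spf_result(ZONE, ip, domain))
```

The example.org chain shows that the overrun happens several includes deep, somewhere you cannot see from your own record. The a, mx, ptr and exists mechanisms are counted but never resolved here; a real evaluator queries them, and ptr is deprecated and best left out of new records.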

SPF in KumoMTA

SPF is evaluated by the receiving server, not by KumoMTA, so there is nothing to switch on in the MTA itself. What matters is that every egress IP KumoMTA sends from is listed in the SPF record of the domain you use in MAIL FROM (the bounce domain), which may differ from the From header domain:

v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 include:_spf.example.com -all

DKIM: DomainKeys Identified Mail

How DKIM Works

DKIM attaches a cryptographic signature (the DKIM-Signature header) to each outbound message. It covers a chosen set of headers plus a hash of the body, and names the signing domain (d=) and selector (s=). The receiver fetches the public key from s._domainkey.d in DNS and verifies the signature; if it verifies, DKIM passes, regardless of which IP delivered the message. Whether d= matches the From header domain is a separate question, answered by DMARC alignment rather than by DKIM itself.

Why DKIM matters more than SPF in 2026:

  • SPF fails for forwarded mail (the forwarding server's IP isn't in your SPF record)
  • DKIM survives forwarding as long as the forwarder leaves the signed headers and the body untouched; mailing lists that add subject tags or footers still break it
  • Gmail and Yahoo require DKIM (alongside SPF) for bulk sender compliance

Generate DKIM Keys

# Generate a 2048-bit RSA DKIM key pair. 2048 is the recommended size;
# RFC 8301 requires verifiers to reject keys shorter than 1024 bits.
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

# The private key must be readable only by the MTA's user
chmod 600 dkim_private.pem

# File naming convention: SELECTOR._domainkey.DOMAIN
# Example: mail._domainkey.example.com
mv dkim_private.pem mail._domainkey.example.com.pem

# The DNS p= value is the base64 body of the public key with the
# BEGIN/END lines and line breaks removed
grep -v '^-----' dkim_public.pem | tr -d '\n'

Selector convention: Use mail as your default selector. For multiple sending systems, use distinct selectors: kumo._domainkey, sendgrid._domainkey, etc. Selectors are also how you rotate keys: publish the new key under a new selector, switch signing to it, and only remove the old record once mail signed with the old key has stopped arriving at receivers.

DKIM DNS Record

Publish the public key as a TXT record at selector._domainkey.domain:

mail._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

A 2048-bit key's p= value is 392 characters, longer than the 255-octet limit on a single TXT string, so most DNS providers require the record to be split into two quoted strings ("v=DKIM1; k=rsa; p=MIIB..." "...AQAB"), which verifiers concatenate. A record that was silently truncated to the first string is a common cause of DKIM failing everywhere at once.

Verify your DKIM:

# Using dig: the answer should be one TXT record starting with v=DKIM1
dig TXT mail._domainkey.example.com +short

# Send a test message to a mailbox you control and read the
# Authentication-Results header the receiver adds; it should contain
# dkim=pass header.d=example.com

# Using a DKIM checker
# https://dkimcore.org/tools/
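How the p= value gets from the PEM file into DNS, and what the verifier does with the answer, as an added example in Python (not from the post or any MTA). The public key below is a constructed placeholder of the right length for a 2048-bit RSA SubjectPublicKeyInfo, not a real key; the selector, the domain and the 255-octet chunking are the only other assumptions.

```python
"""Build a DKIM TXT record from a PEM public key and parse it back the way a
verifier does.  Added example; SAMPLE_PEM is a constructed placeholder, not a
usable key."""
import base64

TXT_STRING_MAX = 255   # RFC 1035: each <character-string> in TXT RDATA is <= 255 octets


def chunks(text, size):
    """Fixed-size slices; used for PEM lines (64) and TXT strings (255)."""
    return [text[i:i + size] for i in range(0, len(text), size)]


# Constructed placeholder: base64 of 294 arbitrary bytes, which is the DER length
# of a real 2048-bit RSA SubjectPublicKeyInfo (392 base64 characters).
FAKE_SPKI_B64 = base64.b64encode(bytes(range(256)) + bytes(range(38))).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(chunks(FAKE_SPKI_B64, 64))
              + "\n-----END PUBLIC KEY-----\n")


def pem_body(pem):
    """Strip the PEM armour and line breaks: the base64 SubjectPublicKeyInfo."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def dkim_rdata(pem, key_type="rsa"):
    """The logical record value (RFC 6376 section 3.6.1)."""
    return f"v=DKIM1; k={key_type}; p={pem_body(pem)}"


def split_txt(rdata):
    """Split the value into quoted-string-sized pieces; DNS servers and many
    provider UIs refuse a single string longer than 255 octets."""
    return chunks(rdata, TXT_STRING_MAX)


def dkim_txt_record(pem, selector, domain):
    """Zone-file line for SELECTOR._domainkey.DOMAIN."""
    strings = " ".join(f'"{s}"' for s in split_txt(dkim_rdata(pem)))
    return f"{selector}._domainkey.{domain}. IN TXT {strings}"


def parse_dkim_record(strings):
    """Verifier side: concatenate the TXT strings, then parse tag=value pairs.
    Whitespace inside a value (common in p=) is allowed and ignored."""
    joined = "".join(strings)
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


if __name__ == "__main__":
    print(dkim_txt_record(SAMPLE_PEM, "mail", "example.com"))
```

Reading the record back through parse_dkim_record with only the first string simulates a provider that dropped the second one: the parsed p= no longer equals the key you generated, which is exactly the failure the dig check above is meant to catch.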

DKIM Setup in KumoMTA

-- /opt/kumomta/etc/policy/init.lua (KumoMTA policy is Lua, loaded at start-up)

-- DKIM signing: build a signer and apply it to each received message.
-- kumo.dkim.rsa_sha256_signer and msg:dkim_sign are the KumoMTA APIs;
-- in production the signer is usually memoized per domain/selector.
local function sign_with(msg, domain, selector, key_file)
    local signer = kumo.dkim.rsa_sha256_signer {
        domain = domain,
        selector = selector,
        -- Sign these headers for best compatibility; From is mandatory (RFC 6376)
        headers = {
            "From",
            "To",
            "Subject",
            "Date",
            "Message-ID",
            "Content-Type",
            "MIME-Version",
        },
        key = key_file,
    }
    msg:dkim_sign(signer)
end

-- Multi-tenant DKIM (different domains/selectors per customer).
-- This table-backed lookup is a placeholder; replace it with your own
-- (database, config file, etc.), keyed by tenant metadata.
local TENANT_DKIM = {
    customer1 = {
        domain = "customer1.example.com",
        selector = "kumo",
        key_file = "/opt/kumomta/etc/dkim/customer1.example.com/kumo.key",
    },
}
local function get_tenant_dkim_config(tenant)
    return TENANT_DKIM[tenant]
end

kumo.on("smtp_server_message_received", function(msg)
    local tenant = msg:get_meta("tenant") or "default"
    local tenant_config = get_tenant_dkim_config(tenant)

    if tenant_config then
        sign_with(msg, tenant_config.domain, tenant_config.selector, tenant_config.key_file)
    else
        sign_with(msg, "example.com", "mail",
                  "/opt/kumomta/etc/dkim/example.com/mail.key")
    end
end)

DKIM in PowerMTA

# /etc/pmta/config
# domain-key <selector>,<domain>,<private key file>  (file readable by the pmta user only)
domain-key mail,example.com,/etc/pmta/dkim/mail.example.com.pem

# Sign all outbound mail, whatever the destination domain
<domain *>
    dkim-sign yes
</domain>

DKIM in Postfix (via OpenDKIM)

# /etc/opendkim.conf
# Mode s = sign only; use sv to also verify inbound mail
Mode s
# relaxed header canonicalization tolerates the whitespace rewrites relays make
Canonicalization relaxed/simple
Socket inet:8891@localhost
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table

# /etc/opendkim/key.table   (key name   domain:selector:private-key-path)
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

# /etc/opendkim/signing.table   (sender pattern -> key name; refile: allows wildcards)
*@example.com mail._domainkey.example.com

# /etc/postfix/main.cf: hand outbound mail to the milter
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

DMARC: Domain-based Message Authentication, Reporting & Conformance

How DMARC Works

DMARC ties SPF and DKIM to the visible From header through domain alignment. It passes when at least one of SPF or DKIM passes with a domain aligned to the From domain; it tells receivers what to do when neither does; and it sends you aggregate reports about who is sending with your domain and how that mail authenticates.

DMARC record format:

_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

Parameters:

  • v=DMARC1 — Version tag; must come first
  • p= — Policy for the domain itself: none (monitor only), quarantine (deliver to spam), reject (refuse at SMTP time)
  • rua= — Aggregate report destination (email); reports arrive as XML, typically once a day per receiver
  • ruf= — Failure (forensic) report destination; few large receivers send these, so do not depend on them
  • pct= — Percentage of failing mail the policy applies to; the remainder gets the next weaker policy. Ramp from a low value up to 100
  • sp= — Policy for subdomains; defaults to the value of p
  • adkim= — DKIM alignment mode: r (relaxed, the default) or s (strict)
  • aspf= — SPF alignment mode: r (relaxed, the default) or s (strict)

DMARC Alignment Modes

Relaxed alignment (r): the organizational domains must match, so a subdomain on either side is acceptable.

  • From: newsletter@mail.example.com aligns with DKIM d=example.com (and with d=news.example.com)

Strict alignment (s): the domains must match exactly.

  • From: newsletter@example.com requires DKIM d=example.com
  • From: newsletter@mail.example.com requires DKIM d=mail.example.com

For SPF the identifier compared with the From domain is the MAIL FROM (Return-Path) domain, which is why a vendor that bounces through its own domain can pass SPF and still fail alignment.
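A small evaluator for the alignment rules above, added here as an example in Python; it is not the post's code. It parses a DMARC record with its defaults, applies relaxed or strict alignment to the SPF and DKIM identifiers, and picks p= or sp= for the disposition. The organizational-domain rule is simplified to the last two labels (an assumption; real receivers use the Public Suffix List, which matters for names like example.co.uk), and pct= sampling is parsed but not applied. The records and domains are constructed.

```python
"""DMARC record parsing and identifier alignment (RFC 7489 sections 3.1 and 6.3).
Added example with constructed records; org_domain() is a simplification."""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Tag=value list.  v=DMARC1 must be first and p is mandatory; the other
    tags get their RFC 7489 defaults."""
    if not txt.strip().startswith("v=DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")      # parsed, but sampling is not applied here
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.  Real
    implementations consult the Public Suffix List (example.co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict: exact match.  Relaxed: same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_results):
    """spf_domain is the RFC5321.MailFrom domain SPF was evaluated for;
    dkim_results is a list of (result, d=) pairs, one per signature.
    Returns (dmarc_result, disposition) where disposition is the policy a
    receiver should apply ("none" when DMARC passes)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags["adkim"])
                  for result, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A From subdomain is governed by sp= when the record lives on the org domain
    policy = tags["p"] if org_domain(from_domain) == from_domain.lower() else tags["sp"]
    return "fail", policy


# Constructed record for example.com
RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    # Forwarded mail: SPF breaks, the aligned DKIM signature still carries it
    print(dmarc_evaluate(RECORD, "example.com", "fail", "forwarder.example.net",
                         [("pass", "example.com")]))
    # Third-party sender: SPF and DKIM both pass, neither is aligned
    print(dmarc_evaluate(RECORD, "example.com", "pass", "bounces.sendgrid.net",
                         [("pass", "sendgrid.net")]))
```

The third-party case is the one that surprises people: Authentication-Results shows spf=pass and dkim=pass, yet DMARC fails, because both identifiers belong to the vendor. The fix is a DKIM signature with d= under your own domain (a custom selector the vendor signs with) or a bounce domain under your domain for SPF.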

DMARC Reporting

DMARC aggregate reports (sent to rua=) tell you:

  • Which sources are sending mail for your domain
  • SPF pass/fail rates
  • DKIM pass/fail rates
  • Which messages pass or fail alignment

Free DMARC analyzers:

  • dmarcian.com (free tier)
  • mxtoolbox.com (DMARC lookup + reports)
  • postmarkapp.com (DMARC report parsing)

DMARC for Multi-Tenant Senders

If you send for multiple brands (SaaS platform), use subdomains for each customer:

_dmarc.customer1.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

This isolates each customer's DMARC policy while you still aggregate the reports. A subdomain with no _dmarc record of its own falls back to the organizational domain's record and its sp= policy, so set sp= on example.com deliberately rather than relying on the default.


BIMI: Brand Indicators for Message Identification

BIMI displays your brand logo next to your messages in supporting mail clients (Gmail, Apple Mail, Yahoo Mail, Fastmail). It adds nothing to authentication itself and is not required for deliverability, but it is a visible reward for getting DMARC to enforcement.

BIMI requirements:

  1. DMARC at enforcement: p=quarantine (with pct=100) or p=reject, and sp must not be none
  2. An SVG Tiny PS logo served over HTTPS and a BIMI record published in DNS
  3. For Gmail and most other clients that show logos, a Verified Mark Certificate (VMC), or since 2024 a Common Mark Certificate, issued by a Mark Verifying Authority; a VMC requires the logo to be a registered trademark

BIMI DNS record:

default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi.pem"

Mark Verifying Authorities that issue VMCs:

  • DigiCert
  • Entrust

MTA-STS: SMTP MTA Strict Transport Security

MTA-STS (RFC 8461) lets a receiving domain publish, through DNS and HTTPS, that its MX hosts support TLS and that senders must use it. STARTTLS on its own is opportunistic: an attacker on the path can strip the STARTTLS offer and the sending server silently falls back to cleartext. With an MTA-STS policy in enforce mode, a compliant sending MTA refuses to deliver unless it reaches a listed MX over TLS with a certificate that validates for that MX name.

MTA-STS policy file (serve it over HTTPS at https://mta-sts.example.com/.well-known/mta-sts.txt, with Content-Type text/plain and a certificate valid for mta-sts.example.com; start in mode: testing with TLS-RPT reporting (RFC 8460) before switching to enforce):

version: STSv1
mode: enforce
mx: mail.example.com
mx: mail2.example.com
max_age: 86400

MTA-STS DNS record (note the leading underscore and the STSv1 version string; senders only re-fetch a cached policy when id changes, so bump it on every edit):

_mta-sts.example.com IN TXT "v=STSv1; id=20260101T000000Z"

MTA-STS in KumoMTA:

MTA-STS is a sender-side check: the receiving domain publishes the policy, and it is KumoMTA, as the sender, that must fetch and honour it. That is configured per egress path rather than through a global TLS setting:

-- /opt/kumomta/etc/policy/init.lua
kumo.on("get_egress_path_config", function(domain, egress_source, site_name)
    return kumo.make_egress_path {
        -- Honour the destination's MTA-STS policy (enforce mode means TLS is required)
        enable_mta_sts = true,
        -- Honour DANE TLSA records where the destination zone is DNSSEC-signed
        enable_dane = true,
        -- Opportunistic everywhere else; "Required" would refuse cleartext to every destination
        enable_tls = "Opportunistic",
    }
end)

DANE: DNS-based Authentication of Named Entities

DANE for SMTP (RFC 7672) publishes TLSA records that pin the certificate or public key a sending MTA must see when it connects to your MX, independently of the web PKI. It only works if the zone is DNSSEC-signed: an unsigned TLSA record can be spoofed as easily as the MX record it protects, so validating senders ignore it. Compared with MTA-STS it needs no HTTPS endpoint and cannot be downgraded by blocking a policy fetch, but it requires DNSSEC on the receiver's zone and a validating resolver at the sender.

DANE TLSA record (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256):

_25._tcp.mail.example.com IN TLSA 3 1 1 <certificate_hash>

With selector 1 the hash is of the public key rather than the whole certificate, so routine certificate renewals do not change the record as long as the key pair is reused. Not widely deployed among the large consumer mailbox providers yet, but important for high-security environments and mandated by some national government mail standards.


Authentication Checklist by Platform

Requirement           KumoMTA          PowerMTA          Postfix             SendGrid      Amazon SES
SPF                   ✓ Config in DNS  ✓ Config in DNS   ✓ Config in DNS     ✓ Built-in    ✓ Built-in
DKIM                  ✓ Lua config     ✓ Built-in        ✗ OpenDKIM needed   ✓ Built-in    ✓ Built-in
DMARC                 ✓ DNS            ✓ DNS             ✓ DNS               ✓ DNS         ✓ DNS
TLS 1.3               ✓ Native         ✓ Config          ✓ Config
MTA-STS               ✓ (receiving)    ✓ (receiving)     ✓ (receiving)
1-click unsubscribe   ✓ Lua            ✓ Config

Common Authentication Failures

SPF Failures

Symptom: SPF fails for some recipients
Common causes:

  • Sending from a new IP not in the SPF record → add the IP or range to the record
  • A third-party sender not in SPF → add its include, and keep the total lookup count under 10
  • The MAIL FROM domain is not the one you edited (vendor bounce domain, subdomain) → fix the record for the domain actually used in the envelope
  • Forwarding breaks SPF → treat DKIM as primary and SPF as secondary; a forwarder that rewrites the envelope sender (SRS) is the other fix, but it is under the forwarder's control
  • permerror from too many lookups or a syntax error → validate the whole include tree, not just your own record

DKIM Failures

Symptom: DKIM fail for mail you know was signed
Common causes:

  • Selector mismatch or unpublished key → the s= and d= tags in DKIM-Signature must resolve to the TXT record you published; check with dig
  • Message altered after signing → a mailing list adding a subject tag or footer, a relay re-encoding the body, or a gateway rewriting a signed header; sign as the last step before handoff and do not sign volatile headers
  • Public key truncated or mis-split in DNS → compare the p= value a verifier sees with your PEM; 2048-bit keys need two TXT strings
  • DKIM passes but DMARC fails → d= is not aligned with the From domain; that is an alignment problem, not a signature problem
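The "message altered after signing" case from the list above (and the forwarding caveat in the DKIM section) can be reproduced without any key material, because the first thing a verifier checks is the bh= body hash. The following added example in Python (not from the post) implements RFC 6376 body canonicalization in both simple and relaxed form, computes bh= on the signing side, and checks it on the verifying side; the message, the footer and the signing domain are constructed. The RSA b= value is left empty because it needs the private key and is not what this example is about.

```python
"""DKIM body canonicalization and the bh= check (RFC 6376 sections 3.4 and 3.7).
Added example; the message and DKIM-Signature values below are constructed."""
import base64
import hashlib
import re


def canonicalize_body(body, mode):
    """simple: drop trailing empty lines, end with CRLF (empty body -> CRLF).
    relaxed: also collapse runs of WSP to one space and strip trailing WSP on
    every line (empty body -> empty)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="relaxed"):
    """bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_tags(header_value):
    """tag=value list of a DKIM-Signature; whitespace inside values is ignored."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def build_signature_header(body, body_mode="relaxed"):
    """Signer side, bh= only.  b= needs the private key and is left empty here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{body_mode}; d=example.com; s=mail; "
            f"h=from:to:subject:date; bh={body_hash(body, body_mode)}; b=")


def check_body_hash(dkim_signature_value, body):
    """Verifier side: recompute bh= with the c= body mode and compare.  A
    mismatch fails the signature before b= is even looked at."""
    tags = parse_tags(dkim_signature_value)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags["bh"]


# Constructed message body as signed by the sender
BODY = b"Hello,\r\n\r\nYour order has shipped.\r\n-- \r\nExample Shop\r\n"
# The same body after a mailing list appended its footer
WITH_FOOTER = BODY + b"\r\n_______________\r\nlist-users mailing list\r\n"
# The same body after a relay re-flowed whitespace and added blank lines
RESPACED = b"Hello,  \r\n\r\nYour order has   shipped.\r\n-- \r\nExample Shop\r\n\r\n\r\n"

if __name__ == "__main__":
    sig = build_signature_header(BODY)
    print("original    ", check_body_hash(sig, BODY))
    print("with footer ", check_body_hash(sig, WITH_FOOTER))
    print("respaced    ", check_body_hash(sig, RESPACED))
```

Relaxed body canonicalization absorbs whitespace rewrites, which is why relaxed/relaxed is the usual choice, but nothing absorbs an appended footer: the only remedies for mailing-list traffic are the list re-signing with its own domain or ARC, neither of which you control as the original sender.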

DMARC Failures

Symptom: DMARC fails even with SPF and DKIM passing
Common causes:

  • Alignment → the passing identifier (DKIM d= or the SPF MAIL FROM domain) must match the From domain, or share its organizational domain in relaxed mode; a vendor passing with its own domain does not count
  • Strict mode set too early → keep adkim=r and aspf=r until the aggregate reports show every source aligned
  • Subdomain policy → a From subdomain with no _dmarc record of its own is governed by the organizational domain's sp= tag; set sp= explicitly or publish a record on the subdomain

FAQ

Q: Can I have both SPF and DKIM fail and still pass DMARC?
A: No. DMARC requires at least one of SPF or DKIM to pass with a domain aligned to the From domain. Both failing means DMARC fails, and a pass without alignment counts as a fail as well.

Q: Should I start with DMARC policy p=none or go straight to p=quarantine?
A: Start with p=none for 2-4 weeks to collect aggregate reports and see your authentication baseline, including legitimate sources you had forgotten about. Then move to p=quarantine, then p=reject, raising pct as you go.

Q: Does DMARC override SPF or DKIM?
A: No. DMARC is a policy and reporting layer on top of SPF and DKIM and needs only one aligned pass to succeed. Configure both anyway: SPF fails on forwarded mail and DKIM fails when a message is modified in transit, so each covers the other's gap.

Q: How do I handle SPF for email forwarded by recipients?
A: This is a known limitation of SPF. Use DKIM as your primary authentication; it survives forwarding as long as the forwarder leaves the signed headers and body alone. Forwarders that rewrite the envelope sender (SRS) keep SPF passing too, but that is the forwarder's decision, not yours.

Q: What's the DMARC 10% pct limit for?
A: It lets you ramp up enforcement. With p=reject and pct=10, 10% of failing messages are rejected and the other 90% get the next weaker policy, quarantine (with p=quarantine, the remainder is treated as p=none). Raise it to 100 once every legitimate source aligns; note that BIMI requires pct=100.


Get Help With Email Authentication

PostMTA audits and implements full email authentication for enterprise senders:

  • SPF, DKIM, DMARC audit and configuration
  • Multi-tenant DKIM setup for SaaS platforms
  • DMARC report analysis and policy optimization
  • Gmail/Yahoo 2024 compliance implementation
  • BIMI and MTA-STS deployment

👉 Schedule authentication audit →

For related guides, see KumoMTA Setup Guide, IP Warmup Strategies, and Bounce Rate Reduction Guide.

References: RFC 7208 (SPF) | RFC 6376 (DKIM) | RFC 7489 (DMARC) | RFC 8301 (DKIM key sizes) | RFC 8461 (MTA-STS) | RFC 7672 (DANE for SMTP) | RFC 8058 (one-click unsubscribe) | Google Postmaster Tools
