Add a new sender domain to an existing POSTFIX mail server – a step by step guide


In this guide we will add, step by step, a new sender domain to an existing POSTFIX mail server. Say your existing server already sends email on behalf of the example.com domain [the manual to set up such a mail server is here], and you want to add a new sender domain, new-server.com:

Edit the signing table /etc/opendkim/signing.table with your favorite editor:

sudo nano /etc/opendkim/signing.table

And add to it the following line:

*@new-server.com sendonly._domainkey.new-server.com

Save the file and move on to the key table at /etc/opendkim/key.table:

sudo nano /etc/opendkim/key.table

and add the following line to it (the existing entry for example.com stays in place):

sendonly._domainkey.new-server.com new-server.com:sendonly:/etc/opendkim/keys/new-server.com/sendonly.private

Save and exit that file, and finally open the trusted hosts file at /etc/opendkim/trusted.hosts:

sudo nano /etc/opendkim/trusted.hosts

and add the following line at the end of it:

*.new-server.com

Since this server already sends for several domains, trusted.hosts will contain one such line per domain.

We now need to generate a private key to sign outgoing emails and a public key for receiving SMTP servers to verify the DKIM signature. The public key will be published in the DNS settings for your domain(s). Perform the following for each domain you wish to send on behalf of:

Create a separate folder for the domain you want to generate keys for (replacing new-server.com with your domain):

sudo mkdir /etc/opendkim/keys/new-server.com

Then generate the keys for the new domain using:

sudo opendkim-genkey -b 2048 -d new-server.com -D /etc/opendkim/keys/new-server.com -s sendonly -v

sudo chown opendkim:opendkim /etc/opendkim/keys/new-server.com/sendonly.private

Note that sendonly is still the selector here; it is the part before ._domainkey in the name of our DNS record. Now display the public key, which has to go into the DNS record:

sudo cat /etc/opendkim/keys/new-server.com/sendonly.txt

This prints an unholy amount of information we do not need, since our domain provider (Namecheap) manages the formatting for us. The output looks like the following:

sendonly._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVVC8RGSynFIN18JekVJlstZifu1BZG85y8F4Ir/IJ5Uvmjk3kTG0fFpckCogWFUYKtWonnDpokdJ2RiH5xZGQ56/C6D6Ms3wkkuL4n472DkJLXEHwOkv44acF7eA9sBm+lM+T4OHsKmopfmpTf2Kv20WmgCGZO46w+14eRmGWz7yr94OwF6a8Pyxdz5mGheOItnywLHgM8OoT"
	  "xkFqwruvVP0X/RKNh/ehDBZRk3fW0I5MD+iHT2+sReNH4jjQRiMp6weVvn3FDo3UdpwKAGZseRCdP0ZZ1+W5KJ8usIuyLeVSiOUCH+COAo5sKVergj3UgN8279thgsiX+Wi86QOQIDAQAB" )  ; ----- DKIM key sendonly for new-server.com

From the above output we see that we need to set a TXT record in the DNS settings for the domain new-server.com with the host sendonly._domainkey, and that its value needs to be formatted like the following:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVVC8RGSynFIN18JekVJlstZifu1BZG85y8F4Ir/IJ5Uvmjk3kTG0fFpckCogWFUYKtWonnDpokdJ2RiH5xZGQ56/C6D6Ms3wkkuL4n472DkJLXEHwOkv44acF7eA9sBm+lM+T4OHsKmopfmpTf2Kv20WmgCGZO46w+14eRmGWz7yr94OwF6a8Pyxdz5mGheOItnywLHgM8OoTxkFqwruvVP0X/RKNh/ehDBZRk3fW0I5MD+iHT2+sReNH4jjQRiMp6weVvn3FDo3UdpwKAGZseRCdP0ZZ1+W5KJ8usIuyLeVSiOUCH+COAo5sKVergj3UgN8279thgsiX+Wi86QOQIDAQAB

To export the TXT record you can use:

sudo cat /etc/opendkim/keys/new-server.com/sendonly.txt >> new-server.txt

Notice that the value of the DNS record is the text between the brackets ( ) with the quotation marks and the line breaks removed. Once this has been set in the DNS record for the domain, you can test that the key is properly published with:

sudo opendkim-testkey -d new-server.com -s sendonly -vvv

Note that you may have to wait for the DNS records to propagate first (set the TTL of the TXT record to 1 minute if you want it done quickly). If you see a "key not secure" message, don't panic: it only means DNSSEC isn't enabled on the domain name.
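The formatting step above (quoted strings and line breaks out, one flat value in) is easy to get wrong by hand, so here is a small checker, added for this guide and not part of OpenDKIM or the original setup, that does the conversion and sanity-checks the result. It reads the sendonly.txt layout that opendkim-genkey writes (the sample below is the key printed above, reassembled into the tool's own layout), flattens it to the value a provider's web form expects, splits it into the 255-character strings that providers without automatic chunking require, and parses the p= tag far enough to report the RSA key size. All function names are assumptions of this example.

```python
import base64
import re

# Constructed sample input: the sendonly.txt that opendkim-genkey writes for
# new-server.com, in the tool's own line-wrapped layout (key taken from the guide).
SENDONLY_TXT = (
    'sendonly._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVVC8RGSynFIN18JekVJlstZif'
    'u1BZG85y8F4Ir/IJ5Uvmjk3kTG0fFpckCogWFUYKtWonnDpokdJ2RiH5xZGQ56/C6D6Ms3wkkuL4n47'
    '2DkJLXEHwOkv44acF7eA9sBm+lM+T4OHsKmopfmpTf2Kv20WmgCGZO46w+14eRmGWz7yr94OwF6a8Py'
    'xdz5mGheOItnywLHgM8OoT"\n'
    '\t  "xkFqwruvVP0X/RKNh/ehDBZRk3fW0I5MD+iHT2+sReNH4jjQRiMp6weVvn3FDo3UdpwKAGZs'
    'eRCdP0ZZ1+W5KJ8usIuyLeVSiOUCH+COAo5sKVergj3UgN8279thgsiX+Wi86QOQIDAQAB" )'
    '  ; ----- DKIM key sendonly for new-server.com\n'
)


def flatten_dkim_txt(genkey_output: str) -> str:
    """Join the quoted strings of an opendkim-genkey .txt file into the single
    value a DNS provider's form expects (quotes and line breaks removed)."""
    return "".join(re.findall(r'"([^"]*)"', genkey_output))


def parse_dkim_tags(value: str) -> dict:
    """Split 'v=DKIM1; h=sha256; k=rsa; p=...' into a tag -> value dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def split_txt_strings(value: str, limit: int = 255) -> list:
    """A single DNS TXT string is at most 255 bytes; longer values are published
    as several consecutive strings that the verifier concatenates again."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value: str) -> int:
    """Decode the p= tag (a DER SubjectPublicKeyInfo) and return the RSA modulus size."""
    spki = base64.b64decode(p_value, validate=True)
    tag, body, _ = _der_tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, pos = _der_tlv(body, 0)               # AlgorithmIdentifier (rsaEncryption)
    tag, bitstring, _ = _der_tlv(body, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected a BIT STRING holding the RSA key")
    _, rsa_key, _ = _der_tlv(bitstring[1:], 0)  # skip unused-bits byte -> RSAPublicKey
    _, modulus, _ = _der_tlv(rsa_key, 0)        # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(genkey_output: str, selector: str, domain: str) -> dict:
    """Produce the host/value pair to publish plus a list of problems found."""
    value = flatten_dkim_txt(genkey_output)
    tags = parse_dkim_tags(value)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa keys are handled by this checker")
    bits = rsa_modulus_bits(tags["p"]) if tags.get("p") else 0
    if bits < 1024:
        problems.append("RSA key shorter than 1024 bits; verifiers reject it (RFC 8301)")
    elif bits < 2048:
        problems.append("RSA key shorter than 2048 bits; RFC 8301 recommends 2048")
    return {
        "host": f"{selector}._domainkey",            # what goes in the provider's host field
        "fqdn": f"{selector}._domainkey.{domain}",   # the full record name verifiers query
        "value": value,
        "bits": bits,
        "strings": split_txt_strings(value),
        "problems": problems,
    }


if __name__ == "__main__":
    result = check_dkim_record(SENDONLY_TXT, "sendonly", "new-server.com")
    print(result["host"], result["bits"], "bits", result["problems"] or "ok")
    print(result["value"])
```

Run it with the real file by replacing SENDONLY_TXT with `open("/etc/opendkim/keys/new-server.com/sendonly.txt").read()`; the printed value is exactly the string to paste into the provider's TXT field, and a non-empty problems list means the record should not be published as is.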

Setting up DMARC record

To set the DMARC record, enter the following as the value for a TXT record into your DNS settings for your domain:

v=DMARC1; p=quarantine

with the host set to _dmarc.

Setting up SPF record

If you want to send email as another domain or subdomain, say example.net or mail.example.com, you need to tell receiving servers that mail for example.net may legitimately come from the example.com host. This is done with an SPF record for example.net that lists the IP addresses and the hostname of the example.com mail server. For the case where mail.example.com is the sender for other domains:

Set a TXT record with host @ and the following value (the ip4 addresses shown are placeholders; replace them with your server's real public addresses):

v=spf1 ip4:111.222.333.444 ip4:555.666.777.888 a:mail.example.com include:mail.example.com include:_spf.google.com ~all
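To see how a receiver actually uses that record, here is a small SPF evaluator and syntax checker, added for this guide and not part of Postfix or the original setup. It implements the ip4, ip6, a, include and all mechanisms of RFC 7208 with the 10-lookup limit, against a constructed DNS table (the addresses are from the documentation ranges, the function names are this example's own) so it runs offline; mx, ptr and exists are not modelled. The syntax check also flags the placeholder addresses of the record above, which is the kind of mistake that leaves a record permanently broken if published as is.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups, so this runs offline.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
FAKE_DNS = {
    ("example.net", "TXT"): ["v=spf1 a:mail.example.com include:mail.example.com -all"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ~all"],
}

# The record from the guide, with its placeholder addresses.
GUIDE_RECORD = ("v=spf1 ip4:111.222.333.444 ip4:555.666.777.888 a:mail.example.com "
                "include:mail.example.com include:_spf.google.com ~all")

RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term: str):
    """'~ip4:10.0.0.0/8' -> ('~', 'ip4', '10.0.0.0/8'); default qualifier is '+'."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def validate_spf_syntax(record: str) -> list:
    """Return the problems found in a record without doing any DNS lookups."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are not checked here
            continue
        _, name, arg = _split_term(term)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if (name == "ip4") != (net.version == 4):
                    problems.append(f"{term}: address family does not match mechanism")
            except ValueError:
                problems.append(f"{term}: not a valid address or CIDR block")
        elif name not in ("a", "mx", "ptr", "exists", "include", "all"):
            problems.append(f"{term}: unknown mechanism")
    return problems


def check_host(ip: str, domain: str, dns: dict, lookups=None) -> str:
    """Evaluate domain's SPF record for the sending IP (subset of RFC 7208)."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    records = [r for r in dns.get((domain, "TXT"), []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not modelled here
        qualifier, name, arg = _split_term(term)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups[0] += 1
            host = arg or domain
            answers = dns.get((host, "A"), []) + dns.get((host, "AAAA"), [])
            matched = any(addr == ipaddress.ip_address(a) for a in answers)
        elif name == "include":
            lookups[0] += 1
            matched = check_host(ip, arg, dns, lookups) == "pass"
        else:
            return "permerror"  # mx, ptr, exists are not modelled in this example
        if lookups[0] > 10:
            return "permerror"  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms
        if matched:
            return RESULT_OF[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.net", FAKE_DNS))
    print("guide record problems:", validate_spf_syntax(GUIDE_RECORD))
```

The sample shows the include chain from the guide at work: mail.example.com is authorised for example.net both through its A record and through the included record, while an unlisted address ends at -all and fails. Run validate_spf_syntax on your own record before publishing it; a receiver that hits an unparsable ip4 term returns permerror, which most receivers treat as no SPF at all.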

Restart

Now restart opendkim, Postfix and Dovecot with:

sudo systemctl restart opendkim postfix
sudo systemctl restart dovecot

Finally, test by sending an email to yourself with the swaks tool (it should already be installed if you followed the setup guide):

swaks --to yourself@your-domain.com --from info@new-server.com --server localhost

Once you receive the email, view its source and check the headers: there should be a DKIM-Signature header for new-server.com, and the receiver's Authentication-Results header should show dkim=pass and spf=pass.

Note: if you plan to accept emails for this domain (inbound emails), you also need to add it to virtual_alias_domains in /etc/postfix/main.cf.

