Setup SPF and DKIM for Your Domain with Cloudflare

If outgoing email from your mail server lands in the Gmail Spam folder when your domain is on Cloudflare, here is the fix: publish the email authentication records (SPF, DKIM and DMARC) in Cloudflare's DNS zone.

A. Important Notes

  1. When you use Cloudflare, your server (e.g. cPanel) no longer manages the DNS for your domain.
    You must add the records in the Cloudflare DNS zone instead.
  2. You need to add SPF and DKIM records for every domain you send mail from.

B. Setup SPF and DKIM

  1. Add SPF record

    Introduction

    Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

    Step by Step

    In the Cloudflare DNS zone, choose the "TXT" record type. The dedicated SPF record type has been deprecated by the SPF RFC, so the policy is published as a TXT record.

    Add your SPF record string under the "value" section and click "Add"

    TXT @ v=spf1 ip4:your.email.server.ipv4 include:another-domain-send-mail-for-you.com -all
    

    Example

    TXT @ v=spf1 ip4:1.2.3.4 include:example.com -all
    

    The include: mechanism is useful if you also send mail through another service, so that service's authorized hosts count as yours.

    Read more about SPF record syntax

    Read more about adding an SPF record at Cloudflare
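    To see how a receiving mail server actually applies a record like the one above, here is an added Python example (not code from the original post) that evaluates the ip4, ip6, include and all mechanisms against a sending IP. Real DNS is replaced by a constructed in-memory table: yourdomain.com and example.com carry the records from this post, the 203.0.113.0/24 range for example.com is made up, and loop.test is a constructed record that includes itself. The evaluator also enforces the 10-lookup limit from RFC 7208, which is what turns such a loop into a permerror instead of an endless recursion.

```python
import ipaddress

# Constructed stand-in for DNS (domain -> SPF TXT record). No network lookups are made.
FAKE_DNS = {
    "yourdomain.com": "v=spf1 ip4:1.2.3.4 include:example.com -all",   # record from the post
    "example.com": "v=spf1 ip4:203.0.113.0/24 ~all",                    # constructed for the example
    "loop.test": "v=spf1 include:loop.test -all",                       # constructed: includes itself
}

MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most 10 DNS-querying terms per check

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, _lookups=None):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip sending as domain."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = _lookups if _lookups is not None else [0]   # shared counter across includes
    record = dns.get(domain)
    if record is None:
        return "none"                                      # no SPF record published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                                    # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                         # unparsable address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"                         # too many lookups (e.g. an include loop)
            sub = check_spf(sender_ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"                         # RFC 7208 5.2: included domain has no usable record
            matched = sub == "pass"                        # include matches only on a "pass" from the included record
        elif name == "all":
            matched = True
        else:
            return "permerror"                             # a, mx, ptr, exists, redirect= are not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                                       # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("1.2.3.4", "203.0.113.7", "198.51.100.9", "2001:db8::1"):
        print(sender, "->", check_spf(sender, "yourdomain.com"))
```

    With the record from this post, mail from 1.2.3.4 passes, mail from an address covered by example.com's record passes through the include, and anything else hits -all and fails, which is exactly what a receiver such as Gmail sees when the record is missing a server you send from.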

  2. Add DKIM record

    Introduction

    DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

    Step by Step

    Step 1. Create a private and public key

    # generate the DKIM signing key (genrsa always writes PEM; it has no -outform option)
    # 1024 bits matches the example output below; RFC 8301 recommends 2048 for new keys
    openssl genrsa -out yourdomain.com.private 1024
    # extract the public key that will be published in DNS
    openssl rsa -in yourdomain.com.private -pubout -out yourdomain.com.public
    

    Example

    cat yourdomain.com.private
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDRYAsLsHhX+kU5mEGev1I4a7zNb/d7djJB4cbKlc9VwbeJnReE
    T7uT1rGwC5hPVpNhwRjJ8PGRiY897+ANIlxBYGqyFheRAC4BfvYxDDIFkTQ7Gy4q
    2zC62VfsG0/d1mkPiF0ejyM3pua57ougxOre1TVgc5V4dSyuU6DcHLVopQIDAQAB
    AoGBAKwI52qGaIuZVzH4ucpPV6aGV87Rdh7awnbBpc6lg4PqNP18t2r+/Jh/6uZE
    0LQ35ceHmu+q60JzLeBtbcI8/mE48VRZ+xrmh/odwyo4UjPkJsTEkjwSDP0yhEvO
    WS2lJLc4x1exKtOKC6b3NF6VEcY/IlfC/JuUwUVvalCxlNbBAkEA6sOFks6iT9Ng
    Isf6MVGO+by1G86JgH53WNYKh1ZjoURhHCiFo2qXHrLAHB3VzZSRrhKhhqczDcu+
    1xpuWEWW9QJBAORQl42eNMA1lXPUnD3xshPEejS389NvLG7ZOIMRukzJw3FSp6V3
    5vzJCd9OU69zHTRBCfxCwJpXtP6I7ctBnPECQGZQRByRNaf4hUNjSCTKWLd6iKvP
    vZlkhHsQ/ZGyEsWr2W6+Mk/gGnBkktkuH4nzH/JvaDoZEGUI0OlKOaD64ykCQQC7
    Pq1MY9d3W3q6iD+rPbGCLLzcx5CccqzKLDQAqmVT3JUBN3xuZCt4XZhPH3nahloJ
    JN3/mO9EpXG23q3G6ITBAkBUo7p6tgoWFK1erJtJwp+pyoOQWpIqYWVUuhZR8iJF
    ktXO45rFyrf5G1fNlmls0/kz5yWZ/OwggZkt/NziQucm
    -----END RSA PRIVATE KEY-----
    
    cat yourdomain.com.public
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRYAsLsHhX+kU5mEGev1I4a7zN
    b/d7djJB4cbKlc9VwbeJnReET7uT1rGwC5hPVpNhwRjJ8PGRiY897+ANIlxBYGqy
    FheRAC4BfvYxDDIFkTQ7Gy4q2zC62VfsG0/d1mkPiF0ejyM3pua57ougxOre1TVg
    c5V4dSyuU6DcHLVopQIDAQAB
    -----END PUBLIC KEY-----
    

    Step 2. Add DKIM record to DNS

    Using any text editor, build these two strings (the record name and the record value):

    <selector>._domainkey.<your-domain>
    k=rsa;p=<PUBLIC KEY HERE>
    

    Example

    mailer._domainkey.yourdomain.com
    k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRYAsLsHhX+kU5mEGev1I4a7zNb/d7djJB4cbKlc9VwbeJnReET7uT1rGwC5hPVpNhwRjJ8PGRiY897+ANIlxBYGqyFheRAC4BfvYxDDIFkTQ7Gy4q2zC62VfsG0/d1mkPiF0ejyM3pua57ougxOre1TVgc5V4dSyuU6DcHLVopQIDAQAB
    

    Note: remove the BEGIN/END lines and all line breaks from the public key, so that p= is one continuous base64 string.

    In the Cloudflare DNS zone, select the TXT record type and add your DKIM values.

    TXT <selector>._domainkey.<your-domain> k=rsa;p=<PUBLIC KEY HERE>
    

    Example

    TXT mailer._domainkey.yourdomain.com k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRYAsLsHhX+kU5mEGev1I4a7zNb/d7djJB4cbKlc9VwbeJnReET7uT1rGwC5hPVpNhwRjJ8PGRiY897+ANIlxBYGqyFheRAC4BfvYxDDIFkTQ7Gy4q2zC62VfsG0/d1mkPiF0ejyM3pua57ougxOre1TVgc5V4dSyuU6DcHLVopQIDAQAB
    

    Once the DNS changes are saved, expect propagation to take anywhere from about an hour up to 48 hours.

    Read more about adding a DKIM record at Cloudflare
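    The manual editing in Step 2 is easy to get wrong (a stray line break or a leftover header line makes the key unusable), so here is an added Python example, not code from the original post, that builds the record name and value from the PEM file and, before you paste it into Cloudflare, parses the DER inside p= far enough to confirm it is an RSA key of at least the minimum size. The public key embedded below is the one printed by "cat yourdomain.com.public" above; the minimal DER reader and the 1024-bit floor are this example's own choices.

```python
import base64

# Public key exactly as printed by "cat yourdomain.com.public" in the post above.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRYAsLsHhX+kU5mEGev1I4a7zN
b/d7djJB4cbKlc9VwbeJnReET7uT1rGwC5hPVpNhwRjJ8PGRiY897+ANIlxBYGqy
FheRAC4BfvYxDDIFkTQ7Gy4q2zC62VfsG0/d1mkPiF0ejyM3pua57ougxOre1TVg
c5V4dSyuU6DcHLVopQIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # DER encoding of OID 1.2.840.113549.1.1.1


def pem_to_p_value(pem):
    """Drop the BEGIN/END lines and every line break: the result is the p= value for the TXT record."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def _tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Parse the SubjectPublicKeyInfo carried in p= and return the RSA modulus size in bits."""
    der = base64.b64decode(p_value, validate=True)
    tag, spki, _ = _tlv(der)                  # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    if tag != 0x30:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, algid, pos = _tlv(spki)                # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    oid_tag, oid, _ = _tlv(algid)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption; k=rsa requires an RSA key")
    bs_tag, bitstr, _ = _tlv(spki, pos)       # subjectPublicKey ::= BIT STRING (first byte = unused bits)
    if bs_tag != 0x03:
        raise ValueError("subjectPublicKey BIT STRING missing")
    _, rsa_key, _ = _tlv(bitstr[1:])          # RSAPublicKey ::= SEQUENCE { modulus n, publicExponent e }
    _, modulus, _ = _tlv(rsa_key)             # INTEGER n; a leading 0x00 sign byte does not add bits
    return int.from_bytes(modulus, "big").bit_length()


def key_meets_minimum(pem, min_bits=1024):
    """True if the public key in pem is an RSA key of at least min_bits (1024 is the verifier floor)."""
    return rsa_modulus_bits(pem_to_p_value(pem)) >= min_bits


def build_dkim_record(pem, selector, domain, min_bits=1024):
    """Return (record name, record value) for the Cloudflare TXT entry, refusing undersized keys."""
    if not key_meets_minimum(pem, min_bits):
        raise ValueError(f"RSA key is shorter than {min_bits} bits; verifiers will reject it")
    return f"{selector}._domainkey.{domain}", f"k=rsa;p={pem_to_p_value(pem)}"


if __name__ == "__main__":
    name, value = build_dkim_record(PUBLIC_KEY_PEM, "mailer", "yourdomain.com")
    print("TXT", name, value)
    print("modulus bits:", rsa_modulus_bits(pem_to_p_value(PUBLIC_KEY_PEM)))
```

    For the key printed in this post the function reports a 1024-bit modulus and reproduces the mailer._domainkey.yourdomain.com record shown in the example. A 2048-bit key produces a value longer than 255 characters, which DNS carries as several quoted TXT strings that verifiers join back together; Cloudflare's editor performs that split for you when you paste the long value.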

    Step 3. Sign outgoing mail messages with the domain key. The details depend on your programming language; here is an example with PHPMailer:

    <?php
    use PHPMailer\PHPMailer\PHPMailer;
    require 'vendor/autoload.php';

    $mail = new PHPMailer(true);
    // set From first: the DKIM identity below is copied from it
    $mail->setFrom('user@yourdomain.com', 'Your Name');
    // this should be the same as the domain of your From address
    $mail->DKIM_domain = 'yourdomain.com';
    // path to your private key file
    $mail->DKIM_private = __DIR__.'/../path/to/your/keys/folder/'.'yourdomain.com.private';
    // the selector: the "mailer" part of mailer._domainkey.yourdomain.com
    $mail->DKIM_selector = 'mailer';
    // if your private key has a passphrase, set it here
    $mail->DKIM_passphrase = '';
    // the identity you're signing as - usually your From address
    $mail->DKIM_identity = $mail->From;
    

    See the original DKIM examples from PHPMailer

  3. Add DMARC record

    What is DMARC?

    DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

    Step by Step

    In the Cloudflare DNS zone, select the TXT record type and add your DMARC values.

    The TXT record name should be "_dmarc.your_domain.com." where "your_domain.com" is replaced with your actual domain name.

    TXT _dmarc.your_domain.com. v=<protocol version>; p=<policy for domain>
    

    Example

    TXT _dmarc.coloza.com. v=DMARC1; p=none
    

    Read more about adding a DMARC record at Google
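    To show what the p= policy actually does once SPF and DKIM are in place, here is an added Python example (not code from the original post) that parses a DMARC record and applies it to a message the way a receiver does: the message passes if either SPF or DKIM passed with a domain aligned to the From domain, and otherwise the p= disposition applies. The relaxed-alignment check approximates the organizational domain as the last two labels, which is a simplification of this example and not a public-suffix lookup; the coloza.com records and the mail.coloza.com subdomain used in the usage section are taken from, or constructed around, the example above.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; v=DMARC1 must be first and p= is required."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                                  # tolerate a trailing ";"
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";")[0].strip()
    if not first.lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")   # value is case-sensitive per RFC 7489
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")                     # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def is_valid_dmarc(record):
    """True if the record parses as a usable DMARC policy."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def _aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    # Simplification for this example: organizational domain = last two labels (no public-suffix list).
    return auth_domain.split(".")[-2:] == from_domain.split(".")[-2:]


def dmarc_disposition(record, from_domain, spf_result=None, spf_domain=None,
                      dkim_result=None, dkim_domain=None):
    """Return "pass" or the p= disposition (none/quarantine/reject) for one message."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and _aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and _aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]   # none: deliver and only report; quarantine: spam folder; reject: refuse


if __name__ == "__main__":
    record = "v=DMARC1; p=none"                       # the record from the example above
    print(dmarc_disposition(record, "coloza.com", spf_result="pass", spf_domain="coloza.com"))
    print(dmarc_disposition(record, "coloza.com", spf_result="fail", spf_domain="coloza.com"))
```

    With p=none, a message that fails both checks still gets disposition "none", i.e. it is delivered and only reported; that is why p=none is the right starting policy while you confirm that every legitimate sender passes, before moving to quarantine or reject.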
