{"id":854,"date":"2023-07-09T11:18:51","date_gmt":"2023-07-09T09:18:51","guid":{"rendered":"https:\/\/pcmacb.de\/?page_id=854"},"modified":"2025-06-16T16:36:20","modified_gmt":"2025-06-16T14:36:20","slug":"spf-und-oder-dkim","status":"publish","type":"page","link":"https:\/\/pcmacb.de\/?page_id=854","title":{"rendered":"SPF oder DKIM"},"content":{"rendered":"\n

Seit geraumer Zeit bekomme ich wiederholt Meldungen, dass E-Mails von Konten bei Suchmaschine<\/em> oder anderen IT Anbietern nicht mehr angenommen werden. Stattdessen kommen Meldungen wie diese zur\u00fcck:<\/p>\n\n\n\n

Remote-MTA: dns; suchmaschine-smtp-in.l.suchmaschine.com\nDiagnostic-Code: smtp; 550-5.7.26 This mail is unauthenticated, which poses a security risk to the 550-5.7.26 sender and xyz users, and has been blocked. The sender must 550-5.7.26 authenticate with at least one of SPF or DKIM.<\/pre>\n\n\n\n
\u00dcber Sinn oder Unsinn solcher Ma\u00dfnahmen, die angeblich Spam verhindern sollen, l\u00e4sst sich streiten, denn auch Spammer werden wissen, wie man einen „Sender Policy Framework Record“, also „SPF Eintrag“, vornimmt. Das hat mir zwar schon den einen oder anderen Auftrag beschert, aber als Trittbrettfahrer gro\u00dfer Konzerne sein Geld zu verdienen, f\u00fchlt sich unlauter an.<\/p>\n\n\n\n
Damit die Mails wieder ausgeliefert werden, muss bei dem Provider, dem die Homepage und der Mail Account obliegt, der erw\u00e4hnte SPF Record eingetragen werden. Die Vorgehensweise ist bei den Anbietern von Mail- oder Homepage Konten unterschiedlich. L\u00f6sungen lassen sich recht schnell \u00fcber die problemverursachende Suchmaschine oder den anbietenden Provider selbst finden. Sind am Ende alle Eintr\u00e4ge richtig gemacht worden, sollte der „dig domain.de txt<\/em>“ Befehl folgend Ausgabe bringen, wobei die Zeile mit „v=spf1 mx […]“ entscheidend ist:<\/p>\n\n\n\n
dig xyz.de txt\n\n; <<>> DiG 9.16.42 <<>> xyz.de txt\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49311\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 512\n;; QUESTION SECTION:\n;pcmacb.de.                     IN      TXT\n\n;; ANSWER SECTION:\nxyz.de.              39312   IN      TXT     \"v=spf1 mx a ip4:abc.def.ghi.jkl ip6:abcd:efgh:ijkl:unds:0wei:ter0:0000:0001 mx:xyz.de ~all\"<\/strong>\n\n;; Query time: 31 msec\n;; SERVER: abc.def.x.y#53(abc.def.x.y)\n;; WHEN: an einem Sonntag CEST 2023\n;; MSG SIZE  rcvd: 142<\/code><\/pre>\n\n\n\n

Create dkim keys and register at abcde.de<\/h1>\n\n\n\n
\n
v=spf1 mx a ip4:245.159.200.167\nip6:2a82:c209:3915:2925:0000:0000:0000:0001 mx:abcde.de<\/a> ~all<\/p>\n<\/div>\n\n\n\n
apt install opendkim opendkim-tools<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim.conf<\/code><\/pre>\n\n\n\n
Syslog                  yes \nSyslogSuccess           yes \n#LogWhy                 no \n\nCanonicalization        relaxed\/simple \n#Mode                   sv \n#SubDomains             no \nOversignHeaders         From \n\n# user (for example, Postfix). You may need to add user \"postfix\" to group \n# \"opendkim\" in that case. \nUserID                  opendkim \nUMask                   007 \n\n# Socket for the MTA connection (required). If the MTA is inside a chroot jail, \n# it must be ensured that the socket is accessible. In Debian, Postfix runs in \n# a chroot in \/var\/spool\/postfix, therefore a Unix socket would have to be \n# configured as shown on the last line below. \nSocket                  local:\/run\/opendkim\/opendkim.sock \n#Socket                 inet:8891@localhost \n#Socket                 inet:8891 \n#Socket                 local:\/var\/spool\/postfix\/opendkim\/opendkim.sock \n\nPidFile                 \/run\/opendkim\/opendkim.pid \n\n# Hosts for which to sign rather than verify, default is 127.0.0.1. See the \n# OPERATION section of opendkim(8) for more information. \n#InternalHosts          192.168.0.0\/16, 10.0.0.0\/8, 172.16.0.0\/12 \n\n# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided \n# by the package dns-root-data. \nTrustAnchorFile         \/usr\/share\/dns\/root.key \n#Nameservers            127.0.0.1 \n\n## added by myself \n# Required for signing \nKeyTable             \/etc\/opendkim\/key.table \nSigningTable         \/etc\/opendkim\/signing.table \nInternalHosts        \/etc\/opendkim\/trusted.hosts \n\n# Optional but recommended: \nCanonicalization     relaxed\/simple \nMode                 sv<\/code><\/pre>\n\n\n\n
nano \/etc\/postfix\/main.cf<\/code><\/pre>\n\n\n\n
# DKIM socket for local Unix socket \nsmtpd_milters = unix:\/run\/opendkim\/opendkim.sock \nnon_smtpd_milters = unix:\/run\/opendkim\/opendkim.sock \nmilter_default_action = accept \nmilter_protocol = 6<\/code><\/pre>\n\n\n\n
mkdir -p \/etc\/opendkim\/keys\/abcde.de<\/code><\/pre>\n\n\n\n
chown -R opendkim:opendkim \/etc\/opendkim<\/code><\/pre>\n\n\n\n
usermod -aG opendkim postfix<\/code><\/pre>\n\n\n\n
nano \/lib\/systemd\/system\/opendkim.service<\/code><\/pre>\n\n\n\n
[Unit] \nDescription=OpenDKIM Milter \nDocumentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-lua(3) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testkey(8) http:\/\/www.opendkim.org\/docs.html \nAfter=network-online.target nss-lookup.target \nWants=network-online.target \n\n[Service] \nType=forking \nPIDFile=\/run\/opendkim\/opendkim.pid \nExecStart=\/usr\/sbin\/opendkim \nExecReload=\/bin\/kill -USR1 $127.0.0.1\nlocalhost\nmail.abcde.de\nMAINPID \nRestart=on-failure \nUMask=007 \n\n[Install] \nWantedBy=multi-user.target\n<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/trusted.hosts<\/code><\/pre>\n\n\n\n
127.0.0.1\nlocalhost\nmail.abcde.de<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/signing.table<\/code><\/pre>\n\n\n\n
*@abcde.de default._domainkey.abcde.de<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/key.table<\/code><\/pre>\n\n\n\n
default._domainkey.abcde.de abcde.de:default:\/etc\/opendkim\/keys\/abcde.de\/default.private<\/code><\/pre>\n\n\n\n
Generate the keys<\/h3>\n\n\n\n
cd \/etc\/opendkim\/keys\/abcde.de<\/code><\/pre>\n\n\n\n
opendkim-genkey -s default -d abcde.de<\/code><\/pre>\n\n\n\n
Make sure files are owned\nby opendkim<\/h3>\n\n\n\n
chown -R opendkim:opendkim \/etc\/opendkim<\/code><\/pre>\n\n\n\n
chmod go-r \/etc\/opendkim\/keys\/abcde.de\/default.private<\/code><\/pre>\n\n\n\n
Entries in DNS TXT Record:<\/h3>\n\n\n\n
default._domainkey.abcde.de  86400   TXT     0<\/code><\/pre>\n\n\n\n
this is one line in \u201cdata\u201d:<\/p>\n\n\n\n
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy8fiSlKdHX0U3b2EM4SWjU1aTAjcshJhyZt8iv5XtLv\/Bf00ZJ11PqzSTtlCmsKCYYuO9BEAKVf3\/nX+zmUH9KJWWnF1yU4+MYwnIpxACbrMh0BX1PlITGdDSdLnmhObiDlWqEeABBmnaUfrv+e4GKhxwPf2NjaeTObceiofz13hIOeHPFc7\/5xaIkPOEjL\/6ftCTRQSg2P\/GqL1ePqbdzii8Cwn9EQ61g0xWFaqBug9vCFRWX+\/Es1LtmIenjvSmMAn0j184o5yLzEv71uR7l0bwuRn85t6tMvocxGdeNcHuacHHZG4GZFrE\/qdJCbYPBrYbMTcX0kIK5lNKNjucQIDAQAB<\/code><\/pre>\n\n\n\n
systemctl daemon-reexec<\/code><\/pre>\n\n\n\n
systemctl restart opendkim postfix<\/code><\/pre>\n\n\n\n
If there\u2019s more domains:<\/h1>\n\n\n\n
\/etc\/opendkim\/keys\/\n\u251c\u2500\u2500 example.com\/\n\u2502   \u251c\u2500\u2500 default.private\n\u2502   \u2514\u2500\u2500 default.txt\n\u251c\u2500\u2500 example.org\/\n\u2502   \u251c\u2500\u2500 default.private\n\u2502   \u2514\u2500\u2500 default.txt<\/code><\/pre>\n\n\n\n
mkdir -p \/etc\/opendkim\/keys\/abc.de\nmkdir -p \/etc\/opendkim\/keys\/xyz.de\nmkdir -p \/etc\/opendkim\/keys\/cde-berlin.com<\/code><\/pre>\n\n\n\n
cd \/etc\/opendkim\/keys\/abc.de\nopendkim-genkey -s default -d abc.de\nchown opendkim:opendkim default.private\nchmod 600 default.private<\/code><\/pre>\n\n\n\n
cd \/etc\/opendkim\/keys\/xyz.de\nopendkim-genkey -s default -d xyz.de\nchown opendkim:opendkim default.private\nchmod 600 default.private<\/code><\/pre>\n\n\n\n
cd \/etc\/opendkim\/keys\/cde-berlin.com\nopendkim-genkey -s default -d cde-berlin.com\nchown opendkim:opendkim default.private\nchmod 600 default.private<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/key.table<\/code><\/pre>\n\n\n\n
default._domainkey.abc.de abc.de:default:\/etc\/opendkim\/keys\/abc.de\/default.private\ndefault._domainkey.xyz.de xyz.de:default:\/etc\/opendkim\/keys\/xyz.de\/default.private\ndefault._domainkey.cde-berlin.com cde-berlin.com:default:\/etc\/opendkim\/keys\/cde-berlin.com\/default.private<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/signing.table<\/code><\/pre>\n\n\n\n
*@abc.de default._domainkey.abc.de\n*@xyz.de default._domainkey.xyz.de\n*@cde-berlin.com default._domainkey.cde-berlin.com<\/code><\/pre>\n\n\n\n
nano \/etc\/opendkim\/trusted.hosts<\/code><\/pre>\n\n\n\n
127.0.0.1\nlocalhost\n\n*.abc.de\n*.xyz.de\n*.cde-berlin.com<\/code><\/pre>\n\n\n\n
Generate the keys<\/h3>\n\n\n\n
cd \/etc\/opendkim\/keys\/abc.de<\/code><\/pre>\n\n\n\n
opendkim-genkey -s default -d abc.de<\/code><\/pre>\n\n\n\n
usw\u2026\u2026.<\/p>\n\n\n\n
chown -R opendkim:opendkim \/etc\/opendkim<\/code><\/pre>\n\n\n\n
chmod -R go-rwx \/etc\/opendkim\/keys<\/code><\/pre>\n\n\n\n
systemctl daemon-reexec<\/code><\/pre>\n\n\n\n
systemctl restart opendkim postfix<\/code><\/pre>\n\n\n\n
\/<\/p>\n","protected":false},"excerpt":{"rendered":"
Seit geraumer Zeit bekomme ich wiederholt Meldungen, dass E-Mails von Konten bei Suchmaschine oder anderen IT Anbietern nicht mehr angenommen werden. Stattdessen kommen Meldungen wie diese zur\u00fcck: Remote-MTA: dns; suchmaschine-smtp-in.l.suchmaschine.com Diagnostic-Code: smtp; 550-5.7.26 This mail is unauthenticated, which poses a weiterlesen…<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"class_list":["post-854","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/pages\/854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pcmacb.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=854"}],"version-history":[{"count":17,"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/pages\/854\/revisions"}],"predecessor-version":[{"id":1070,"href":"https:\/\/pcmacb.de\/index.php?rest_route=\/wp\/v2\/pages\/854\/revisions\/1070"}],"wp:attachment":[{"href":"https:\/\/pcmacb.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}