
Feature: Sender Policy Framework (SPF)

kklepper edited this page Jun 19, 2020 · 6 revisions

An SPF (Sender Policy Framework) record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain.

docker-mailserver checks incoming mail for valid SPF records. This page is a guide to setting up your own domains for SPF.


Step by step

Suppose you want to serve a bunch of domains with docker-mailserver, say domain-1.tld, domain-2.tld, domain-3.tld, on your machine with IP address 123.234.123.234.

Once you have your SPF string (e.g. v=spf1 mx a ip4:123.234.123.234/32 a:domain-1.tld a:domain-2.tld a:domain-3.tld -all), insert it as a TXT record as follows, assuming your nameserver provider offers these 4 fields:

Subdomain       | Type | Priority | Target
                | TXT  |          | v=spf1 mx a ip4:123.234.123.234/32 a:domain-1.tld a:domain-2.tld a:domain-3.tld -all
2020._domainkey | TXT  |          | v=DKIM1;h=sha256;t=s;p=MIIB...the whole public key as provided by roundcube...DAQAB
_dmarc          | TXT  |          | v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected];ruf=mailto:[email protected];adkim=s;aspf=r
  • Mind you: the subdomain field for SPF is empty.

  • Do this with all domains in webmail you want to protect, e.g. domain-2.tld, domain-3.tld

  • Check the validity of all entries and domains with https://www.appmaildev.com/de/dkim


For the record:

  • SPF:
    • ip4:123.234.123.234 is the IP of the machine the mail record points to
    • domain-1.tld is the domain handling Roundcube on port 81
    • domain-2.tld and domain-3.tld etc. are the domains served by this mail domain -- as far as I see, this is not necessary
  • DKIM
    • Roundcube (i.e. domain-1.tld:81/webmail) provides the DKIM record content:
      • choose DKIM
      • first recreate the private key for the domain in question, e.g. domain-2.tld
      • next edit
      • The public key is very long and presented in blocks.
      • You can just copy and paste that; maybe it works. Roundcube will insert backslashes; remove those.
      • Maybe the spaces don't hurt, but you can also reassemble the public key as one block without any spaces.
      • The whole sequence was split by my nameservice provider with spaces anyway, each block surrounded by quotes.
    • In order to check DKIM, you have to provide the selector.
      • Some checkers accept only the first part, conventionally the current year (like https://dmarcian.com/dkim-inspector/); others want the whole selector (i.e. 2020._domainkey) or don't care.
      • Roundcube gives you 2020._domainkey.domain-1.tld -- this will not work.
  • DMARC
    • Replace your e-mail addresses here.
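To make the SPF record above concrete, here is an added example (not part of this wiki page or of docker-mailserver's code) that parses the v=spf1 string and evaluates it for a sender IP the way a receiving server does. The DNS answers are a constructed stand-in, and the names parse_spf and check_host are my own.

```python
import ipaddress
# Constructed stand-in for DNS (assumption: a real checker resolves A/MX records live).
FAKE_A = {"domain-1.tld": ["123.234.123.234"], "domain-2.tld": ["123.234.123.234"],
          "domain-3.tld": ["123.234.123.234"], "mail.domain-1.tld": ["123.234.123.234"]}
FAKE_MX = {"domain-1.tld": ["mail.domain-1.tld"]}
# The record from this page; "-all" means any other sender is a hard fail.
PAGE_RECORD = ("v=spf1 mx a ip4:123.234.123.234/32 "
               "a:domain-1.tld a:domain-2.tld a:domain-3.tld -all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: more than 10 mx/a/include terms is a permerror


def parse_spf(record):
    """Split a v=spf1 string into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(sender_ip, domain, record):
    """Return the SPF result for sender_ip claiming to send mail for domain."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = 0
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("a", "mx"):  # both cost a DNS lookup; CIDR suffixes not modelled
            lookups += 1
            if lookups > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            hosts = [target] if mech == "a" else FAKE_MX.get(target, [])
            addrs = [a for h in hosts for a in FAKE_A.get(h, [])]
            if any(ip == ipaddress.ip_address(a) for a in addrs):
                return QUALIFIERS[qualifier]
        elif mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # include/exists/ptr/ip6 are not modelled here
    return "neutral"  # no "all" term: RFC 7208 default result
```

With the stand-in DNS, the machine's own IP passes already on the mx term, and an unrelated IP falls through to -all and fails.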

TLS and docker-compose

In case you have a docker setup served by a (nginx-)proxy to handle TLS, this proxy will communicate with the docker containers through an external network.

In this case your main domain will not be accessible on port 81. The page Howto: Use The Web Service Behind nginx proxy looks promising, but doesn't serve TLS.

The most natural thing to do would be to merge both docker-compose.yml files or rather integrate docker-compose.yml of docker-mailserver into docker-compose-your-docker-set.yml of your-docker-set. That's okay, but produces a new problem or rather exposes a bug.

The proxy must be able to contact the web container, now inside your-docker-set, through the external network, and to this end this container needs a networks instruction.

If you add a network (i.e. the external network the proxy communicates over) to web, you will get enigmatic errors (see networks: - proxy), apparently because the filter container will then be replaced by the host IP for some reason, producing errors as a consequence (see Calling the host).

A workaround can be constructed as follows:

  • Use a FQDN running on port 80 or get yourself a new FQDN (e.g. via Freenom)
  • Point this domain (e.g. mymail.tk) to the same IP as your main domain
  • Put mymail.tk in .env
  • Add mymail.tk to your SPF records in all domains domain-x.tld like
    • v=spf1 mx a ip4:123.234.123.234/32 a:mymail.tk a:domain-1.tld a:domain-2.tld a:domain-3.tld -all
  • Start docker-mailserver normally
  • http://mymail.tk:81 will show the mailmanager
  • http://mymail.tk:81/webmail will show Roundcube

This way, the mail system is totally separate from your general TLS setup served by the proxy and the main docker collection your-docker-set.

  • http://mymail.tk will be served by your proxy
  • This proxy, serving TLS, will redirect to https://mymail.tk
  • This will generate a certificate error as you have none and never intend to have

Thunderbird

  • Put domain-x.tld in the appropriate Thunderbird settings, preferably IMAP
    • STARTTLS, Password normal