DKIM, SPF & DMARC or Transactional Emails with SMTP Services?

frm

I've been pulling my hair out trying to configure just DKIM to let my emails through and not bounce back as spam for hours last night. I just can't seem to get it to work, no matter which tutorial I use.

Who uses which? And would one be more beneficial over the other?
 
For XenForo sent emails, I use Amazon SES SMTP and it has its own instructions for proper DKIM + SPF setup. Then I set up DMARC separately myself.
Thanks. I have now chosen SES, but it appears as if I'm sandboxed for the time being. Hopefully, they open it up soon as I had Sendinblue working. Though, Amazon appears to be much more trusted to reduce bounce, etc.
For server system sent emails, I just set up DKIM + SPF + DMARC myself as I use my own Centmin Mod LEMP stack so I have instructions for my Centmin Mod LEMP stack users and myself to follow at https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/
I played a lot with your stack over the month and was disappointed that I couldn't build Naxsi into it, I believe that a WAF should be available.

I settled on a LA(x)P stack (MySQL on another server) with Apache 2.4/modsecurity & PHP72 instead because I couldn't even get Naxsi to build myself (edit: with ngx_pagespeed), on a fresh install, and adding it to your build.

I would love to benchmark Centminmod with Naxsi and rules implemented for security and will be on the lookout for that (in the near future, hopefully).
 
I use Sparkpost and my Ubuntu 18.04 boxes use Postfix in send-only mode to send emails via SMTP using Sparkpost.

I set aliases for root and various other system emails to my email address so any locally delivered emails get forwarded to me via Sparkpost.

It's all configured as part of my automated server build script - I know the server setup has been successful when I receive a test email from the server - I have it as the last step in the configuration process.

DKIM + SPF is taken care of via a couple of DNS entries supplied by Sparkpost. I haven't gone so far as to configure DMARC yet.
 
Which version of Centmin Mod did you try, 123.08stable or 123.09beta01? 123.09beta01 is where all the development work is right now, feature-wise. But Naxsi I don't have much experience with, so it's not something I can test and support. But as you're using modsecurity, then Centmin Mod 123.09beta01 with modsecurity for nginx is an option, as it's in development and working for folks that have tried it - not 100% automated, but if you know how to configure modsecurity for nginx after the modsecurity nginx module is compiled/installed, you should be fine. See these 2 links
 
Don't quote me on this, but while doing research into the two (modsecurity vs Naxsi) on nginx, modsecurity lacked features over ones provided with Apache. That was the main reason why I reverted back to Apache to use modsecurity.

If I'm wrong, I'll definitely fire up another box with Centminmod again and use the stack (hopefully removing MariaDB as it's not necessary with MySQL 8 on its own instance).
 
Wouldn't know the specifics, as modsecurity for nginx started as a rewrite via libmodsecurity https://github.com/SpiderLabs/ModSecurity-nginx so at points in time it would have had to play catch-up to the Apache version. This was ages ago though - probably years, don't recall.
What is the difference between this project and the old ModSecurity add-on for nginx?
The old version uses ModSecurity standalone, which is a wrapper for Apache internals to link ModSecurity to nginx. This current version is closer to nginx, consuming the new libmodsecurity which is no longer dependent on Apache. As a result, this current version has less dependencies, fewer bugs, and is faster. In addition, some new functionality is also provided - such as the possibility of use of global rules configuration with per directory/location customizations (e.g. SecRuleRemoveById).
Doesn't seem to lack features compared to Apache; instead it has new features/functionality.

Centmin Mod 123.09beta01 uses the newer Modsecurity connector via libmodsecurity for Nginx installs.
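
The per-location customization mentioned in the connector FAQ quoted above, sketched as an nginx server block. This is an added example, not taken from the thread, Centmin Mod or the ModSecurity-nginx project; the server name, paths, the `/admin/editor` location and rule id 900100 are constructed for illustration.

```nginx
# Added illustration: global ModSecurity rules with a per-location exception.
# Assumes the ModSecurity-nginx connector module is compiled in and loaded.
server {
    listen 80;
    server_name forum.example.com;          # constructed name

    # Enable ModSecurity for everything in this server block.
    modsecurity on;

    # Global rule set, inherited by every location below.
    # Rule 900100 is a constructed sample rule, not part of any published set.
    modsecurity_rules '
        SecRuleEngine On
        SecRule ARGS:q "@contains <script" "id:900100,phase:2,deny,status:403,log"
    ';

    location / {
        # Inherits the global rules unchanged.
        root /var/www/forum;                # constructed path
    }

    location /admin/editor {
        # Per-location customization: drop only the one rule that produces
        # false positives here, keeping the rest of the global set active.
        modsecurity_rules 'SecRuleRemoveById 900100';
        root /var/www/forum;
    }
}
```

Run `nginx -t` after editing; if the connector module is not loaded, the `modsecurity` directives are reported as unknown.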
 
Going to fire it up and see if I can get the servers to act as I want again (it didn't before and made me give up as well).
I'll move on over to your forum to see if anyone can give advice on force https and www along with redirecting the IP (dedicated) in both http and https as I have on Apache now (much easier config).
Thank you.
If you haven't, you need to open a request to be unsandboxed...
Yeah, luckily I did it after hours and requested a mail increase. Noticed that you had to be unsandboxed as well, so replied again. Woke up to a 50k limit without being sandboxed. The service is incredibly fast to deliver!
 
Re-building nginx now. The first install did not have the modsecurity module. I found that you need to set the variable to y in centmin.sh. It looks like it's compiling now, so we'll see if the module loads or I have to add it to conf first.
 
I use SendGrid with DKIM and SPF set up to send everything from XenForo.
While comparing prices, I noticed this about SES: "$0 for the first 62,000 emails you send each month, and $0.10 for every 1,000 emails you send after that." However, it's only for EC2 instances, which is what I am running. This saves me approximately $12 (next package on SendGrid would be $15).

Something to consider if you're with Amazon EC2 for some extra savings (SendGrid Essential is $14.95 for 100,000 whereas 100,000 on SES would be $3.80).
 
Thanks for the suggestion. I prefer running my instances on DO though.