Dmarc, dkim, dnssec

Virtualmin doesn’t set up dmarc, dkim and dnssec by default. The ‘internet’ assures me they are vital. :wink: So, should I enable them and hunt down the appropriate settings for default virtual server installs?

Virtualmin doesn’t do a lot of things by default, everybody has different needs, and some things can’t be enabled by default without inconveniencing or confusing people who won’t use them…like the large percentage of Virtualmin users that don’t host mail locally. I encourage you to explore the many options available in Virtualmin rather than expecting defaults to be right for your exact needs. Virtualmin is the most flexible control panel out there…but, you gotta poke around, if you want it to fit your deployment perfectly. :man_shrugging:

But, generally, you’re just turning these features on rather than hunting down appropriate settings, for DKIM and DMARC. We have docs for DKIM (though I don’t know why, since it’s just “turn it on”, the opendkim package is installed by default, unless you chose a minimal install or configured apt/dnf to install only required packages): DomainKeys Identified Mail – Virtualmin

I don’t recommend expending effort/time on implementing DNSSEC (Webmin supports it, of course, I just don’t think you should use it). DNSSEC has no direct relation to mail deliverability, and doesn’t really do the things it set out to do (and introduces new vulnerabilities, though they’re unlikely to be exploited, since it requires pretty high-level actors to exploit DNSSEC). DNSSEC is also much more complicated than DKIM and DMARC, but again, isn’t related to mail and I don’t consider it “vital”. (I don’t know enough to make pronouncements like this about DNSSEC, I’m just passing on what I’ve found security researchers I trust saying about it. e.g. Against DNSSEC — Quarrelsome)

OK. Still just trying to figure out the software. I remembered you saying you didn’t recommend something but search didn’t turn up what. DNSSEC was probably it. It sure made for an ugly zone record file. So, trash bin for that.

Current host uses the spf, DMARC and DKIM so I’ll stick with that. (I did follow and read the link. Thanks.)

I’m pretty sure I didn’t do minimal install though so not sure what went wrong with DKIM. I did do a minimal on the secondary dns server cuz I didn’t want to set up zone transfers myself and the cost to install virtualmin was reasonable. :wink:

If you followed the DKIM docs before today, it referenced an old package name (dkim-milter) that doesn’t exist anymore (replaced by opendkim, which is installed by default). If you just turn it on, rather than reading the docs, it should Just Work. But I’ve also updated the docs to reference the right package (but that package will already be installed, unless you used minimal mode or otherwise limited packages to install).

@ID10T,

I recommend a “post-install” optimization, something I offer all my clients to “tweak” Virtualmin to meet your needs. As @Joe has stated, not everything that is “possible” IS turned on (or off for that matter) by default.

The thing about a product that meets the needs of the many, is that not EVERY configuration works best for all, so in the world of Virtualmin, they attempt to turn on features that are frequently requested and assumed to be needed by MOST people, while leaving some things turned off which MAY only be needed by a few.

Feel free to request a consultation and optimization session with me, my rates are very affordable exclusively for Virtualmin users – tpnAssist.com

On subject - but nothing to do with Virtualmin - I have just come through a week of complaints from a user on another system that I do not have full control of the server. The issue involved Google bouncing emails from “my” server to a gmail account. They had been going through perfectly for years without a problem then suddenly started bouncing. A support ticket to google got the reply that SPF, DKIM and DNSSEC were not enabled. I then used an internet mailchecker (provided by gov.uk https://emailsecuritycheck.service.ncsc.gov.uk/results?domain=*****.co.uk) which confirmed it. I passed that info back to the service provider support desk who implemented everything and the user is now a happy bunny again as her email is arriving.

I was left wondering if I should do similar on the VPS I host - I’m still not sure but I at least know that if I do decide to there are solutions available. Or is this just Google being their usual cussy selves? ie why bother?

SPF and DKIM are certainly recommended if you need to send mail. They’re easy to set up in Virtualmin.

One of the first things I did when I set up the server was to email a test account I have at google as a backup and testing account. ONLY SPF was set up at that point and it went through.

@tpnsolutions Thanks but this is a matter of my wading through all the choices and getting back up to speed. The main point of the thread was I remembered seeing Joe say he didn’t recommend something that seemed like a standard security protocol and I couldn’t find the post. Not sure why DKIM didn’t install and I didn’t want to just go enabling things when I knew in the back of my mind I’d seen that post by Joe.

Tx @Joe I will look into doing that on the Virtualmin servers I have responsibility for. My post was really a side comment on a server that is not Virtualmin and one that I do not have direct control of. Also that it may be a warning that @gmail may have tightened up their requirements for some reason. This morning the support team have sent me a warning that they will be doing something with TLS that will make email access difficult. Reason unexplained well. Request to do things differently unjustified. I’m just a customer.
