
How to set up Successful Email for Yunohost with Digital Ocean Droplet

To help your Yunohost email server get better deliverability, I knew I had to set up DKIM, SPF and DMARC. I had done this elsewhere, for other email servers, but not for Yunohost. Here is a log of my journey and how to do it.

Optional Section: Set up DKIM for Email Signing

Some say DKIM is ‘optional’. However, Gmail now requires every sender to authenticate mail with SPF or DKIM, and bulk senders to have both plus a DMARC record, so it is ‘more than optional’ these days. But do what you think is best.

Setting Up DKIM Records in Yunohost (the Public key)

Setting up DKIM for a Yunohost environment turns out to be very easy: it was basically working right out of the gate at install. The hard part was figuring that out. Prior to that I was using a popular tool, but after trying every configuration under the sun I realized that YH had already created everything I was trying to configure… I had run the YH diagnosis time and time again, and because I was putting my own keys into the DO DNS records instead of taking the ones from YH and putting those in, I was getting endless errors in the diagnosis results.

The good news for you is that I figured it out, and this section is for you if you want DKIM working. To get the DKIM record set up, you copy it from the YH-generated DKIM keys and put it into DigitalOcean Networking!

All I did to remove the DKIM error from the Yunohost diagnosis report was this:

  1. Go to Domains > maindomain.tld (if that is the domain your email is coming to and from)
  2. Click the DNS configuration button. This opens a page listing the suggested records in plain zone-file form
  3. If there are several DKIM records, find the one that matches the domain from step 1. It will look something like this:

mail._domainkey 3600 IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIGf...more long key stuff here....tbd1mFXA4dJwIDAQAB"

A p= value that starts with MIGf, as above, is a 1024-bit RSA public key; one that starts with MIIBIj is 2048-bit. Receivers still verify 1024-bit keys, but 2048 bits is the baseline today.

  4. Copy the text between the quotes to the clipboard (v=DKIM1; h=sha256; k=rsa; p=MIGf...more long key stuff here....tbd1mFXA4dJwIDAQAB). The quotation marks are zone-file syntax, not part of the value, so leave them out
  5. In the DigitalOcean Networking > DNS records section, create a new TXT record
  6. In the VALUE field paste the part you just copied
  7. In the HOSTNAME field type mail._domainkey (DigitalOcean appends the domain for you)
  8. To propagate the change sooner, change the TTL from 3600 to 300 (change it back once everything is recognized and working)
  9. Wait 10 to 20 minutes (it may take longer) and run the diagnosis. You should no longer see DKIM errors, and DKIM should be working.

Part 2 – Testing your DKIM

So, it turns out that the Roundcube ‘digitally sign this message’ option was not a DKIM private-key signing thing, as I had thought (it is the OpenPGP message signing provided by Roundcube’s Enigma plugin). DKIM signing was already working in the background in Yunohost. To test this, all I did was:

  1. Send a message from Yunohost Roundcube webmail to a Gmail account (I keep a Gmail account just for this kind of purpose)
  2. In Gmail, find the email you just sent yourself and click it
  3. In the reading view, click the three vertical dots (the ‘More’ menu) next to the Reply button
  4. Click ‘Show original’. The summary at the top lists SPF, DKIM and DMARC with PASS or FAIL; the detail is in the Authentication-Results header further down, which also names the domain and DKIM selector that were checked

For me, it was an exciting ‘all pass’ even from Roundcube webmail running on Yunohost.

Next, I did the same test from a YH email configured in Thunderbird. Also a pass-fest! Yay.
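As an added example that is not part of the original tutorial, here is a small parser for the Authentication-Results header that Gmail’s ‘Show original’ view exposes, together with the alignment check that sits behind the DMARC verdict: a mechanism only counts for DMARC if it passed and its domain matches the From domain. The header, domains and addresses in SAMPLE_HEADERS are constructed for illustration, and the organizational-domain logic is a simplification (it has no Public Suffix List, so any parent domain is treated as aligned under relaxed mode).

```python
import re

# Constructed sample of what Gmail's "Show original" view displays for a message
# that passed all three checks (hypothetical domain, addresses and signature tag).
SAMPLE_HEADERS = """\
Delivered-To: me@gmail.example
From: Me <me@maindomain.tld>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@maindomain.tld header.s=mail header.b=AbCdEf12;
       spf=pass (google.com: domain of me@maindomain.tld designates 203.0.113.10 as permitted sender) smtp.mailfrom=me@maindomain.tld;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=maindomain.tld
Subject: DKIM test
"""


def unfold(raw: str) -> list:
    """Join RFC 5322 continuation lines (those starting with whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_auth_results(raw: str) -> dict:
    """Return {method: {"result": ..., "header.i": ..., ...}} from the first
    Authentication-Results header. Parenthesised comments are dropped first: they
    contain spaces and '@' signs that would otherwise confuse the token split."""
    for line in unfold(raw):
        if line.lower().startswith("authentication-results:"):
            body = re.sub(r"\([^)]*\)", "", line.split(":", 1)[1])
            break
    else:
        return {}
    results = {}
    for clause in body.split(";")[1:]:          # clause [0] is the authserv-id (mx.google.com)
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result
        results[method] = props
    return results


def _aligned(domain_a: str, domain_b: str, strict: bool) -> bool:
    """Strict alignment: identical domains. Relaxed: one is a subdomain of the other.
    (Simplification: real DMARC compares organizational domains via the Public Suffix List.)"""
    a, b = domain_a.lower().rstrip("."), domain_b.lower().rstrip(".")
    if a == b:
        return True
    return not strict and (a.endswith("." + b) or b.endswith("." + a))


def dmarc_alignment(results: dict, strict: bool = False) -> dict:
    """Per mechanism: passed AND its domain aligns with header.from, which is what
    DMARC needs from at least one of them to return pass."""
    from_domain = results.get("dmarc", {}).get("header.from", "")
    dkim = results.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").split("@")[-1]
    spf = results.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").split("@")[-1]
    return {
        "dkim": dkim.get("result") == "pass" and _aligned(dkim_domain, from_domain, strict),
        "spf": spf.get("result") == "pass" and _aligned(spf_domain, from_domain, strict),
    }
```

Paste the raw headers from ‘Show original’ into parse_auth_results; a message where SPF passed for a different bounce domain than the From domain will show spf=pass in Gmail’s summary yet come back False from dmarc_alignment, which is exactly the case DMARC is designed to catch.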

Set up DMARC for Yunohost in Digital Ocean for email security

For DMARC, thinking ahead to getting BIMI support working, I would expect the DMARC entry to look like this; it worked well for me elsewhere with this tool:

v=DMARC1; p=reject; rua=mailto:admin@mydomain.com; ruf=mailto:admin@mydomain.com; sp=quarantine; ri=86400

However, after trying to use settings like these, I was getting continual warnings from YH that my DNS settings were not correct, so it looks like you have to strictly follow the Yunohost text records and cut your DMARC options down a lot. Two caveats: the stricter record above is valid DMARC, and the YH diagnosis flags it because it compares each published record against the one Yunohost generated, not because the record is broken. And v=DMARC1; p=none is monitoring only: receivers still deliver mail that fails SPF and DKIM alignment, you get no reports without a rua= address, and BIMI requires p=quarantine or p=reject. Once your own mail passes, move to an enforcing policy.

I ended up changing the DMARC from what’s above to a simple v=DMARC1; p=none (same ones generated from YH automatically)

So, until I hear otherwise, I would advise the following steps for setting up your DMARC record:

  1. Go to Domains > maindomain.tld (if that is the domain your email is coming to and from)
  2. Click the DNS configuration button. This opens a page listing the suggested records in plain zone-file form
  3. If there are several DMARC records on this page, find the one that matches the domain from step 1 and copy it. It will look something like this:

_dmarc 3600 IN TXT "v=DMARC1; p=none"

  4. Copy the text between the quotes to the clipboard (v=DMARC1; p=none), leaving the quotation marks out
  5. In the DigitalOcean Networking > DNS records section, create a new TXT record
  6. In the VALUE field paste the part you just copied
  7. In the HOSTNAME field type _dmarc
  8. To propagate the change sooner, change the TTL from 3600 to 300 (change it back once everything is recognized and working)
  9. Wait 10 to 20 minutes (it may take longer) and run the diagnosis. You should no longer see DMARC errors (if you had them), and DMARC should now be working.

Set up SPF for Yunohost on Digital Ocean for more email security

  1. Go to Domains > maindomain.tld (if that is the domain your email is coming to and from)
  2. Click the DNS configuration button. This opens a page listing the suggested records in plain zone-file form
  3. If there are several SPF records, find the one that matches the domain from step 1 and copy it. It will look something like this:

@ 3600 IN TXT "v=spf1 a mx -all"

This record authorizes only the hosts behind the domain’s A record and its MX records to send as the domain; -all tells receivers to reject everything else.

  4. Copy the text between the quotes to the clipboard (v=spf1 a mx -all), leaving the quotation marks out
  5. In the DigitalOcean Networking > DNS records section, create a new TXT record
  6. In the VALUE field paste the part you just copied
  7. In the HOSTNAME field type @ (the zone apex, i.e. the domain itself). If mail is sent from a subdomain, enter that subdomain instead
  8. To propagate the change sooner, change the TTL from 3600 to 300 (change it back once everything is recognized and working)
  9. Wait 10 to 20 minutes (it may take longer) and run the diagnosis. You should no longer see SPF errors (if you had them), and SPF should now be working.
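Before pasting the three values into DigitalOcean it helps to lint them. The following is an added example, not Yunohost’s or DigitalOcean’s code, and it covers the DKIM, DMARC and SPF records from the three sections above. The sample records and the RSA key inside it are constructed: fake_rsa_spki builds a structurally valid public key that is not usable for signing, and the domains and addresses are hypothetical. It flags the mistakes this procedure invites: pasting the zone-file quotes along with the value, a 1024-bit DKIM key, an SPF record that does not end in -all or ~all, and a p=none DMARC record with no reporting address.

```python
# Added example (not Yunohost code): offline lint for the DKIM, SPF and DMARC TXT
# values copied from Yunohost's DNS configuration page. Sample data is constructed.
import base64
import re


def unquote_zone_value(value: str, problems: list) -> str:
    # The quotes in the zone-file view are syntax, not content: flag them and strip them.
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        problems.append("value still carries the zone-file quotes; paste only the text between them")
        value = value[1:-1]
    return value


def parse_tags(value: str) -> dict:
    # 'tag=value; tag=value' form shared by DKIM key records and DMARC records.
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def _der_tlv(buf: bytes, pos: int):
    """(tag, content_start, content_end) of the DER element at pos, long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey SEQUENCE -> modulus INTEGER."""
    t1, pos, _ = _der_tlv(spki, 0)
    _, _, alg_end = _der_tlv(spki, pos)          # AlgorithmIdentifier, skipped
    t2, pos, _ = _der_tlv(spki, alg_end)
    t3, pos, _ = _der_tlv(spki, pos + 1)         # +1 skips the BIT STRING's unused-bits byte
    t4, start, end = _der_tlv(spki, pos)
    if (t1, t2, t3, t4) != (0x30, 0x03, 0x30, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()


def check_dkim(value: str) -> list:
    problems = []
    tags = parse_tags(unquote_zone_value(value, problems))
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing")
    p = re.sub(r"\s+", "", tags.get("p", ""))    # folding whitespace inside p= is legal
    if not p:
        return problems + ["empty p= means the key is revoked"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except Exception as exc:
        return problems + [f"p= is not a base64 RSA public key ({exc})"]
    if bits < 2048:
        problems.append(f"{bits}-bit RSA key; 2048 bits is the current baseline")
    return problems


def check_spf(value: str) -> list:
    problems = []
    terms = unquote_zone_value(value, problems).split()
    if not terms or terms[0].lower() != "v=spf1":
        return problems + ["record must start with v=spf1"]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
    if sum(n in {"include", "a", "mx", "ptr", "exists", "redirect"} for n in names) > 10:
        problems.append("more than 10 DNS-lookup mechanisms (RFC 7208 limit); receivers return permerror")
    last = terms[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append(f"record ends with {last!r}; only -all or ~all stops unlisted senders")
    return problems


def check_dmarc(value: str) -> list:
    problems = []
    tags = parse_tags(unquote_zone_value(value, problems))
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= is required and must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri.strip()):
                problems.append(f"{tag}= entry {uri.strip()!r} is not a mailto: URI")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua= neither enforces nor reports anything")
    return problems


def _der(tag: int, content: bytes) -> bytes:
    # Minimal DER TLV encoder, used only to build the constructed sample keys below.
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_rsa_spki(bits: int) -> bytes:
    # Constructed, structurally valid RSA SubjectPublicKeyInfo with a filler modulus (NOT a real key).
    # 1024 bits base64-encodes to "MIGf...", the prefix of the key in the tutorial; 2048 gives "MIIBIj...".
    modulus = b"\x00\xc3" + bytes(bits // 8 - 1)   # leading 0x00 keeps the INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))                # e = 65537
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def sample_dkim_record(bits: int) -> str:
    # Constructed record in the shape Yunohost shows, with a fake key of the given size.
    return "v=DKIM1; h=sha256; k=rsa; p=" + base64.b64encode(fake_rsa_spki(bits)).decode()


SAMPLE_DKIM = sample_dkim_record(1024)
SAMPLE_SPF = '"v=spf1 a mx -all"'                 # pasted with the zone-file quotes still on
```

Run check_dkim, check_spf and check_dmarc on each value exactly as you intend to paste it into the VALUE field; an empty list means nothing was flagged. The DER walk in rsa_modulus_bits is what lets the linter tell a 1024-bit key from a 2048-bit one without any third-party library.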

Hope that helps.

You may also want to check out my tutorial for setting up Roundcube. I’m writing it now and hopefully I’ll remember to come back here and update the link.
