Implementing DKIM and DMARC

Attending the Global Cyber Alliance’s DMARC Bootcamp has motivated me to move past just implementing SPF and so implementing DKIM and DMARC too. So far the bootcamp hasn’t talked about implementation details but searching the web turned up some useful tutorials on how to implement it on a Debian host using postfix and bind9. The first one was


I didn’t need the SPF instructions but the DKIM ones were very useful. At step 8 it sets the algorithm as “rsa-sha256” but I changed it to “sha256” instead. This means that the “txt” file generated can be simply cut’n’pasted into the DNS without modification. I use bind9 rather than Linode’s DNS manager so I didn’t bother joining the multiple parts of the public key as bind9 was happy with the record as it was (always handy when you plan to create a script to update it).

I chose to make the selector more specific, in case I needed more than one update a month while I was debugging it but maybe a single digit would have been sufficient and I used an inet socket rather than a local one (for no particular reason).

The section on DMARC in this tutorial only configured the DNS record so I had to search for another page to find out what to do with it and I found that at


opendmarc is in the standard repository so there is no need to play with backports. I added “IgnoreAuthenticatedClients true” to the opendmarc.conf file to take into account that users use an authenticated submission to send email. Without it there was an erroneous Authentication-Results indicating that dmarc had failed for mrp.net. This didn’t seem to have any impact on sending email to Google but I wanted to get rid of it.

Applying the mysql schema also turned up a problem when creating the domains table failed. It looked like it should have worked but it would seem that a character was larger than I expected. I added “DEFAULT CHARSET=utf8” to the domains and reporters commands to get around that problem.

When I first used the report_script I executed it in a directory that opendmarc couldn’t write in so the opendmarc-reports script failed. It seemed prudent to modify the script to “cd ${WORK_DIR}” even if it was only to be accessed via cron.

I haven’t modified spamassassin’s rules as I want to check the SPAM like email I receive to see if it would make a difference.

So far I’ve received aggregate reports from Google and Oath. It would seem that a number of sites in China are trying to send it email using my domain while the Oath report showed an attempt from Taiwan.

Updated the web site again

I’ve changed the theme again and gone through the web site updating the photography pages so that they use a common configuration (and should use the theme’s font rather than some random one). I have tried to implement a content security policy, centralised the CSS and cleaned up the javascript.


I finally decided that it was too much additional effort trying to make my regular web site display my photography in a way I liked and so I went out and tested some of the dedicated photography sites. These sites are aimed at people who want to sell prints but my main interest was in how they displayed the images. I finally settled on Zenfolio as they had a theme that I liked, one that included a full page slideshow, and so I’ve been slowly populating it with images. Shooting RAW affords me the “luxury” of  being able to play in a digital darkroom and that has allowed me to rescue some images that would have been discarded had they been JPEG. Hopefully my skills in Lightroom are improving, it’s certainly getting better although I’ve tried Capture One and I might migrate to it once Adobe want me to give them more money (especially if they decide to discontinue the non CC version of Lightroom).

You can visit the site at http://www.markpriorphotography.com and let it show you a sample of my work. Otherwise use the menu to visit the portfolio and a collection of trips. The slideshow feature seems to work best with the Chrome browser.

Updated the web site

I haven’t finished updating all my photo albums yet but I thought it was time to migrate to the new site anyway. I’m still working through the photos though so expect more photos to appear in due course.

Rebuilding the web site (again)

I discovered that the plugin I was using to display photos on my web site is no longer being developed or supported so I thought I better hunt down some new software that I was happy to use going forward.

Of course things like that don’t just stop there, after finding three different slideshows that might work, as I decided to try to make the web site iPhone/iPad/Android friendly and that took me down the Rapidweaver Theme rathole where I found that my original photo plugin didn’t play nice with newer themes.

So now I’ve rebuilt the web site using a new responsive theme, and found an app to build slideshows straight out of Adobe Lightroom. Only problem now is converting all those old slideshows into new (and improved) ones. Not helped by the lack of photo cataloging of the older photos.

It sounded so simple in the beginning…

Now have a StartCom certificate

Finally decided to get a StartCom certificate for my web site, just for WordPress really, and the iPad app now happily connects so I’ll be able to upgrade by blog while I’m travelling with just the iPad.

DNS problems

Discovered why some people (including me here in Longyearbyen) are getting my old web site rather than the new one. It seems that the Internode name servers haven’t updated. Looking closer it seems that Internode is using one to do the transfer and it’s being denied as it’s not one of the actual slaves. Fixed that but it seems that there is a race condition too. Had to update the SOA three times and get my server to send notifys to the Internode server to get it to a state where the rest of the data is up to date. Now need to wait for caches to refresh. Maybe tomorrow…

Moving www.mrp.net to a new server

OK I’ve finally bitten the bullet and changed the A and AAAA records and http://www.mrp.net should now use the new web server built using RapidWeaver. Still some work to be done to complete the rebuild (more photos to add, blog entries to fix) but hopefully it’s usable and I’ll fix the broken links as I discover them. It still leaves the mail system to migrate but at least there’s been obvious progress now 🙂

More changes

The iWeb template is 700 px wide but that’s just wasting space on a wide screen laptop so I’ve widened some of the pages to 900 px which looks better. Given iWeb’s uncertain future I’m not going to do them all (at this stage anyway) and might investigate RapidWeaver.
I’ve also started the process of migrating to the new server. If you’re seeing this page then you’re using the new one!

Updating the web site

It’s been a long time since I’ve done anything with this site, the plan was to wait until I had migrated to a new server but as that’s still a work in progress it’s time to at least add some photos!