
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

DKIM: Difference between revisions

AA-Andrew (talk | contribs)
AA-Andrew (talk | contribs)
 
(18 intermediate revisions by the same user not shown)
Line 1: Line 1:
<indicator name="Faults">[[File:Menu-email.svg|link=:Category:Email|30px|Back up to the Email Category]]</indicator>
<indicator name="Faults">[[File:Menu-email.svg|link=:Category:Email|30px|Back up to the Email Category]]</indicator>


Support staff can help in adding DKIM signing for domains that we host DNS and email services for.
'''WORK IN PROGRESS
'''
'''Currently being trialled by staff, not available to customers'''


'''Examples and confg is likely to change before customers are able to use DKIM
'''
== Important: ==
== Important: ==
As with SPF, if you use DKIM/DMARC then you will also want to make sure that all email that you send from your domain is sent through email servers that will sign
As with SPF, if you use DKIM/DMARC then you will also want to make sure that all email that you send from your domain is sent through email servers that will sign
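Review bot: typo in the added banner text, "confg" should be "config". The two bold banners are also split across lines ('''WORK IN PROGRESS on one line, the closing ''' alone on the next), which MediaWiki cannot render as a single bold run because bold markup does not span line breaks; put the closing ''' on the same line as the opening one, e.g. '''WORK IN PROGRESS''' and '''Examples and config is likely to change before customers are able to use DKIM'''.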
Line 19: Line 15:
Also see [[SPF Record]]
Also see [[SPF Record]]


DKIM is one of many methods which tries to protect email senders and recipients from spoofing/spam.
DKIM is one of many methods which tries to protect email senders and recipients from spoofing/spam and to proove that an email hasn't been tampered with.


A domain owner can add DNS records which will publish a public key in a specially formatted
A domain owner can add DNS records which will publish a public key in a specially formatted
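Review bot: spelling in the added clause, "proove" should be "prove". While touching the sentence, "one of many methods which tries to protect" should agree with "methods" ("which try to protect").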
Line 30: Line 26:
This gives some level of confidence that the email was actually sent by the owner of the domain and not spoofed.
This gives some level of confidence that the email was actually sent by the owner of the domain and not spoofed.


Optionally, further DNS records (DMARC) can be added which declare to these other email servers what should be done with messages that fail the DKIM test - eg, do noting, block or quarantine.
Optionally, further DNS records (DMARC) can be added which declare to email servers receiving the message what should be done it it fails the DKIM test - eg, do nothing, block or quarantine.


Even if messages are just signed, then this can help them not to be marked as spam by the recipient.
Even if messages are just signed, then this can help them not to be marked as spam by the recipient. This can help prevent messages that our customers send to gmail/outlook being put in to spam folders.

====Long txt records?====
If you are adding your own txt records and they are over 256 characters long, see [[Domains:DNS_Types]] for details on how to 'split' the record in to separate chunks.


== Signing by smtp.aa.net.uk ==
== Signing by smtp.aa.net.uk ==


Customers who meet the following criteria can have their messages signed by our email server:
Customers who meet the following criteria can have their messages signed by our smtp.aa.net.uk email relay:
* We provide DNS services for the Domain
* We provide DNS services for the Domain
* The txt record below is added (via the control pages)
* The three CNAME records below are added (via the control pages)
* You use smtp.aa.net.uk to send out email
* You use smtp.aa.net.uk to send out email


The DNS records required on the customer domain are as follows;
The A&A email relays, smtp.aa.net.uk, can optionally DKIM sign email that is sent through it.


aaisp1._domainkey CNAME aaisp1.dkim.aa.net.uk
We use a single public key, and aaisp as the Selector.
aaisp2._domainkey CNAME aaisp2.dkim.aa.net.uk
aaisp3._domainkey CNAME aaisp3.dkim.aa.net.uk


We have three selectors which enable us to roll over the keys easily.
Here is an example of what DNS record to add:

Host/name: aaisp._domainkey
Type: TXT
Value: "v=DKIM1; t=y; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuloXhiatbx0YnrKgS+UL4tZrxcm1rdIxYqWDrs4aMrsFLM4IiSov0McwnFKFCXmo2zqh06OwcRwyMHe4pM+izxUnsMWCRs8BcaAuBhUM+Vbo6qwp5fWjtswaIgwVgJKwY610wg+qfuKM6o2qKc/Hy9Tj" "H5W8D64cSQ7jPCS5xu8CM4Ty/WG1Q7+cLKD1Y3stusqFEX0RFVkcSsvzHNggbDBlWAQCnGeG2+pOoAnfDqSvFvqASCOdjE9HbOZLcFnQRBDiPhegN3BYNWe6leC3SpjI67JNlhcOXAN2sT9m6bTpVFgQHLCnIY4L6TZx/mbpM0xF59kS9VPpYOtl6nQZCQIDAQAB"

If this record exists then messages will then be signed by the AAISP key.


== What if I send email via other mail servers ==
== What if I send email via other mail servers ==
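Review bot: in the reworded DMARC sentence, "what should be done it it fails the DKIM test" should read "what should be done if it fails the DKIM test". The three record lines (aaisp1._domainkey CNAME aaisp1.dkim.aa.net.uk, and the aaisp2/aaisp3 equivalents) are plain wiki text, so their spacing will collapse on render; indent them with a leading space or wrap them in <pre> so they read as DNS records. Removing the old single-selector TXT example (selector aaisp, with t=y) is consistent with the new three-CNAME setup and with the later note that t=y was an oversight.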
Line 60: Line 55:
dig +short aaisp1._domainkey.YOURDOMAIN TXT
dig +short aaisp1._domainkey.YOURDOMAIN TXT
dig +short aaisp2._domainkey.YOURDOMAIN TXT
dig +short aaisp2._domainkey.YOURDOMAIN TXT
dig +short aaisp3._domainkey.YOURDOMAIN TXT


eg,:
eg,:
dig +short aaisp1._domainkey.testing.me.uk TXT
dig +short aaisp1._domainkey.testing.me.uk TXT

It should give an answer starting v=DKIM1; if no answer, then it isn't working...

Also try an online tool such as https://mxtoolbox.com/dkim.aspx (there are many others!)


== Testing if signing is working ==
== Testing if signing is working ==
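Review bot: because aaisp1._domainkey (and aaisp2/aaisp3) are CNAMEs, dig +short ... TXT prints the CNAME target (aaisp1.dkim.aa.net.uk) on the first line before the TXT data, so the output will not start with v=DKIM1 as the text says; say instead that the output should contain a line starting v=DKIM1. Also "eg,:" should be "e.g.:".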
Line 69: Line 69:


'''Send yourself an email'''
'''Send yourself an email'''
If you send yourself an email, look at the header and you should see a DKIM-Signature: header which will include the signature along with s=aaisp which is the 'Selector we use'.
If you send yourself an email, look at the header and you should see a DKIM-Signature: header which will include the signature along with s=aaisp1 which is the 'Selector we use'.


'''Send to a gmail account and check the DKIM report'''
'''Send to a gmail account and check the DKIM report'''
If you have access to a gmail account then send an email there, then in the little 3-dot menu in the email click 'Show Original'. You will then see the raw message but also information about SPF/DKIM/DMARC.
If you have access to a gmail account then send an email there, then in the little 3-dot menu in the email click 'Show Original'. You will then see the raw message but also information about SPF/DKIM/DMARC.

== DKIM and t=y ==
Until 2024-10-09 we were running our DKIM record with t=y - which tells other servers that signing is in ''testing'' mode. This was set when we originally set up the DKIM feature and wasn't removed ones it was all working! In practice many email servers would ignore this flag anyway. This was an oversight and has removed.


=DMARC=
=DMARC=


This is just a brief overview of DKIM, you can read more about DKIM on other place or RFC7489
This is just a brief overview of DMARC, you can read more about DKIM on other place or RFC7489


Adding a DMARC DNS record is optional, but can be beneficial.
Adding a DMARC DNS record is optional, but can be beneficial.
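Review bot: the "Send yourself an email" paragraph now names s=aaisp1, but the earlier section says three selectors (aaisp1, aaisp2, aaisp3) are used so keys can be rolled over, so a signed message may carry any of them; say "s=aaisp1, s=aaisp2 or s=aaisp3". In the new "DKIM and t=y" paragraph, "wasn't removed ones it was all working" should be "once", and "has removed" should be "has been removed". Under =DMARC=, the changed sentence now says "brief overview of DMARC" but still "read more about DKIM"; RFC 7489 is the DMARC specification, so this should be "read more about DMARC".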
Line 82: Line 85:
If you add DMARC records then you also need to make sure that
If you add DMARC records then you also need to make sure that
all the email you send is being sent through smtp relays which will sign your messages. ie, '''all your email for your domain would want to be
all the email you send is being sent through smtp relays which will sign your messages. ie, '''all your email for your domain would want to be
sent through smtp.net.uk'''
sent through smtp.aa.net.uk'''


There are various online generators for creating a dmarc record, but the contents of the record will cover the following basic settings:
There are various online generators for creating a dmarc record, but the contents of the record will cover the following basic settings:
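Review bot: the hostname correction from smtp.net.uk to smtp.aa.net.uk is right; the surrounding sentence "all your email for your domain would want to be sent through smtp.aa.net.uk" reads awkwardly, consider "all email for your domain should be sent through smtp.aa.net.uk", and "ie," should be "i.e.,".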