Back up to the Email Category

Difference between revisions of "DKIM"

From AAISP Support Site
Jump to: navigation, search
[quality revision][quality revision]
m (Testing if signing is working)
m (Testing the domainkey DNS record)
Line 56: Line 56:
 
If you use smtp.aa.net.uk and other email relays, then you will need to set up domainkey records for those mail servers too. They will use a different Selector and a different Key.
 
If you use smtp.aa.net.uk and other email relays, then you will need to set up domainkey records for those mail servers too. They will use a different Selector and a different Key.
   
== Testing the domainkey DNS record==
+
== Testing the _domainkey DNS records==
   
 
dig +short aaisp1._domainkey.YOURDOMAIN TXT
 
dig +short aaisp1._domainkey.YOURDOMAIN TXT
Line 63: Line 63:
 
eg,:
 
eg,:
 
dig +short aaisp1._domainkey.testing.me.uk TXT
 
dig +short aaisp1._domainkey.testing.me.uk TXT
 
   
 
== Testing if signing is working ==
 
== Testing if signing is working ==

Revision as of 22:25, 14 December 2019


WORK IN PROGRESS Currently being trialled by staff, not available to customers

Examples and confg is likely to change before customers are able to use DKIM

Important:

As with SPF, if you use DKIM/DMARC then you will also want to make sure that all email that you send from your domain is sent through email servers that will sign your messages - ie, all your outbound email should be sent out through smtp.aa.net.uk.

When using DKIM or SPF, you need to be careful that all you other devices, servers or services that send email from your domain all send through a server that will sign your messages.

What is DKIM?

This is just a brief overview of DKIM, you can read more about DKIM on other place or RFC6376

Also see SPF Record

DKIM is one of many methods which tries to protect email senders and recipients from spoofing/spam.

A domain owner can add DNS records which will publish a public key in a specially formatted TXT record. The email server they use for sending email (eg smtp.aa.net.uk) holds the matching private key, will sign messages and add this signature to the headers of the email. The record can either be a TXT record or a CNAME pointing to a KEY in you email provider's DNS.

Other mail servers which receive the email can then inspect the DNS record and the headers to check if it all matches up. If it does match up, then that means that the email has been sent through a server that is controlled by the domain owner. This gives some level of confidence that the email was actually sent by the owner of the domain and not spoofed.

Optionally, further DNS records (DMARC) can be added which declare to these other email servers what should be done with messages that fail the DKIM test - eg, do noting, block or quarantine.

Even if messages are just signed, then this can help them not to be marked as spam by the recipient.

Signing by smtp.aa.net.uk

Customers who meet the following criteria can have their messages signed by our email server:

  • We provide DNS services for the Domain
  • The txt record below is added (via the control pages)
  • You use smtp.aa.net.uk to send out email

The A&A email relays, smtp.aa.net.uk, can optionally DKIM sign email that is sent through it.

We use a single public key, and aaisp as the Selector.

Here is an example of what DNS record to add:

Host/name: aaisp._domainkey
Type: TXT
Value: "v=DKIM1; t=y; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuloXhiatbx0YnrKgS+UL4tZrxcm1rdIxYqWDrs4aMrsFLM4IiSov0McwnFKFCXmo2zqh06OwcRwyMHe4pM+izxUnsMWCRs8BcaAuBhUM+Vbo6qwp5fWjtswaIgwVgJKwY610wg+qfuKM6o2qKc/Hy9Tj" "H5W8D64cSQ7jPCS5xu8CM4Ty/WG1Q7+cLKD1Y3stusqFEX0RFVkcSsvzHNggbDBlWAQCnGeG2+pOoAnfDqSvFvqASCOdjE9HbOZLcFnQRBDiPhegN3BYNWe6leC3SpjI67JNlhcOXAN2sT9m6bTpVFgQHLCnIY4L6TZx/mbpM0xF59kS9VPpYOtl6nQZCQIDAQAB"

If this record exists then messages will then be signed by the AAISP key.

What if I send email via other mail servers

If you use smtp.aa.net.uk and other email relays, then you will need to set up domainkey records for those mail servers too. They will use a different Selector and a different Key.

Testing the _domainkey DNS records

dig +short aaisp1._domainkey.YOURDOMAIN TXT
dig +short aaisp2._domainkey.YOURDOMAIN TXT

eg,:

dig +short aaisp1._domainkey.testing.me.uk TXT

Testing if signing is working

There are various ways to test if signing is happening.

Send yourself an email If you send yourself an email, look at the header and you should see a DKIM-Signature: header which will include the signature along with s=aaisp which is the 'Selector we use'.

Send to a gmail account and check the DKIM report If you have access to a gmail account then send an email there, then in the little 3-dot menu in the email click 'Show Original'. You will then see the raw message but also information about SPF/DKIM/DMARC.

DMARC

This is just a brief overview of DKIM, you can read more about DKIM on other place or RFC7489

Adding a DMARC DNS record is optional, but can be beneficial.

If you add DMARC records then you also need to make sure that all the email you send is being sent through smtp relays which will sign your messages. ie, all your email for your domain would want to be sent through smtp.net.uk

There are various online generators for creating a dmarc record, but the contents of the record will cover the following basic settings:

  • 'v' - The version - usually DMARC1
  • 'p' - What to happen if dmarc fails, eg none, quarantine, reject
  • 'rua' - an email address (or multiple comma separated addresses) of where you'd like to XML receive machine readable statistic reports
  • 'ruf' - an email address (or multiple comma separated addresses) where you'd line to receive individual 'forensic' reports, these are XML machine readable copes of email that failed

There are more options available beyond the ones above.

The rua and ruf will be used by some of the bigger email providers - eg gmail, outlook, yahoo.

We'd suggest initially setting up reporting but no rejecting so that you can see how it's working out.

An example dmarc record which would send you reports but not tell other email severs to block if a message fails DKIM would look like this:

Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:YOU@YOURDOMAIN.COM; ruf=mailto:YOU@YOURDOMAIN.COM; fo=1

Once you are satisified that DKIM is working and all the email you send is being properly then you can change the record so that p is set to quarantine or reject.