Home

Geeklog: What I Learnt Today / Adam

Enabling DKIM to improve email delivery

> Was experiencing some issues with emails sent from a customers server not being received. Sender Policy Framework records (SPF) seem not to make that much difference in this case. Eventually set up Domain Keys Identified Mail so that emails sent are signed by the server as a sort of proof of origin. Which seems to be helping so far. Its not immediately evident, in my email clients at least, that DKIM is setup you can read through the email headers and you get something like this

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=TPC456.onmicrosoft.com; s=selector1-colin-co-uk0k;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=w1YgdzreonJQDEXp57tSVab6RFSioTYfF4Ow92Cy6Xc=;
 b=on3S3MeOvI3UHa93jIPUxt23KEpYZrBK5BX3CGHyJxEa1og8zoX4RDU+WauGsjbNRoSPj84qTZUsUj8m22P3mGSo6u1Udh87vL0yIBtXN3SKVMCp9BSKOXC0d2M3QrUUAqOf/mAPs7ieqQQCUnx79q38bPk5L5kuz8t+NnOP+F0=
but I found you can tell if an email is signed in gmail quite easily, if you look at a message then click the down arrow next to that shows you something like this

from:    Colin Example 
to:    Adam 
date:    2 November 2016 at 16:58
subject:    Re: wow is it really?
Signed by:    coldfusionisalive.com
The signed by bit indicates that the email is signed by the coldfusionisalive.com server so you can be somewhat reassured that the email does come from the right server rather than a spammer. Found that most of my email addresses have DKIM set up without me doing anything which is nice.
If you find yourself setting up DKIM or want to check its not setup wrong on your mail server you can also send a test email using that account to check-auth@verifier.port25.com and they very nicely send you something back with a summary like this

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   pass
DKIM check:         fail
SpamAssassin check: ham
and lots of details which was very useful. I was setting it up on a old server where it wasn't just a tick box and it took me many attempts before I got it all to hang to together and the signing to validate successfully. (Canonicalization was what the last thing I was tripping up over in my opendkim.conf)
DMARC
Once you have SPF and DKIM setup you can then go on to set DMARC which gives you some reporting on whatis happening when your emails reach bigger mail hosts like googlemail and outlook. It also provides a way of you instructing the receiving mail server to what to do if the mail sent to them fails to pass DKIM or SPF checks. There is quite a lot to a DMARC record the best explanation I found was this one https://support.google.com/a/answer/2466563?hl=en. I ended up with something like this:

_dmarc.example.com TXT v=DMARC1; p=none; rua=mailto:dmarc@example.com
so I'm not telling receiving servers to do anything other than report to an email address. After a while and as my understanding increases I'll probably instruct it to do more possibly breaking actions (quarantine, reject)
None of this really improves the security of email its still at some point being sent in plain text but it does give a receiving mail server another method of verifying that the email its received is legitimately from who it says it is. So in the end is making it more difficult for someone to send emails pretending to be from you.

/ Adam

← previously