When we had just launched our secure email service SFLetter.com it turned out that email services like gmail.com, outlook.com and yahoo.com marked all emails sent from our domain name as spam. This happened because of incorrect DKIM settings.
DKIM (DomainKeys Identified Mail) is a framework that lets receiving mail exchangers check that incoming mail from a domain was authorized by that domain's administrators. The idea is the following: before an email message is sent, the mail server signs it with a private key that is available only to the administrator of the domain. When the message arrives at the mail server on the other side, that server asks the corresponding DNS server for the public DKIM key with which it can validate the digital signature. If validation succeeds, what happens next depends on the settings of the receiving server. In the first variant the email is delivered to the recipient without any further verification. In the second variant the server only lowers the spam rating and runs further checks. Most popular email services automatically mark emails as spam if they don't carry a DKIM signature. That is why it is important to set up DKIM to ensure normal email exchange.
There are two steps:
You can generate keys manually or with the help of special web services, e.g. https://www.dnswatch.info/dkim/create-dns-record, http://www.port25.com/support/domainkeysdkim-wizard/.
For automatic key generation via a web service you need to enter your domain name and a key ID (you need the ID if there are several mail servers in the domain; it's better to use a separate key for every server). When generation is completed you will see a page containing a private key, a public key and a TXT record to be copied to the DNS server. Save the public and private keys in separate TXT files and restrict access to the private key.
If you are going to generate the key manually, I recommend using the openssl utility. First let's generate a private key:
openssl genrsa -out mailprivate.key 1024
And then generate a public key based on the private key:
openssl rsa -pubout -in mailprivate.key -out mailpublic.key
Let's start with DNS. We add two new TXT records to the DNS zone of the sending domain:
_domainkey.mydomain.com. IN TXT "o=~;"
The record name starts with "_domainkey.", which marks it as a DKIM-related record. We set the "o" parameter:
"o=~" means that some emails can be sent unsigned from this domain;
"o=-" means that only signed emails can be sent from this domain.
The second record is:
mail._domainkey.mydomain.com. IN TXT ( "v=DKIM1\; k=rsa\; p=<public key>" )
Here "mail." is the key ID (the DKIM selector) for our pair of keys, and <public key> is replaced with the base64 body of the public key. Please note that you must use a private key and a public key from the same set.
Here v is the version of the DKIM protocol, k is the key algorithm and p is the value of the public key.
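As an added example that is not part of the original article, the following Python helper turns the mailpublic.key PEM file written by the openssl step above into the p= value, splits the record into quoted strings of at most 255 octets (a DNS TXT limit that matters once keys are longer than 1024 bits), and parses a published record back to check the v, k and p tags. The key bytes below are constructed for the demonstration and are not a real key.

```python
import base64
import re
import textwrap

# Constructed sample, NOT a real key: bytes shaped like a DER SubjectPublicKeyInfo
# (leading SEQUENCE tag 0x30) of roughly 2048-bit size. Real input is the file
# written by `openssl rsa -pubout -in mailprivate.key -out mailpublic.key`.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(range(256)) + bytes(30)
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END PUBLIC KEY-----\n")

def pem_to_p(pem):
    """The p= value: the PEM body with armor lines and line breaks removed."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # a SubjectPublicKeyInfo is a DER SEQUENCE
        raise ValueError("PEM body is not a DER SubjectPublicKeyInfo")
    return body

def dkim_txt_strings(pem):
    """Split the record value into strings of at most 255 octets (the RFC 1035
    character-string limit); the verifier concatenates them again."""
    value = "v=DKIM1; k=rsa; p=" + pem_to_p(pem)
    return [value[i:i + 255] for i in range(0, len(value), 255)]

def dkim_zone_line(domain, selector, pem):
    """Format the BIND zone-file line for <selector>._domainkey.<domain>."""
    quoted = " ".join('"%s"' % s for s in dkim_txt_strings(pem))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, quoted)

def parse_dkim_record(txt_strings):
    """Join the TXT strings, parse the tag=value list and check the tags a
    verifier requires (RFC 6376 section 3.6.1)."""
    tags = {}
    for item in "".join(txt_strings).split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # whitespace in values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type " + tags["k"])
    if "p" not in tags:
        raise ValueError("p= tag missing")
    if tags["p"] == "":
        raise ValueError("empty p= means the key has been revoked")
    base64.b64decode(tags["p"], validate=True)  # p= must be valid base64
    return tags
```

Calling dkim_zone_line("mydomain.com", "mail", open("mailpublic.key").read()) prints the line to paste into the zone; parse_dkim_record takes the strings returned by a TXT lookup of mail._domainkey.mydomain.com.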
After this you need to enable DKIM signing on the mail server and specify the path to the file where the private key is stored. Don't forget to use a private key and a public key from the same set. Every mail server has its own configuration rules, so I recommend following its manual to set up DKIM correctly.
Now we need to check that everything works. We send an email message to services that support DKIM, such as gmail.com, outlook.com and yahoo.com; you need accounts on these services for testing purposes. Then we check the headers of the received email: there should be a line "dkim=pass". See an example for gmail.com:
spf=pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) firstname.lastname@example.org;
After DKIM was set up, our secure email service SFLetter.com works faster because its messages skip spam verification. This increased its reliability and strengthened its protection against spam activity.
Author: Alexey Udalov