2010/01/01 by Maarten Oelering.
DKIM recipe for PowerMTA
DomainKeys, and its successor DKIM, are important email authentication techniques. Because they are based on cryptography, they are more secure than SPF and Sender ID. With DomainKeys/DKIM the integrity of the content is also protected, and authentication does not break when emails are forwarded. DomainKeys/DKIM is used by large webmail providers such as Google, Yahoo and AOL. Common spam filters such as Postini and SpamAssassin also support DomainKeys/DKIM checking.
To register for the feedback loop of Yahoo, you are required to sign emails with DomainKeys or DKIM. DomainKeys requires that the domain used to sign the email (the signing identity) matches the Sender: or From: domain (the sending domain). This can be troublesome for Email Service Providers, since the DNS and the mail server need to be configured for each individual From: domain, which often belongs to the ESP's customer.
With DKIM, the signing identity is not required to match the From: domain. Thus it becomes possible to sign emails with different From: domains using the domain of the ESP. PowerMTA has supported this ‘third-party signing’ scheme since release 12 via the dkim-identity parameter. This PowerMTA Recipe shows you how to set up DKIM for any From: domain using PowerMTA.
The dkim-identity parameter
The key to DKIM signing emails with an arbitrary sender domain is the dkim-identity parameter. This parameter allows you to specify the email address of the ‘signing identity’ which becomes the ‘i=’ field in the DKIM signature header.
The dkim-identity parameter is used in combination with the domain-key parameter. The domain-key parameter specifies the selector, the domain of the signing entity and the private key used for signing the mails. The domain becomes the ‘d=’ field in the DKIM signature header.
The DKIM standard requires that the domain part of the ‘i=’ field is the same as, or a subdomain of, the domain in the ‘d=’ field. Thus the domain part of the email address in dkim-identity must match or be a subdomain of the domain in the domain-key parameter.
Emails will be signed with DKIM by PowerMTA if:
1. dkim-sign is set to ‘yes’ or ‘true’ and,
2a. the domain in any domain-key matches the sender domain (Sender: or From:) or,
2b. the domain part of dkim-identity matches or is a subdomain of the domain in any domain-key.
The following example configuration signs all emails to yahoo.com, gmail.com and aol.com with DKIM. The ‘i=’ field is set to firstname.lastname@example.org and the ‘d=’ field is set to esp123.com.
Please follow the instructions in the PowerMTA User’s Guide on how to create a private key and how to configure the public key in the DNS.
domain-key sel1, esp123.com, /etc/pmta/sel1.esp123.pem

<domain gmail.com>
    dkim-sign yes
</domain>

<domain yahoo.com>
    dkim-sign yes
</domain>

<domain aol.com>
    dkim-sign yes
</domain>

<domain *>
    dkim-identity email@example.com
</domain>
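To sanity-check a configuration like the one above before deploying it, here is an added Python model of the signing rules described in this recipe (the dkim-sign / domain-key / dkim-identity decision and the i=/d= alignment requirement). It is example code written for this page, not PowerMTA's own implementation; the identity value bounces@esp123.com is an assumption chosen so that it satisfies the alignment rule.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DomainKey:
    selector: str   # becomes the s= tag
    domain: str     # becomes the d= tag
    key_path: str   # private key file; carried along here, never read

def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

def identity_aligned(identity: str, d_domain: str) -> bool:
    """DKIM requires the i= domain to equal d= or be a subdomain of it."""
    i_dom, d_dom = domain_of(identity), d_domain.lower()
    return i_dom == d_dom or i_dom.endswith("." + d_dom)

def signing_tags(sender_domain: str, domain_keys: list, dkim_sign: bool,
                 dkim_identity: Optional[str] = None) -> Optional[dict]:
    """Return the s=/d=/i= tags that would be emitted, or None if no signature.
    Rule 1: dkim-sign must be on.  Rule 2a: a domain-key matches the sender
    domain.  Rule 2b: dkim-identity is aligned with some domain-key."""
    if not dkim_sign:
        return None
    sender_domain = sender_domain.lower()
    for dk in domain_keys:                       # 2a: first-party signing
        if dk.domain.lower() == sender_domain:
            i = dkim_identity if dkim_identity and identity_aligned(dkim_identity, dk.domain) else None
            return {"s": dk.selector, "d": dk.domain, "i": i}
    if dkim_identity:                            # 2b: third-party signing
        for dk in domain_keys:
            if identity_aligned(dkim_identity, dk.domain):
                return {"s": dk.selector, "d": dk.domain, "i": dkim_identity}
    return None

# Constructed config mirroring the recipe above; IDENTITY is an assumed value
# under the ESP's d= domain, so that the i=/d= alignment rule holds.
KEYS = [DomainKey("sel1", "esp123.com", "/etc/pmta/sel1.esp123.pem")]
IDENTITY = "bounces@esp123.com"

if __name__ == "__main__":
    # A customer's From: domain, signed third-party with the ESP's key
    print(signing_tags("customer.example", KEYS, True, IDENTITY))
    # An identity outside d= is not aligned, so nothing would be signed
    print(signing_tags("customer.example", KEYS, True, "email@example.com"))
```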
Testing your configuration
You should check your PowerMTA configuration and DNS setup by sending a test email to an account at Gmail, Yahoo, AOL and any other recipient domain configured for DKIM. Retrieve the test email and select Show original (Gmail), Full Header (Yahoo) or View Message Source (AOL). If you see an authentication header containing ‘dkim=pass’ or ‘dkim: pass’, your setup is working properly.
If you would like to know more about how we can help you, just send us a message via our contact page.