
Let's say I own example.com, that I install and configure DKIM on my server (apt-get install opendkim opendkim-tools, etc.), and that I add the relevant public key to the domain's DNS records.

Then when sending email from my server (for example with PHP mail(...) or Postfix), it will have a DKIM signature.

But I also send emails for contact@example.com from Gmail, using the "Send mail as" feature with Sendgrid SMTP.

But I don't see in Gmail the setting for DKIM. Will the mails sent from Gmail be banned / not sent correctly because they're not sent with DKIM signature?

How to send email from Gmail for my domain using DKIM? (using Send mail as feature)


Note: this is the "Send mail as" feature I'm speaking about:

[screenshot: the Gmail "Send mail as" setting]

Basj
  • I am not 100% sure - this is why I do not answer it, but it will work. In any case, you can set up Gmail to send email via your server and sign with DKIM there. – Nick Aug 30 '17 at 21:34
  • @Nick I prefer to set up Gmail to send email via sendgrid.com because this is a very well-known trusted provider, avoiding potential problems with my own mail server. Having a 100% working self-hosted server is [not easy](https://blog.codinghorror.com/so-youd-like-to-send-some-email-through-code/), I can confirm! – Basj Aug 30 '17 at 21:39
  • You can set up a second DKIM key in Gmail, so mails from there will be signed, but with a different signature than from your web server. I have domains in Gmail, saw the menu, but never tried to set up DKIM. I even think they sign everything by default but cannot be sure. Unfortunately I cannot check this right now. – Nick Sep 01 '17 at 04:54

2 Answers


DomainKeys Identified Mail (DKIM) is for ensuring that mail content hasn't been tampered with during transmission. Unlike Sender Policy Framework (SPF), it's not trying to validate the source of the message as a permitted sender. RFC 5585, section 1.1 (DKIM's Scope) explains this:

> DKIM is intended as a value-added feature for email. Mail that is not signed by DKIM is handled in the same way as it was before DKIM was defined. The message will be evaluated by established analysis and filtering techniques. (A signing policy can provide additional information for that analysis and filtering.) Over time, widespread DKIM adoption could permit stricter handling of messages that are not signed. However, early benefits do not require this and probably do not warrant this.

Therefore, checks regarding DKIM are only performed for emails containing the signature. Unless required by DMARC (which may be considered, among its other purposes, as the stricter handling mentioned), not signing the messages with DKIM wouldn't cause them to be rejected.

Esa Jokinen
  • Thanks a lot. Is there a doc explaining this in detail? I really thought that if a DKIM TXT DNS record is present on example.com, then only the mail providers who have the keys will be able to send mail @example.com. So this is wrong? – Basj Aug 31 '17 at 07:35
  • Citation added and the relation between DMARC and DKIM clarified. – Esa Jokinen Aug 31 '17 at 07:48
  • Thanks for the link to dkim.org @EsaJokinen. However, I still don't find the paragraph that states "DKIM is only to check that content is not altered during transmission, not to verify that the sender is allowed to use @example.com". Any reference about this specific point? Looking at the document we could think it also does this (there's a paragraph "Identity verification"). – Basj Aug 31 '17 at 10:10
  • SPF is for giving the originating server permission to use the domain. Not having a DKIM signature is not wrong, as cited, but when signing, it should match the key introduced in DNS. – Esa Jokinen Aug 31 '17 at 10:12

SendGrid, Gmail, etc. will each sign with their own DKIM selector, so there won't be any overlap.

For instance, if you're not whitelabeled on SendGrid, they will sign with s=smtpapi, d=sendgrid.net. They have a record at smtpapi._domainkey.sendgrid.net. If you are whitelabeled on SendGrid (and you should be), you'll have created a DNS record, either m1._domainkey.example.com or s1._domainkey.example.com, which will have the public key, or a CNAME to the public key, respectively. Google Apps uses the selector ga1; I'm not sure what Gmail itself uses. Your own server-sent mail would also use whatever selector you define when you set up your DKIM.

When a receiving server is validating the DKIM signature, it takes the s= value of the signature into account when it queries for the public key. This is an important feature of DKIM, as it allows you to rotate your public keys for security, as well as allowing you to have ESPs sign on your behalf, or any other need for multiple keys.

  • (Background: I'm not [Sendgrid whitelabeled](https://sendgrid.com/docs/User_Guide/Settings/Whitelabel/domains.html) for now.). If I understand well, you say it will work without any problem? But how? Let's say a mail sent via sendgrid from `contact@example.com` arrives to customer's inbox. The receiver will look at my domain `example.com` and see a DKIM TXT DNS record. But sendgrid doesn't have my keys, so how will the receiver know sendgrid is allowed to use my `@example.com`? – Basj Aug 30 '17 at 22:27
  • 1
    If you're not whitelabeled, the DKIM signature SendGrid adds to your message will be for `sendgrid.net`, not `example.com`. The receiving system determines where to check by using the DKIM signature. It doesn't care (much) what domain you purport to be from, just which one the signature is from. You'd more want your SPF record to be updated, so that SendGrid's IPs pass your SPF record check. – jacobmovingfwd Sep 01 '17 at 00:57
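The two answers make complementary points: a receiver does no DKIM check at all on an unsigned message (first answer), and when a signature is present the receiver derives the DNS name to query from the signature's own `s=` and `d=` tags, not from the From address (second answer). The following Python snippet is an added example, not code from either answer; it parses constructed `DKIM-Signature` headers, computes the `<selector>._domainkey.<domain>` record name a verifier would look up, and reports whether `d=` would align with the From domain under DMARC. The `smtpapi`/`sendgrid.net` and `s1` values come from the second answer; the `mail` selector for the self-hosted server, the placeholder `bh=`/`b=` values and the sample headers are assumptions. The relaxed-alignment check is a simplification (real DMARC uses the organizational domain from the public suffix list).

```python
import re

# Constructed sample headers (not real signatures; bh=/b= are placeholders).
UNSIGNED = {                       # Gmail "Send mail as" via shared SMTP, no DKIM at all
    "From": "Contact <contact@example.com>",
}
SENDGRID_SHARED = {                # SendGrid, not whitelabeled: signs as sendgrid.net
    "From": "Contact <contact@example.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net; s=smtpapi;\n"
                      " h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER==",
}
SENDGRID_WHITELABEL = {            # SendGrid, whitelabeled: s1._domainkey.example.com
    "From": "Contact <contact@example.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\n"
                      " h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER==",
}
OWN_SERVER = {                     # opendkim on the asker's server; selector "mail" is assumed
    "From": "Contact <contact@example.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\n"
                      " h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER==",
}


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.5).
    Folding whitespace inside values is removed; only the first '=' separates tag
    from value, so base64 padding in bh=/b= is preserved."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_key_record_name(tags):
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>.
    Note that <d> is the signing domain from the header, not the From domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def from_domain(from_header):
    """Domain part of the RFC5322.From address ('Name <user@dom>' or bare 'user@dom')."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower()


def dmarc_dkim_alignment(tags, from_header, strict=False):
    """DMARC identifier alignment between d= and the From domain.
    strict: exact match. relaxed (default): From domain equals d= or is a
    subdomain of it (simplified; real DMARC compares organizational domains)."""
    d = tags["d"].lower()
    f = from_domain(from_header)
    if strict:
        return d == f
    return f == d or f.endswith("." + d)


def classify_message(headers):
    """Return (dkim_result, record_to_query, aligned_with_from).
    An unsigned message yields ('none', None, False): per RFC 5585 it is simply
    handled as pre-DKIM mail, no key lookup or rejection happens here."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return ("none", None, False)
    tags = parse_dkim_signature(sig)
    return ("signed", dkim_key_record_name(tags), dmarc_dkim_alignment(tags, headers["From"]))


if __name__ == "__main__":
    for label, msg in [("unsigned", UNSIGNED), ("sendgrid shared", SENDGRID_SHARED),
                       ("sendgrid whitelabel", SENDGRID_WHITELABEL), ("own server", OWN_SERVER)]:
        print(f"{label:20} -> {classify_message(msg)}")
```

Run it and the shared-SendGrid case shows the answer's point in data: the verifier fetches `smtpapi._domainkey.sendgrid.net`, so the signature can validate even though SendGrid never saw the example.com key; what it cannot do is align with `example.com`, which only matters once a DMARC policy is published (then SPF alignment, via the updated SPF record the comment recommends, or whitelabeling is needed).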