11

I've tried improving the security of my emails (and preventing them from being marked as spam) by adding the SPF and DKIM records. So I've created both of them and I tested the results with check-auth@port25.com. This is the result:

==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

So, everything passed except for DomainKeys. The detailed report is:

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=myemail@mydomain.com
DNS record(s):

I then tried to add the TXT record _domainkey.mydomain.com with content t=y; o=~ and checked again, but the result was the same (the DNS has propagated, since I checked the DNS record from mxtoolbox and I got it).

What should I do to fix this?

entropid
    DKIM is the successor to DomainKeys. If you have DKIM working then do not worry about DomainKeys. Sender-ID is similarly the successor to SPF, though not as widely adopted at this time. – Chris S Nov 25 '13 at 16:37

2 Answers

8

The correct answer to "what should I do to fix this" is to delete the DomainKeys record. The confusion stems from thinking that DomainKeys and DomainKeys Identified Mail (DKIM) are the same. They aren't. DomainKeys was a Yahoo-specific technology that has been officially dead since 2007. As Chris S. stated, DKIM (DomainKeys Identified Mail) is the successor to DomainKeys, as of 2007.

A few years ago I ran both a DomainKeys and a DKIM validator on incoming mail. I did see a few emails bearing DomainKeys signatures but I'd be surprised if that were still the case. There is no longer any reason to deploy DomainKeys as none of the DomainKeys signing software is still supported.

This is all you need to worry about:

DKIM check: pass

And you're good.

Also, Chris S. is mistaken about Sender ID. It is not, nor has it ever been, proposed as a successor to SPF. Sender ID is a defunct Microsoft-proposed standard that built atop SPF. SPF and Sender ID don't do the same things. Sender ID was Microsoft's attempt to add header validation checks atop SPF (which validates the Envelope Sender). The rest of the email community rejected it in part because Microsoft asserted patent rights and didn't relinquish them until after Sender ID was stillborn. Outside of hotmail.com and on-premise Exchange servers, Sender ID's adoption could be accurately described as a rounding error.

Microsoft has ceased validating Sender ID on hotmail, leaving only on-premise Exchange servers as the last vestiges of Sender ID on the internet. They have announced upcoming changes to Exchange that will stop breaking DKIM signatures as messages pass through Exchange servers. Although DMARC merely prevents phishing, Microsoft has officially hopped on the DMARC bandwagon, embracing both DKIM and SPF.

Matt Simerson
0

To make DKIM work you have to sign every outgoing mail with your DKIM private key (on the mailserver). The public key should be added to your DKIM DNS record, so that other people can verify your signed mails.

For DKIM signing I use:

http://www.opendkim.org/

SPF is easy to implement - DKIM takes a little more effort

ah83
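The distinction drawn in the answers above, as an added example that is not part of the original thread: the script derives the DNS name a DKIM verifier queries from a DKIM-Signature header, checks that a key record is published there, and flags the legacy DomainKeys policy record (the t=y; o=~ record from the question) for deletion. The selector "mail", the placeholder key and signature values, and all function names are assumptions constructed for illustration.

```python
# Added example: constructed data, not taken from the thread.
# Assumptions: selector "mail"; PLACEHOLDER values stand in for real key/signature data.

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, _, val = part.partition("=")
            tags[tag.strip()] = "".join(val.split())  # drop header-folding whitespace
    return tags

def dkim_query_name(dkim_signature):
    """DNS name a verifier looks up for the public key: <s=>._domainkey.<d=>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def classify_txt(name, value):
    """Tell a selector key record from a legacy DomainKeys policy record."""
    labels = name.lower().split(".")
    tags = parse_tags(value)
    if labels[0] == "_domainkey" and "p" not in tags:
        return "domainkeys-policy"  # e.g. "t=y; o=~" at _domainkey.<domain>
    if len(labels) > 1 and labels[1] == "_domainkey" and "p" in tags:
        return "dkim-key" if tags["p"] else "dkim-key-revoked"  # empty p= means revoked
    return "other"

def audit(zone, dkim_signature):
    """Return (name the verifier queries, its status, legacy records to delete)."""
    wanted = dkim_query_name(dkim_signature)
    status = classify_txt(wanted, zone[wanted]) if wanted in zone else "missing"
    legacy = [n for n, v in zone.items() if classify_txt(n, v) == "domainkeys-policy"]
    return wanted, status, legacy

# Constructed sample input: one folded DKIM-Signature header and two TXT records.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=mail;\r\n"
             "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
ZONE = {
    "_domainkey.mydomain.com": "t=y; o=~",
    "mail._domainkey.mydomain.com": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY",
}

if __name__ == "__main__":
    print(audit(ZONE, SIGNATURE))
```
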