
I notice that every time I set up Google Apps, Mailgun, Mandrill or whatever, I always have to set up DomainKeys. That part makes sense - RSA, public/private, etc. - I get that.

Intuitively I would think there is a single standard for where to find SMTP domain keys, but instead it seems like one of these prefixes gets picked at random: smtp, k1, mx, pic, mailo.

Example:

  • smtp._domainkey.example.com (makes sense)
  • mx._domainkey.example.net (yup)
  • mailo._domainkey.example.org (why the o?)
  • k1._domainkey.foo.com (k for key? 1 for primary?)
  • pic._domainkey.bar.com (pic? what does that even mean?)

So I'm looking at my list of domains and it appears that only those 5 variations occur, but I'm not seeing a pattern.

  • Why isn't there just one standard prefix?
  • How does that querying server know which to query?
  • Isn't _ an illegal character?
  • And if the domainkey prefixes are arbitrary, why only arbitrary-ish?

I'd love to be pointed to some reading material as well as some short and sweet explanations if you have one on hand.

P.S. I've tried googling a little, but I don't know enough to figure out what my query should be. All that I see are tech-support how-to articles for specific email or hosting providers.

coolaj86

2 Answers

Here are the short and sweet answers that you requested:

How does that querying server know which to query?

That prefix is called the selector. The receiving server knows which DNS record to query by looking into the DomainKey-Signature header containing the cryptographic signature. Among many useful pieces of information, there are the selector and domain values. For example:

DomainKey-Signature: a=rsa-sha1; s=smtp; d=example.com; c=simple; q=dns; b=JOc8ZszniSbVoGVyOfAKCdLXyuU4zGffruD4doXSlEG2q8Ldyd00laHRNiYzRv+Z;

selector + "_domainkey" + domain = smtp._domainkey.example.com

Why isn't there just one standard prefix?

There isn't one standard prefix, because in some scenarios you want to have the option to configure multiple different DomainKeys records (e.g. you have two SMTP servers and you want each one to use its own DomainKeys policy).

Isn't _ an illegal character?

As you can see, it's not :-)

And here are some reading materials ;-)

Tubeless
  • You answered it while I was editing the response I got from my mailing list to answer it myself. :-) Thanks man (or woman)! – coolaj86 Nov 23 '15 at 22:14
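The selector-to-DNS-name step that this answer describes, as an added example that is not part of the original post: it parses the tag=value list of a DomainKey-Signature or DKIM-Signature header, builds the <selector>._domainkey.<domain> name the receiver queries, and classifies the TXT record found there. The sample headers and TXT records are constructed (the DomainKey-Signature one is the header quoted above).

```python
import re

# Constructed sample inputs (not from any real mail stream): the legacy
# DomainKey-Signature header quoted in the answer and a folded DKIM-Signature.
DOMAINKEY_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; s=smtp; d=example.com; c=simple; q=dns; "
    "b=JOc8ZszniSbVoGVyOfAKCdLXyuU4zGffruD4doXSlEG2q8Ldyd00laHRNiYzRv+Z;"
)
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;\r\n"
    "\ts=k1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED"
)

def parse_tag_list(tag_list: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by signature headers
    and key records. Folded whitespace is unfolded, whitespace inside values
    is dropped, and a trailing ';' is tolerated."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", tag_list)
    tags = {}
    for item in unfolded.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def signature_tags(header: str) -> dict:
    """Drop the header name ('DKIM-Signature:' or 'DomainKey-Signature:')
    and parse the remaining tag list."""
    _, _, body = header.partition(":")
    return parse_tag_list(body)

def selector_record_name(header: str) -> str:
    """Build the DNS name the receiver looks up: <selector>._domainkey.<domain>.
    This is why the prefixes look random: the sender chooses s= freely and
    the receiver simply follows whatever the signature says."""
    tags = signature_tags(header)
    if not tags.get("s") or not tags.get("d"):
        raise ValueError("signature header is missing the s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"

def key_record_status(txt: str) -> str:
    """Classify the TXT record found at that name: 'ok' when it carries an
    RSA public key, 'revoked' when p= is present but empty (the published
    way to retire a selector), 'unsupported' for anything else."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or "p" not in tags:
        return "unsupported"
    return "revoked" if tags["p"] == "" else "ok"
```

Pointing a resolver at the returned name (a TXT query) is the only network step; a receiver that cannot find or cannot parse the record treats the signature as unverifiable rather than as forged.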

Why isn't there just one standard prefix?

You may wish to use BOTH mailgun and mandrill (or whatever) so you need to be able to specify more than one key.

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#How_it_works

How does that querying server know which to query?

There is a zone identifier (example.com) and a subdomain identifier (mx) as part of the SMTP DKIM headers. They get put together as mx._domainkey.example.com

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#How_it_works

Isn't _ an illegal character?

Only sometimes.

http://domainkeys.sourceforge.net/underscore.html

And if the domainkey prefixes are arbitrary, why only arbitrary-ish?

Happy medium? Common convention? Dunno. (will post again when I do)

It is possible that two outbound mail servers might both direct you to use mx._domainkey.example.com, but you can try deleting and recreating the record to see if you get a different one - or contact support if that fails.

I certainly prefer to see something like mail, mx, or smtp as opposed to c15c5385. It's not like I'm going to use hundreds of outbound mail services for any single domain... right?

Credit

Many thanks to my local user group:

https://plug.org/pipermail/plug/2015-November/thread.html

coolaj86