
Let's say my domain is example.com and we have SPF records for the SMTP servers on example.com. Now let's say I have decided I want to allow example.org to send mail as example.com. I know how to add example.org to the SPF, but if I wanted to also use DomainKeys or DKIM to authenticate example.org, would the keys need to be in example.com or example.org? For example,

Would I use:

_domainkey.example.com.                  IN TXT          "t=y\; o=~\;"
xxxxxxx._domainkey.example.com.          IN TXT          "k=rsa\; p=xxxxxxxxxxx"

or

_domainkey.example.org.                  IN TXT          "t=y\; o=~\;"
xxxxxxx._domainkey.example.org.          IN TXT          "k=rsa\; p=xxxxxxxxxxx"

Also,

1) Who generates the keys? example.com or example.org? (I am pretty sure that example.org would make the keys, then send us the public for DNS, but not sure)

2) Would I need both SPF and keys or would keys alone be enough to authenticate the other domain and allow it to pass authentication? ( I am in a position where I would like to use only keys)

3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?


1 Answer

As an email sender, properly configuring your server goes a long way toward establishing credibility/trust. Almost all evaluation is automated now, and many organizations are selective on what they publish. A majority of the connections to my server are clearly spam.

1) Who generates the keys? example.com or example.org? (I am pretty sure that example.org would make the keys, then send us the public for DNS, but not sure)

You can use the existing key to sign for both domains. The trick is to sign the email using the correct signer. I extract the domain from the sender address and sign as that domain.

It is perfectly acceptable to have multiple active public keys with different selectors. During key replacement you will want the old and new keys active. Keys should be replaced periodically.

If you are acting as a relay server and example.org is signing, they need to generate the key they use. Whoever is maintaining the DNS for the signing domain will need to add the public key for the selector used to sign the messages.

It is safest to generate the key on the signing server. That will eliminate the need to have the private key anywhere else. The public key is public and will be published, so there is no need to secure it.

Many large organizations fail to publish their public keys. I commend you for your efforts to get it right.

2) Would I need both SPF and keys or would keys alone be enough to authenticate the other domain and allow it to pass authentication? ( I am in a position where I would like to use only keys)

Both SPF and DKIM are entirely optional, but they do help distinguish your server from a spambot. I recommend using SPF for all domains. This can be as simple as v=spf1 a mx -all for domains sending email, v=spf1 a -all for mail servers, and v=spf1 -all for all other domains.

3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?

SPF is more reliable, but I believe most large sites are checking both DKIM and SPF. A pass with a strict SPF policy is a good indicator that the email is valid. In my experience SPF is used by many organizations to evaluate messages.

For mail servers, I defer acceptance of messages unless: there is no SPF policy for either the mail server's domain or its parent; or SPF passes SPF validation for its domain or its parent. Soft passes are considered failures.

As I noted, many large organizations have failed to publish their DKIM public key. As a result I doubt failing DKIM on its own will cause much of an issue. A valid DKIM signature does seem to help establish credibility/trust. However, if you have published a DMARC record, its policy may be applied.

Publishing a DMARC record for the domain allows you to make your SPF and DKIM signing policies available for automated validation. DMARC allows the receiving server to send you details on where email for your domains is arriving from, and how it was handled. Both Gmail and Yahoo send me reports. Start with a notify-only policy until you are sure your mail is correctly signed, and SPF is working.

  • We are not acting as a relay server in the sense I think you are referring to. We are simply allowing them to send mail as us by adding their domain in an include statement inside of our SPF. So we are sending on behalf of them, so to speak. They (example.org) created the keys but did it for our domain name (example.com). I am second guessing that and thinking they should have done it for their domain, not ours, since it's the one needing to be auth'ed. Can you clarify that aspect for me? – user53029 Aug 29 '16 at 01:53
  • I'd like to clarify my statement about the relay server. We will not be touching any emails coming from example.org SMTP servers. As I mentioned, they will be sending AS us. For example, someone at example.org will be sending as @example.com from example.org's SMTP server. So, I guess the key being signed as example.com IS what's needed. Because now that I think about it, example.org should not be in any of the email headers since they are sending as us. – user53029 Aug 29 '16 at 02:19
  • @user53029 If they are sending as you, your existing setup should be fine. Consider my comments on SPF and DMARC anyway. – BillThor Aug 29 '16 at 02:25
  • @user53029, If they send and sign as `example.com`, then you will need to publish their key, or remove their signature and resign. Either option is acceptable, although it appears you are currently using the first option. -- If they are not sending any email as `example.org`, then a `v=spf1 -all` record would be appropriate for `example.org`. – BillThor Aug 29 '16 at 02:31
  • We are publishing their key in DNS. And one of the reasons I asked about SPF/DKIM "one or the other" was because when we add them to our SPF, it takes us over the SPF lookup limits, and that can cause problems. So, I was looking at DKIM only as a solution for example.org and how that would need to be setup in DNS for them going that route. – user53029 Aug 29 '16 at 02:37
  • @user53029 The smallest SPF limit is for lookups. Use IP ranges instead of MX or A records to reduce the number of lookups. Check the records for Gmail, which has a large number of server farms in its records. You only need to list sending servers. It is appropriate to have a separate pool of relay MTAs sending to the Internet and a separate pool of MX servers. Try not to let all your servers send mail directly to the internet. Only servers sending email to the internet need to be listed in your SPF record. – BillThor Aug 29 '16 at 02:42