Questions tagged [dkim]

DomainKeys Identified Mail is a scheme for signing and verifying email messages to confirm that that the source hasn't been forged, and is typically implemented by MTAs. The source MTA adds a header to the message body containing a signature, and the destination MTA verifies this signature against a key retrieved from DNS.

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.

DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.[1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.[2] Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than the message's authors and recipients.

The first version of DKIM synthesized and enhanced Yahoo!'s DomanKeys and Cisco's Identified Internet Mail specifications. It was the result of a year-long collaboration among numerous industry players, during 2005, to develop an open-standard e-mail authentication specification. Participants included Alt-N Technologies, AOL, Brandenburg InternetWorking, Cisco, EarthLink, IBM, Microsoft, PGP Corporation, Sendmail, StrongMail Systems, Tumbleweed, VeriSign and Yahoo!. The team produced the initial specification and several implementations. It then submitted the work to the IETF for further enhancement and formal standardization.

574 questions
110
votes
6 answers

Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

This is a Canonical Question about Fighting Spam. Also related: How to stop people from using my domain to send spam? What are SPF records, and how do I configure them? There are so many techniques and so much to know about fighting SPAM.…
Chris S
  • 77,337
  • 11
  • 120
  • 212
42
votes
7 answers

Is it becoming impossible to be a small mail provider?

I operate a small mail server for my private emails, some friends who have websites and two NGOs. In total my server sends between 60 and 400 messages a day. Now a lot of these emails are personal mails, between two or more people who know each…
Stefan Seidel
  • 732
  • 1
  • 7
  • 20
41
votes
5 answers

Find DKIM and DMARC Records?

Is there a method to find a domain's DKIM and DMARC records using dig or nslookup? I have attempted to do the following: dig somedomain.org any returns many records, but not the known DKIM and DMARC text records. nslookup -type=txt…
Evil Genius
  • 521
  • 1
  • 4
  • 5
40
votes
4 answers

DKIM sign outgoing mail from any domain (with Postfix and Ubuntu)

I got DKIM setup on my mail server (postfix and ubuntu) so it signs outgoing emails. I used these instructions: https://help.ubuntu.com/community/Postfix/DKIM However, I need it to sign emails from any domain (in the From address) and not just my…
Brian Armstrong
  • 1,557
  • 3
  • 18
  • 22
34
votes
3 answers

Remove "via" from emails sent to Gmail from Amazon SES

When sending emails from Amazon SES, gmail shows "sent via amazonses.com". How do I remove this? According to Google, I'm a sender and I don't want my recipients to see the "via" link. What can I do? Gmail checks whether emails are correctly…
csi
  • 1,535
  • 7
  • 22
  • 42
26
votes
3 answers

SPF vs. DKIM - The exact use cases and differences

I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together. First: SPF can pass where it should fail if the sender or DNS is "spoofed" and it can fail where it should pass if some advanced setup of proxies and…
deleted user 42
  • 363
  • 1
  • 3
  • 6
25
votes
7 answers

How do I enter a strong (long) DKIM key into DNS?

I'm trying to enter a 4028 bit DKIM key into DNS and it seems that I'm exceeding both the UDP 512 byte limit and also the maximum record size for a TXT record. How does someone properly create a large key (with implied larger encoded size) and…
makerofthings7
  • 8,821
  • 28
  • 115
  • 196
22
votes
5 answers

Does DKIM alone not solve the spam issue? Why do I need SPF?

FINAL EDIT : I was completely wrong about DKIM it seems, the signing domain does not have to be the same as the sender domain, thus the whole premise for my question is flawed. A lot of thanks to Paul for pointing out my mistake! Original Question…
cornergraf
  • 481
  • 1
  • 4
  • 8
18
votes
6 answers

Domain Key not showing up in DNS query

*SOLVED - See bottom of this post * So problem here is that I have been trying to set up a domain key for several days. I've done it successfully in the past, but I just can't get it to work this time. Now the problem I am currently wrestling with…
Dan Miller
  • 193
  • 1
  • 1
  • 6
13
votes
1 answer

DKIM: Can I use a RSA key larger than 2048bit, i.e. 4096?

I wonder if I can simply use a 4096bit RSA key for DKIM (in DNS TXT Record). Are there any downsides (neglecting computational effort)? Maybe there are mail servers which can't handle a key this large? Also: Is there any big mail provider which…
13
votes
2 answers

What does dis=NONE mean in an email's Authentication-Results header?

The following is from an email I received recently: Authentication-Results: mx.google.com; spf=neutral; dkim=pass header.i=@yahoo.com; dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com I've been reading about SPF, DKIM, and…
Alex Henrie
  • 234
  • 1
  • 2
  • 7
11
votes
4 answers

Why is my opendmarc failing pretty much everything that comes through?

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone: example.com. 600 IN MX 1 mail.morpheu5.net. example.com. …
Morpheu5
  • 259
  • 4
  • 18
11
votes
4 answers

postfix: connect to Milter service inet:127.0.0.1:8891: Connection refused

I noticed that there is a error with milter if I type service postfix status : Jul 01 17:39:01 mail postfix/cleanup[13921]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused but what does that mean and how do I fix that? It…
Sarius
  • 141
  • 1
  • 2
  • 10
11
votes
2 answers

Mail with DKIM Signature gets T_DKIM_INVALID flag by SpamAssassin

I've installed a Debian (jessie) box with postfix and spamassassin. Configured and everything works fine. Except receiving mails with DKIM signatur will produce a flag T_DKIM_INVALID even if the signature is valid. See log example below. After that,…
High Ball
  • 478
  • 4
  • 11
11
votes
2 answers

Publishing long domain key records in bind9

I am setting up a mail system based on exim4. This system implements DKIM signing and checking (among other things). Signing seems to work without problems but checking doesn't work and exim4 complains about the syntax of my TXT records which…
alxgomz
  • 1,600
  • 1
  • 10
  • 14
1
2 3
38 39