DKIM

Article by on October 14, 2021, last modified on October 15, 2021

This will help you set up DKIM: http://www.dnswatch.info/dkim/create-dns-record

I also tried this one, but I don't think I used it: http://dkimcore.org/tools/

This will help you set up an SPF record: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

And, of course, if you need to check your DKIM you can use Gmail itself with this how-to: https://support.google.com/mail/answer/180707?hl=en

And testing SPF: http://www.kitterman.com/spf/validate.html

http://mxtoolbox.com/spf.aspx

DKIM Keys

1 - Create the private key

$ openssl genrsa -out jp202110._domainkey.josephdpurcell.com.private.key 1024

2 - Create the public key

$ openssl rsa -in jp202110._domainkey.josephdpurcell.com.private.key -pubout -out jp202110._domainkey.josephdpurcell.com.public.key

3 - Go to https://www.dnswatch.info/dkim/create-dns-record and enter the values.

DKIM Signature

DKIM has two parts: (1) setting up your DNS record, and (2) modifying your mail sender to add DKIM signatures. DKIM is just a Public Key Infrastructure (PKI) protocol, similar to SSL certificates: you create a public and a private key; the public key goes in a DNS record, and the private key is used on your mail server to sign emails (the signature goes into an email header). Setting up the DNS record is easy; setting up the email signatures is hard.

This tool will help you create your DKIM DNS record: http://www.dnswatch.info/dkim/create-dns-record. Here is an image of what I used:

I'm not sure what DNS service you use, but it should allow you to create a "TXT" record. It should be key/value, so "TXT" for the key and the value is the big blob of text starting "v=DKIM...".

After you've added your DNS record, you can then verify it at:
http://dkimcore.org/c/keycheck

For example, under the "Check a published DKIM Core Key" section, type in "jp052013" as the selector and "josephdpurcell.com" as the domain and it will show you a valid DKIM record. I'm not sure what the validation does exactly, but it ended up working. Here is an image of my validation:

So, all of THAT ^ was just for setting up your DNS record.

Now comes the hard part: getting your mail server to send DKIM signatures with emails. Mine was easy because I was sending email via a PHP script, so I just modified the PHP script. For you, you'll probably have to dig into forums for whatever mail daemon you're using or maybe even find a mailing list to get help.

Once that's all done, you can check whether Google's or Hotmail's mail servers see the DKIM signature as valid by looking at the info Gmail/Hotmail gives you. Here's a screenshot of a valid signature coming from my mail server:

You can also look at the raw mail and see the validation for both the SPF and DKIM:

Delivered-To: josephdpurcell@gmail.com
Received: by 10.25.18.3 with SMTP id h3csp397948lfi;
        Sat, 8 Nov 2014 16:27:27 -0800 (PST)
X-Received: by 10.140.40.239 with SMTP id x102mr29397035qgx.69.1415492846964;
        Sat, 08 Nov 2014 16:27:26 -0800 (PST)
Return-Path: <mailman@josephdpurcell.com>
Received: from josephdpurcell.com (li321-231.members.linode.com. [66.228.40.231])
        by mx.google.com with ESMTPS id b1si24418801qcs.38.2014.11.08.16.27.26
        for <josephdpurcell@gmail.com>
        (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Sat, 08 Nov 2014 16:27:26 -0800 (PST)
Received-SPF: pass (google.com: domain of mailman@josephdpurcell.com designates 66.228.40.231 as permitted sender) client-ip=66.228.40.231;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of mailman@josephdpurcell.com designates 66.228.40.231 as permitted sender) smtp.mail=mailman@josephdpurcell.com;
        dkim=pass header.i=@josephdpurcell.com
Received: by josephdpurcell.com (Postfix, from userid 33)
        id D8D772FC710; Sat,  8 Nov 2014 19:27:25 -0500 (EST)
To: Joe Purcell <josephdpurcell@gmail.com>
Subject: Visit to Cincinnati
X-PHP-Originating-Script: 33:class.phpmailer.php
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=13058; s=jp052013;
        t=1415492845; c=relaxed/simple;
        h=From:To:Subject;
        d=josephdpurcell.com; i=mailman@josephdpurcell.com;
        z=From:=20"Joseph=20D.=20Purcell"=20<mailman@josephdpurcell.com>
        |To:=20Joe=20Purcell=20<josephdpurcell@gmail.com>
        |Subject:=20Visit=20to=20Cincinnati;
        bh=RbEuQ4MJ1DecWkdkZWtIHO9sSHs=;
        b=PEdLdKV9JgswaMRjoIuo+x+PTdYtL4Il5+OaQm/aeq2riSUXo9mbqHDW8ZVFXqznQgEXpYsmImbOLpblY+QtTbP7UNs+bpuVqR2dPxc+y+4gPqXQIYXuyzev3YYHigi5vS0u3bTHCfPAQYRo6uMCcrM+ttfUEREApCawEWq9f2o=
Date: Sun, 9 Nov 2014 00:27:25 +0000 +0000
From: "Joseph D. Purcell" <mailman@josephdpurcell.com>
Message-ID: <0fc1a7333bad996b171718580feb5f98@josephdpurcell.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="b1_0fc1a7333bad996b171718580feb5f98"

--b1_0fc1a7333bad996b171718580feb5f98
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
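
A "dkim=pass" only says the signature verified; it says nothing about how much of the message the signature protects. The sketch below is an added example, not code from the original post: it unfolds the headers, pulls the tags out of the DKIM-Signature header shown above, and reports the signing choices worth revisiting. The function names and the EXPECTED_SIGNED policy are assumptions made for the example.

```python
import re

# Constructed sample: the DKIM-Signature header from the message above,
# with the z= copy omitted and the b= signature replaced by a placeholder.
RAW = (
    "Subject: Visit to Cincinnati\r\n"
    "DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=13058; s=jp052013;\r\n"
    "\tt=1415492845; c=relaxed/simple;\r\n"
    "\th=From:To:Subject;\r\n"
    "\td=josephdpurcell.com; i=mailman@josephdpurcell.com;\r\n"
    "\tbh=RbEuQ4MJ1DecWkdkZWtIHO9sSHs=;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "Date: Sun, 9 Nov 2014 00:27:25 +0000\r\n"
    "\r\n"
    "body\r\n"
)

# Assumed local policy (not from the page): headers we expect h= to cover.
EXPECTED_SIGNED = {"from", "to", "subject", "date"}

def dkim_tags(raw_message):
    """Return the tag=value pairs of the first DKIM-Signature header."""
    headers = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # undo header folding
    for line in unfolded.split("\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
            return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    return {}

def audit(tags):
    """Return (tag, reason) pairs for signing choices worth fixing."""
    findings = []
    if tags.get("a", "").lower() == "rsa-sha1":
        findings.append(("a", "RFC 8301 forbids rsa-sha1; sign with rsa-sha256"))
    if "l" in tags:
        findings.append(("l", "body length limit: anything appended after "
                              f"{tags['l']} bytes is not covered"))
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    missing = sorted(EXPECTED_SIGNED - signed)
    if missing:
        findings.append(("h", "headers not signed: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for tag, reason in audit(dkim_tags(RAW)):
        print(f"{tag}=: {reason}")
```

For the header above this reports the a=, l= and h= tags: the SHA-1 algorithm, the body length limit, and the Date header being left out of the signed set.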

 

SPF Record

SPF is just a TXT DNS record. You don't need to do anything on your server.
Microsoft had a great tool here:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

but it no longer works. People are complaining about it here: http://answers.microsoft.com/en-us/outlook_com/forum/oemail-osend/status-of-sender-id-framework-spf-record-wizard/a73da814-b99a-41c9-8281-5bd7239d3841

Instead, here are two wizards I found (but haven't used):
http://www.spfwizard.net/
http://spfwizard.com/

You might have to do some research to know what the inputs should be, but they should be comparable to the ones for josephdpurcell.com. You can see what mine is by using a validator:

http://tools.bevhost.com/spf/ (link no longer works, use https://mxtoolbox.com/spf.aspx instead)

Here is an image of my SPF validation:

Oct 2021 update: "PTR" should not be used: https://fundamental.marketing/email-deliverability/why-should-i-not-use-a-ptr-mechanism-in-my-spf-records/
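
A quick local check for the "ptr" problem and a few related SPF mistakes, before the record goes into DNS. This is an added example, not part of the original post; the function name is an assumption, and the sample records are constructed with documentation addresses rather than taken from josephdpurcell.com.

```python
import re

# Terms that trigger a DNS query during evaluation; RFC 7208 allows at most 10.
# Only this record's own terms are counted; each include adds its own on top.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record):
    """Return (code, reason) findings for one SPF TXT record value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("version", "record does not start with v=spf1")]
    findings, lookups, terminated = [], 0, False
    for term in terms[1:]:
        # A mechanism without a qualifier behaves as if it had "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("ptr", "RFC 7208 says ptr should not be published; "
                                    "list the sending hosts with ip4/ip6/a/mx"))
        if name == "all":
            terminated = True
            if qualifier == "+":
                findings.append(("+all", "every host on the internet passes"))
        if name == "redirect":
            terminated = True
    if lookups > 10:
        findings.append(("lookups", f"{lookups} DNS-querying terms; limit is 10"))
    if not terminated:
        findings.append(("no-all", "no all mechanism or redirect; unmatched "
                                   "senders get a neutral result"))
    return findings

# Constructed records (documentation addresses, not the author's real record).
WEAK = "v=spf1 mx ptr ip4:192.0.2.10 +all"
TIGHT = "v=spf1 mx ip4:192.0.2.10 -all"

if __name__ == "__main__":
    for record in (WEAK, TIGHT):
        print(record, "->", [code for code, _ in lint_spf(record)] or "ok")
```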
