
DKIM is easy

Hello.

I want to share my little experience of bolting DKIM (DomainKeys Identified Mail) onto my domain and mail server.

We have:
Task:

Let's start from the beginning: what is DKIM, and what does our mail system need in order to send DKIM-signed mail?

From the description of DKIM on Wikipedia:
DomainKeys Identified Mail is an e-mail authentication method.
DomainKeys Identified Mail (DKIM) technology combines several existing anti-phishing and anti-spam methods in order to improve the quality of the classification and identification of legitimate e-mail. Instead of the traditional IP address, DKIM identifies the sender of a message by adding to it a digital signature tied to the organization's domain name. The signature is verified automatically on the recipient's side, after which whitelists and blacklists are used to determine the sender's reputation.
DomainKeys uses domain names to authenticate senders. DomainKeys uses the existing Domain Name System (DNS) to distribute public encryption keys.

To work with DKIM we need:
  1. DKIM support in the mail server, so that outgoing mail gets signed;
  2. A pair of private and public keys;
  3. The DNS records in the domain that publish the public key and announce DKIM support.

Mail-server support is the easy part: hMailServer version 5.1 can sign outgoing correspondence with a key.

Now we need a way to create the private/public key pair. After trying several options, I settled on the web utility of the port25.com service, which, besides generating the keys, also prints a hint for the DNS record:
www.port25.com/support/support_dkwz.php
Keep in mind that a key pair produced by someone else's web service has passed through their server, so you are trusting them not to keep a copy of the private key; for a production domain it is better to generate the pair locally (see the OpenSSL note at the end of the post).

A small explanation about the "domain selector" field. The selector lets you publish several DKIM keys under one domain for different needs (for example, one per mail server, or the old and the new key side by side during rotation). Some selector is always required, because the verifier looks up the key at <selector>._domainkey.<domain>; since I have only one mail server and no need to distinguish keys, I simply chose "mail" as the selector.

Save the obtained private key on the server in a folder the mail server can read (and, ideally, nothing else can: whoever holds this file can sign mail as your domain). The public key does not need to be saved as a file at all; it is only needed to create the DNS record. In the domain configuration in hMailServer, specify the path to the private key file and the chosen selector (remember, I took "mail").

In the DNS zone file, we need records like these (the value itself is plain "k=rsa; t=s; p=..."; some DNS control panels and zone-file editors require the semicolons to be escaped as "\;", which is where the backslashes in such listings come from):
_domainkey.example.com. TXT "t=s; o=~;"
mail._domainkey.example.com. TXT "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQmO9AuWRbWPgl/jzDPQodrLfFLFqYYi6bCBnsTOCOJQrFbGgiR1C01j4zLw8XgG3rQ0WAaeg6Z/y39Ah7IONfs5gQuK6eGZMmYwIsZyz2dQoUDmDLCb1WygpkrqsCbyPw3SWGihM4iChOwo7Ovo2mTOWOf5ejeZcP2qqNb9nRMQIDAQAB"

Here "mail" before _domainkey in the second record is nothing other than our chosen selector, and the long string after "p=" is our public key (the base64 body of the public-key PEM file with the BEGIN/END lines and line breaks removed). The second record is the one DKIM verifiers actually fetch; the first one is the older DomainKeys (RFC 4870) policy record and DKIM does not need it. RFC 6376 also recommends starting the value with "v=DKIM1;". The "t=s" flag tells verifiers that the signing domain in "d=" must match the identity domain in "i=" exactly, with no subdomains allowed.

That seems to be all. Now let's send a message from our mail server to Gmail, since it is known for certain that Gmail checks DKIM. Open the raw source of the received message in Gmail and look for the cherished lines:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of example@example.com designates 123.123.123.123 as permitted sender) smtp.mail=example@example.com; dkim=pass header.i=@example.com

Congratulations on conquering DKIM))), and I wish you the same. Good luck.

UPD: To get a key pair without relying on external services, you can use OpenSSL (on Windows the binary is openssl.exe; the arguments are the same):
openssl genrsa -out tstpriv.pem 1024 - generate the private key (1024 is the key length in bits; today choose 2048, since RFC 8301 requires DKIM signers to use at least 1024-bit RSA keys and recommends 2048-bit ones, and it also retires rsa-sha1 in favour of rsa-sha256).
openssl rsa -pubout -in tstpriv.pem -out tstpub.pem - derive the public key from the private one; the base64 between the BEGIN/END lines of tstpub.pem is the value for the "p=" tag.

Thank you lorc for the addition.
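As an added illustration (my own code, not from the original post, hMailServer or port25), here is the key-pair and DNS-record step from the port25/OpenSSL sections together with the verifier's side of it, in Go using only the standard library. It generates an RSA key as "openssl genrsa" would, builds the TXT value for <selector>._domainkey.<domain>, parses that value back the way a receiving server does (splits the tags, decodes "p=" into a public key, flags keys shorter than 2048 bits, rejects an empty "p=" or an unknown version), and finally signs a SHA-256 digest with the private key and verifies it with the key recovered from the record, which is the RSASSA-PKCS1-v1_5 operation DKIM's rsa-sha256 uses. The domain example.com and the selector mail are the ones used above; the signed string is a placeholder for the canonicalized headers that real DKIM signs (header canonicalization and the body hash from RFC 6376 are not implemented here).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DKIMRecord builds the TXT value to publish at <selector>._domainkey.<domain>.
// v=DKIM1 and k=rsa are the RFC 6376 tags; p= is the base64 of the PKIX
// (SubjectPublicKeyInfo) encoding, the same bytes "openssl rsa -pubout" writes
// between the BEGIN/END lines. strict adds t=s (no subdomain identities).
func DKIMRecord(pub *rsa.PublicKey, strict bool) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	tags := []string{"v=DKIM1", "k=rsa"}
	if strict {
		tags = append(tags, "t=s")
	}
	tags = append(tags, "p="+base64.StdEncoding.EncodeToString(der))
	return strings.Join(tags, "; "), nil
}

// ParseDKIMRecord does what a verifier does with the TXT value it fetched:
// split the tag=value pairs, check v= and k=, decode p= into an RSA public key.
func ParseDKIMRecord(txt string) (map[string]string, *rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2) // base64 "=" padding stays in the value
		if len(kv) != 2 {
			continue // trailing ";" or empty field
		}
		tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return tags, nil, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return tags, nil, fmt.Errorf("unsupported key type %q", k)
	}
	p := tags["p"]
	if p == "" {
		return tags, nil, errors.New("empty p= tag: key revoked or record broken")
	}
	// Long TXT records come back split into several strings; whitespace
	// inside p= is therefore common and is ignored.
	p = strings.Join(strings.Fields(p), "")
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return tags, nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return tags, nil, fmt.Errorf("p= is not a PKIX public key: %w", err)
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return tags, nil, errors.New("p= is not an RSA key")
	}
	return tags, pub, nil
}

// KeyWeak reports keys below the 2048 bits RFC 8301 recommends for signers.
func KeyWeak(pub *rsa.PublicKey) bool { return pub.N.BitLen() < 2048 }

// SignVerifyRoundTrip plays both sides: the mail server signs with its private
// key, the verifier checks with the key it parsed out of the DNS record.
// DKIM's rsa-sha256 is RSASSA-PKCS1-v1_5 over a SHA-256 digest.
func SignVerifyRoundTrip(priv *rsa.PrivateKey, txt string, data []byte) error {
	_, pub, err := ParseDKIMRecord(txt)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // what "openssl genrsa 2048" produces
	txt, _ := DKIMRecord(&priv.PublicKey, true)
	fmt.Printf("mail._domainkey.example.com. TXT \"%s\"\n", txt)
	tags, pub, err := ParseDKIMRecord(txt)
	fmt.Println("t=", tags["t"], "bits:", pub.N.BitLen(), "weak:", KeyWeak(pub), "err:", err)
	// Placeholder for the canonicalized headers a real signer would hash.
	fmt.Println("round trip:", SignVerifyRoundTrip(priv, txt, []byte("constructed canonicalized headers")))
}
```

To check a record you have already published, feed the output of "dig +short TXT mail._domainkey.example.com" (quotes removed, the pieces of a split string joined) to ParseDKIMRecord: an empty p= means the key is revoked, and a p= that fails to decode usually means a character was lost while pasting the key into the DNS panel, which is exactly the kind of mistake that turns into a DKIM failure on the Gmail side.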

UPD 2: A small addition from nshopik:
It is also possible to publish an ADSP record for the domain (RFC 5617); this lets the receiving server understand whether your mail should be signed or not.
The record looks like this:
_adsp._domainkey.example.com. TXT "dkim=all"

There are three dkim values:


UPD 3: Update from tolik89u:
ADSP from RFC 5617 is already marked HISTORIC, because the technology "did not take off". Instead, DMARC is now used, and it is widely deployed: tools.ietf.org/html/rfc7489.

Source: https://habr.com/ru/post/106589/
