Tips & tricks for installing and running ICS products

DKIM deployed on my mail servers

Tom Bosmans  16 June 2017 10:40:42
After moving my server to a new physical box (and a new IP address), some of the larger, more difficult mail systems started rejecting mail from my domains.
Google was OK with my mails, although not ecstatic, but Yahoo and especially Microsoft apparently considered my systems dangerous.

I googled around, found a lot of crap information, but resolved the issue and improved my mail setup in the end.  It turned out that I should be using TLS (for secure SMTP) and DKIM (DomainKeys Identified Mail - http://dkim.org/ ).


The bad stuff


- There are a lot of links advising you to use Return Path (among others here :  https://blog.returnpath.com/google-is-failing-your-perfectly-good-dkim-key-and-why-thats-a-good-thing/)
Don't invest time here.  It's a service for spammers, I would say (they call it "email marketing").  You need to register and likely never get a response anyway.  
- Domino does not support DKIM natively, and likely never will (http://www-01.ibm.com/support/docview.wss?uid=swg21515751)
- Microsoft (with all their domains - hotmail.com, outlook.com, ...) is very tricky
- Yahoo is difficult as well, but should you care ?  You shouldn't be using Yahoo mail anyway these days.
- MailScanner breaks DKIM, so requires changes in the configuration (the problem being that it
It's a little tricky to find out all the details, because most test tools report that "DKIM is working" while Google still complains ....
- Postfix works with Let's Encrypt certificates, but again, the information on the internet is sometimes incorrect or incomplete at best.
- DKIM relies on DNS configuration, and that can be tricky (depending on your DNS provider or your DNS server).  A typical trap: the public part of a 2048-bit key does not fit in a single 255-byte TXT string, so the record has to be entered as several quoted strings, and not every provider's web form handles that.

The good information


- Postfix supports DKIM through the opendkim milter add-on (http://www.opendkim.org/)
- testing DKIM can be done using a tool like this  : http://www.appmaildev.com/en/dkim  
Very handy, fast, easy, no registration.
- the proof is in the pudding, and sending mail to gmail.com (Google) actually shows the information nice and tidy.
- Let's Encrypt and Postfix work together nicely once the setup is done correctly.


Let's get to work


So what I had to do, in a nutshell :


  • Change my Domino configuration so that outgoing mail is also sent through Postfix.  This is as simple as setting the "Relay host for messages leaving the local internet domain".
    This is necessary so that opendkim can sign the outgoing mails from Domino as well: opendkim only sees the mail that passes through Postfix.
    Relay host for messages leaving the local internet domain: mail.gwbasics.be



  • Configure Postfix - add the milter for DKIM (and configure TLS with Let's Encrypt) in main.cf
  • Configure MailScanner - apply the settings in its configuration file whose comments mention DKIM.
  • Configure opendkim (generate the keys)
  • Configure DNS (create a new TXT record for the key you created.  In general you can use the selector "default", so you need a record for default._domainkey.<yourdomain>.)
  • Verify your key using opendkim-testkey
  • Test the DNS entry (e.g. using http://dkimcore.org/tools/keycheck.html , or using host, e.g. host -t txt default._domainkey.gwbasics.be)
  • Test the mails you send out (use  http://www.appmaildev.com/en/dkim  ).  Or use Gmail to check.
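The steps above, scaffolded as one script.  This is an added example, not the author's own configuration: the domain, selector, mail host and Domino IP are placeholders, the paths assume the usual Debian layout (/etc/opendkim, /etc/letsencrypt/live/<host>), and the base64 key at the end is a constructed stand-in for the p= value that opendkim-genkey writes.  It writes the OpenDKIM files to a scratch directory, prints the Postfix settings instead of applying them, and builds the DNS TXT record with the 255-byte split that a 2048-bit key needs.

```shell
#!/bin/sh
# Added example (not the author's scripts): scaffolds the OpenDKIM, Postfix and
# DNS pieces of the procedure for one signing domain.
# Assumptions: DOMAIN, SELECTOR, MAILHOST and DOMINO_IP below are placeholders.
set -eu

DOMAIN="${DOMAIN:-example.com}"          # signing domain (placeholder)
SELECTOR="${SELECTOR:-default}"          # "default" as in the text; change it to rotate keys
MAILHOST="${MAILHOST:-mail.example.com}" # name on the Let's Encrypt certificate
DOMINO_IP="${DOMINO_IP:-192.0.2.10}"     # Domino box relaying through Postfix (TEST-NET placeholder)
# Scratch directory for the demo; point this at /etc/opendkim on a real box.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# 1. OpenDKIM: sign mail from trusted hosts, verify everything else (Mode sv).
#    The Domino relay must be in TrustedHosts, otherwise its mail is only
#    verified, never signed, and the "Relay host" change in Domino buys nothing.
write_opendkim_config() {
  mkdir -p "$CONF_DIR/keys/$DOMAIN"
  cat >"$CONF_DIR/opendkim.conf" <<EOF
Syslog                  yes
UMask                   002
Mode                    sv
Canonicalization        relaxed/simple
OversignHeaders         From
KeyTable                file:$CONF_DIR/KeyTable
SigningTable            refile:$CONF_DIR/SigningTable
InternalHosts           file:$CONF_DIR/TrustedHosts
ExternalIgnoreList      file:$CONF_DIR/TrustedHosts
Socket                  inet:8891@localhost
EOF
  # KeyTable: <key name> <domain>:<selector>:<private key path>
  printf '%s._domainkey.%s %s:%s:%s/keys/%s/%s.private\n' \
    "$SELECTOR" "$DOMAIN" "$DOMAIN" "$SELECTOR" "$CONF_DIR" "$DOMAIN" "$SELECTOR" \
    >"$CONF_DIR/KeyTable"
  # SigningTable (refile: = wildcard patterns): every sender in the domain uses that key
  printf '*@%s %s._domainkey.%s\n' "$DOMAIN" "$SELECTOR" "$DOMAIN" >"$CONF_DIR/SigningTable"
  printf '127.0.0.1\n::1\nlocalhost\n%s\n' "$DOMINO_IP" >"$CONF_DIR/TrustedHosts"
}

# 2. Postfix: hook the milter into SMTP and local submission, and use the
#    Let's Encrypt *fullchain* (cert.pem alone sends an incomplete chain, one of
#    the "incorrect or incomplete" recipes found online).
postfix_settings() {
  cat <<EOF
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = \$smtpd_milters
smtpd_tls_cert_file = /etc/letsencrypt/live/$MAILHOST/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/$MAILHOST/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
EOF
}

# 3. DNS: build the TXT record for <selector>._domainkey.<domain> from the base64
#    public key (the p= value in the .txt file opendkim-genkey writes). A single
#    TXT string holds at most 255 bytes, so the record is split into quoted chunks.
dkim_txt_record() {
  sel="$1"; dom="$2"; rest="v=DKIM1; k=rsa; p=$3"
  printf '%s._domainkey.%s. IN TXT (' "$sel" "$dom"
  while [ -n "$rest" ]; do
    chunk=$(printf '%s' "$rest" | cut -c1-255)
    rest=$(printf '%s' "$rest" | cut -c256-)
    printf ' "%s"' "$chunk"
  done
  printf ' )\n'
}

write_opendkim_config
echo "# wrote OpenDKIM config under $CONF_DIR"
echo "# add to /etc/postfix/main.cf (or feed each line to postconf -e):"
postfix_settings
# Constructed placeholder standing in for a real 2048-bit key's p= value (~392 chars):
FAKE_P=$(printf '%392s' '' | tr ' ' 'A')
dkim_txt_record "$SELECTOR" "$DOMAIN" "$FAKE_P"
# On the real box, after: opendkim-genkey -b 2048 -d $DOMAIN -s $SELECTOR -D $CONF_DIR/keys/$DOMAIN
#   opendkim-testkey -d $DOMAIN -s $SELECTOR -vvv   # checks the published record against the private key
#   host -t txt $SELECTOR._domainkey.$DOMAIN         # shows what the rest of the world sees
```

Once opendkim-testkey reports the key as OK and a message to a Gmail address shows "signed-by", the remaining failures are almost always MailScanner rewriting something after the signature was applied, not the key itself.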



Use Gmail to check your settings


Gmail can show these details by default.  
Next to "to me", click the dropdown button.
If you have set up DKIM correctly, it will show a "signed-by" line.  You can see the TLS information here as well.
Image:DKIM deployed on my mail servers
Additionally, you can also go to "Show original"
Image:DKIM deployed on my mail servers
This shows the source of the email, with a summary header that contains the important information.
As you can see, it shows that DKIM has PASS.  If it says anything else here, you need to go back to the drawing board.
Image:DKIM deployed on my mail servers

This can contain more results, by the way.  If you use DMARC as well, it shows up here too.  For my domain, you see the SPF result.
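The same check, scripted.  This is an added example and not part of the original post: it pulls the per-method verdicts out of the Authentication-Results header that "Show original" displays, so a test mailbox can be checked without reading the raw source by eye.  The message is constructed for the demo; its header follows the shape Gmail produces (authserv-id, then method=result pairs separated by semicolons, folded over several lines).

```shell
#!/bin/sh
# Added example (not from the original post): extract dkim/spf/dmarc verdicts
# from the Authentication-Results header of a raw message on stdin.
set -eu

# Unfold the header block, keep only Authentication-Results header(s), strip the
# authserv-id, and print one "method=result" per line.
auth_results() {
  awk '
    /^$/ { exit }                                  # blank line ends the header block
    /^[ \t]/ { if (keep) buf = buf " " $0; next }  # folded continuation line
    { if (keep) print buf; keep = 0 }
    tolower($0) ~ /^authentication-results:/ { keep = 1; buf = $0 }
    END { if (keep) print buf }
  ' | sed 's/^[Aa]uthentication-[Rr]esults:[^;]*;//' \
    | tr ';' '\n' | sed -n 's/^[[:space:]]*\([a-z]*=[a-z]*\).*/\1/p'
}

# Verdict for one method (dkim, spf, dmarc) in message $2; "absent" if the
# header does not mention the method at all (distinct from the real result "none").
verdict() {
  r=$(printf '%s\n' "$2" | auth_results | sed -n "s/^$1=//p" | head -n 1)
  printf '%s\n' "${r:-absent}"
}

# Constructed sample, shaped like what Gmail shows under "Show original".
SAMPLE='Delivered-To: someone@gmail.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=default header.b=abc123;
       spf=pass (google.com: domain of tom@example.com designates 192.0.2.25 as permitted sender) smtp.mailfrom=tom@example.com
From: Tom <tom@example.com>
Subject: test

body'

for m in dkim spf dmarc; do
  printf '%s: %s\n' "$m" "$(verdict "$m" "$SAMPLE")"
done
```

Anything other than dkim=pass means the signature or the published key is wrong; dkim=fail with a "body hash did not verify" comment points at something (MailScanner, a disclaimer filter) changing the body after opendkim signed it.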


Microsoft's domains



Once you're certain DNS is set up correctly and you're not an open relay, you can contact Microsoft directly to have your mail server(s) unblocked here :

https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=636329734561893294

This works for hotmail.com, outlook.com and the other Microsoft domains at once.

This took only a few hours in my case.