How To Implement and Set Up DomainKeys Identified Mail (DKIM) on hMail Server

Posted in email by Personalife on August 20th, 2009

We recently moved from using Magic Winmail as our mail server to hMailServer since it was more cost effective (as in free) and had more features. One of these features is DKIM, or DomainKeys Identified Mail, which, if enabled, improves the deliverability of our e-mails. Here’s how I set mine up:

1. Generate the public and private keys. You need OpenSSL to do this.

> openssl genrsa -out private.key 1024
> openssl rsa -in private.key -pubout -out public.key

2. Enter the corresponding TXT records into your DNS for your domain. For example, my domain is journal.suteki.nu. I would do the following in my DNS:

_domainkey.journal.suteki.nu  IN TXT  t=y; o=-;
_adsp._domainkey.journal.suteki.nu  IN TXT dkim=all
[selector]._domainkey.journal.suteki.nu  IN TXT  g=*; k=rsa; p=[public_key]

Where [selector] is the name of your selector (eg ‘mail’), and [public_key] is your key from your public.key file generated from #1. Just make up something for [selector] and keep note of it.

An example would be

_domainkey.journal.suteki.nu  IN TXT  t=y; o=-;
_adsp._domainkey.journal.suteki.nu  IN TXT dkim=all
mail._domainkey.journal.suteki.nu  IN TXT  g=*; k=rsa; p=bNJOPhYuAAxTdO0PNGiKSL9rLLdDBuj3q0Rpa3pg2r/oNTONqGSIb3DQ8mz16NbSSSs5YcBkKTRDunxOFP0UtEmZJMQk0yERL1jEg86l8ZDmOckldH5EWIhsnbDjGh1fxT5ku7cXjtKwIDAQABMIGfMA0GCSqADCBaku0mO6bbcm/mEfnBKov3otig6iPXiQKBgQDxdpMEBAQUAA4GNEdKCn

Note: That’s a made up public key :P
Note 2: The t=y is a testing flag. You will want to remove this once you’ve verified your keys work.
Note 3: It will take up to one day for your DNS records to propagate. Do not be frustrated if the tests come up negative within the first 10 minutes of filling in the records!

3. Set up DKIM in hMailServer for a domain.

Open up your hMailServer administrator and go to the domain you want to enable DKIM for. For the private key file, select the private.key you generated in #1. In the selector field, enter the [selector] you chose in #2.

For signing algorithm, choose either SHA1 or SHA256. I went with SHA1 so our server resources do not get consumed as much when signing the e-mails. The config should look something like this:

[Screenshot: DKIM configuration]

Save the config. Your domain is now set up for DKIM.

4. Send a test e-mail from one of your accounts in the domain.

I sent a test-email from an account I created, test@journal.suteki.nu, to one of my accounts on gmail. When it arrived in gmail, I checked the headers:

What you want to check for is the Authentication-Results line and the dkim-signature block in the headers. A successful one looks like this:

Authentication-Results: mx.google.com; dkim=pass header.i=@journal.suteki.nu
dkim-signature: v=1; a=rsa-sha1; d=journal.suteki.nu; s=mail;
	c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	bh=/edzoYuyn17WXm8KeqcX/R+khdQ=;	b=0cnc21MgZMy9suqAgFPlA5OqD5fpFmuGoK+UYlf9zvqPwRgRgjb6OP+VwjwYE2AVxhdVRdX8nEdQ0XnUht45SQHKh78dCXK+UiS7x6qE2haLrZi7CHvs6qp8otQdkcLBrYF0Z95Blp1Vh9BHvQFodNdwJUhgp9u/BoZH/Gq8xx0=

While an unsuccessful one might (might as in I haven’t determined if this is considered invalid, but this is what it first looked like for me) look like:

Authentication-Results: mx.google.com; dkim=neutral (no key) header.i=@journal.suteki.nu
dkim-signature: v=1; a=rsa-sha1; d=journal.suteki.nu; s=mail;
	c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	bh=/edzoYuyn17WXm8KeqcX/R+khdQ=;	b=h9BHvQFodNdw0cnc21MgZMy9suqAgFPlA5OqD5fpFmuGoK+UYlf9zvqPwRgRgjb6OP+VwjwYE2AVxhdVRdX8nEdQ0XnUht45SQHKh78dCXK+UiSp8otQdkcLBrYF0Z95Blp1V7x6qE2haLrZi7CHvs6qJUhgp9u/BoZH/Gq8xx0=
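As an added example (not from the post or from hMailServer), the script below models the lookup Gmail performs in step 4: it parses the DKIM-Signature tags, fetches `s._domainkey.d` from a constructed stand-in for the step-2 zone, and reports the same "neutral (no key)" outcome when that selector record is absent or not yet propagated. The zone dictionary, the `p=` value and the shortened `b=` value are constructed placeholders.

```python
"""Offline cross-check of a DKIM-Signature header against published TXT records."""
import base64
import re

# Constructed zone data standing in for the live DNS records of step 2.
# "t=y; o=-;" is the legacy DomainKeys policy record the post publishes;
# the DKIM key record itself may also carry a t=y testing flag.
ZONE = {
    "_domainkey.journal.suteki.nu": "t=y; o=-;",
    "_adsp._domainkey.journal.suteki.nu": "dkim=all",
    "mail._domainkey.journal.suteki.nu": "g=*; k=rsa; p="
    + base64.b64encode(b"constructed placeholder, not a real key").decode(),
}

# The header from step 4, with b= shortened (constructed, not a real signature).
SIGNATURE = (
    "dkim-signature: v=1; a=rsa-sha1; d=journal.suteki.nu; s=mail; "
    "c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To; "
    "bh=/edzoYuyn17WXm8KeqcX/R+khdQ=; b=0cnc21MgZMy9suqAgFPlA5Oq"
)


def parse_tags(text):
    """Split a DKIM tag=value list (RFC 6376 tag-list) into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # values may be folded
    return tags


def check_signature(header, zone):
    """Return (verdict, notes) describing what a verifier would find in DNS."""
    sig = parse_tags(header.split(":", 1)[1])
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in sig]
    if missing:
        return "permfail", ["signature lacks required tags: " + ",".join(missing)]
    name = f"{sig['s']}._domainkey.{sig['d']}"
    record = zone.get(name)
    if record is None:  # exactly the "dkim=neutral (no key)" case in step 4
        return "neutral (no key)", [f"no TXT record found at {name}"]
    key = parse_tags(record)
    if key.get("k", "rsa") != "rsa" or not key.get("p"):
        return "permfail", ["key record has no usable RSA p= value"]
    try:
        base64.b64decode(key["p"], validate=True)
    except ValueError:
        return "permfail", ["p= is not valid base64"]
    notes = []
    policy = parse_tags(zone.get(f"_domainkey.{sig['d']}", ""))
    if "y" in key.get("t", "").split(":") or policy.get("t") == "y":
        notes.append("t=y testing flag still published; remove it once signing works")
    if "From" not in sig["h"].split(":"):
        notes.append("h= must include From for the signature to be meaningful")
    return "key found", notes
```

Delete the `mail._domainkey...` entry from `ZONE` to reproduce the unsuccessful header above.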

Hope that helps! See the links below for more information and a way to test and fine-tune your configuration.

Links:
Domainkeys for Postfix – Started with this guide
DKIM flags – understand what the flags are that we used above.
DKIM generator – Generates your private/public key and gives you the DNS info necessary to make DKIM work! You can skip Step #1 with this.
DKIM Tools – Verify your DNS DKIM records.
Author Domain Signing Practices (ADSP) – Understand what the _adsp record is for.

6 Comments »

  1. Hello,

    In Gmail everything works great.

    In Yahoo I get this: domainkeys=neutral (no sig); from=domain.com; dkim=pass (ok) and my mail is a SPAM.

    How can I fix this ?

    Thanks

    Comment by Lucian — September 7, 2009 @ 9:55 pm

  2. I need full headers to understand the cause better. I did a quick search on Google:

    http://www.google.com/#hl=en&q=%22domainkeys%3Dneutral+%28no+sig%29%22+yahoo+spam&aq=f&aqi=&aq=&aqi=&aq=&aqi=&aq=&aqi=&aq=f&aqi=&oq=&fp=3aa7f458acaa2672

    And it seems to be a common Yahoo issue. Also know that DKIM is not necessarily domainkeys. Domainkeys is the precursor to DKIM, so it might not even matter that this is present. Other things to check for:

    - If you have an MX record for the server you’re sending from
    - If you have a PTR record for the IP of the server you’re sending from that matches the domain you’re using (ie if your mail is coming from 123.234.192.34 from the domain test.com, then you might want a PTR record on 123.234.192.34 for test.com; not everyone has the ability to set a PTR, though)
    - If you have an SPF record set for the server you’re sending from which says that the IP is OK to send out emails under a particular domain.

    Comment by Personalife — September 7, 2009 @ 11:09 pm

  3. Hi,

    My domain name registrar doesn’t allow adding more than 1 line in the TXT record.

    Is it possible to put the 3 TXT lines into 1 line?

    Thanks,
    Avi

    Comment by Avi — February 17, 2010 @ 4:35 am

  4. Unfortunately, none that I know of. It’s one TXT record / key.

    Comment by Personalife — February 17, 2010 @ 2:31 pm

  5. Everyone publishes how to generate a private key under unix/linux systems, but no one says how to generate one under Windows Server operating systems. That’s where I’m stuck.

    Any help there?

    Comment by Paul G — March 16, 2010 @ 10:00 am

  6. Don’t even need to generate one in windows. Just follow the links at the end of the post, which generates one for you.

    Comment by Personalife — March 27, 2010 @ 6:46 pm
