Domainkeys to DKIM - possible? how to?

[morrow95]

I currently have spf and domain keys enabled for all my site accounts and would like to 'upgrade' to DKIM. From what I have found this is not supported directly by cpanel/whm.

I have found information about something called dkimproxy and have also noticed I have a Mail::DKIM module installed on my server. So, what is the easiest route to go without having issues and without any automated upgrades wiping away my changes?

Do I install DKIM alongside of domainkeys or do I replace it with? It seems as though if I have DKIM installed then domain keys will pass/not be needed sort of like how spf will also pass for sender id.

If anyone could point me to some good info I would appreciate it. I have searched and searched, but have yet to find the best and/or clear way of how to go about it.

For the record I have about 50 some sites between a few ips all of which use my main server ip though for spf validation...

 

[jdfalk]

There's really no good reason to sign with DomainKeys anymore -- hasn't been for years. DKIM is the replacement, and all domain authentication work is being done with DKIM now.

The most common implementation is OpenDKIM. Googling around a bit, I found these instructions for using OpenDKIM with cPanel: http://techinterplay.com/enabled-dkim-cpanel-server.html.

 

[morrow95]

thanks for the reply...

I actually have that page bookmarked from when I was searching the net about this. The problem lies in ...

1 - It doesn't show how to do this for multiple sites? In other words, can I just use a comma list for dkim_domain=your_domain_name.com for all my domains? One person listed using dkim_domain=$sender_address_domain instead for multiple...?

2 - mail._domainkey.rosesource.com.? I'm guessing .rosesource.com isn't needed when adding to the dns?

3 - Can I keep my domain keys setup or do I need to remove domain keys for all the domains?

4 - Does it get removed when there are automatic updates?

 

[morrow95]

Well, after removing domain keys from the sites I followed the instructions given in the earlier post. Everything went smooth, restarted exim and named, then sent out a test email. No signature. I sent to test emails as well as my own gmail account - nothing - gmail puts it right into the spam folder.

I first used dkim_domain=$sender_address_domain in exim as I have multiple domains... I then changed this to a specific site and neither did the trick.

Is there something I'm missing here or does anyone have any suggestions? Really need to get this up and working!

 

[morrow95]

well now it is sending the signature... perhaps dns needed a few moments... but now when sending a test email I get :

result = fail
Details: body has been altered

Anyone?

 

[cPanelTristan]

Where are you sending it to be tested where it is showing this failure result?

 

[morrow95]

hey Tristan, thanks for the response and help...

I followed the instructions at How to enable DKIM in cPanel server. | techinterplay and was using the test they mention at Brandon Checketts which is giving the body has been altered response...

 

[morrow95]

For whatever reason it appears to be working now... just tried sending to my gmail account in both plain text and html and it works... and tried the again test on that website and it works too...

weird... whatever was happening it works now and I'm happy with that! Hope others can find the install listed below helpful!

 

[morrow95]

Well, I added the dns stuff to the rest of my sites... I have been testing them by sending email to a gmail account of mine. For whatever reason only one account goes into my gmail inbox... the rest of my sites go directly to gmails spam folder.

I viewed the original source of one of the emails and it appears to pass fine and looks exactly like the one which works correctly... I can't figure this one out... here is a snippet from an email that goes to gmails spam folder :

Received-SPF: pass (google.com: domain of [email protected] designates xx.xxx.xxx.xxx as permitted sender) client-ip=xx.xxx.xxx.xxx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates xx.xxx.xxx.xxx as permitted sender) [email protected]; dkim=pass [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mysite.com; s=mail; h=Message-ID:Date:From:MIME-Version:
To:Subject:Content-Type:Content-Transfer-Encoding; bh=(the key goes here)

Everything looks exactly the same as the one which goes to the inbox minus the fact the domain is different... why the heck is this going to the spam folder in gmail!?

 

[cPanelTristan]

At this point, you'll have to ask gmail why they are doing this for the other domain:

https://mail.google.com/support/bin/answer.py?answer=17205

Gmail is the only source that can explain why they are filtering the domain in that manner, especially since they are passing the other domain from the same machine and not this one.

 

[jdfalk]

Everything looks exactly the same as the one which goes to the inbox minus the fact the domain is different... why the heck is this going to the spam folder in gmail!?

DKIM isn't a free pass past the spam filters (and it was never intended to be.) Google still looks at other features of the message, and other sending practices. What a DKIM signature does do is give Google (and other mailbox providers who verify DKIM) a reliable identifier, the d= string, to use when calculating reputation or other sending characteristics.

Over time, Google's system will see that messages with that d= string are not reported as spam by Gmail users, so they'll get placed in the inbox instead.

A couple of good articles on domain reputation:

Searching for Truth in DKIM, part 3 of 5
Domain Reputation: What It Means for Email Senders

 

[k-planethost]

google is the best free mailserver even if the ip is blacklisted they send the emails.
also if the domain keys and spf are disabled for a domain they dont blacklist the ip
contact gmail for this issue
yahoo is useless in this case
when cPanel/WHM rebuilds exim, the edits to the exim.conf may be wiped out. You will want to create a backup copy of your edited exim.conf. Then you can create a script (bash/perl/etc) at /scripts/postupcp to copy your custom config back after a cPanel upcp is run.
or You can try setting up attributes (chattr +iA /etc/exim.conf) to avoid the configured from wiping out in the next rebuild.
or wait until cpanel implement dkim on following versions

 

[vanessa]

I've just written an updated tutorial on enabling DKIM on a server with multiple domains:

Using DKIM with Exim and cPanel :: The cPanel Admin

Cpanel developers said that this should be in 11.32, but the above workaround implements dkim flawlessly and can be used until this support is introduced into cPanel.