User Guide - Dkim and Dk-milter (Domain Keys for Mail Service)


Applicable Plans: All Standard VPS, Advanced VPS, and Premier VPS Plans

Dkim and Dk-Milter are commonly used implementations of DomainKeys, an authentication scheme which stores public keys in DNS and digitally signs emails sent by a domain. Use of Domain Keys helps combat fraud because it is more difficult to send emails with a spoofed domain. Many large mail providers such as Yahoo!, Hotmail, and Google use Domain Keys. These email providers will take into account whether or not DomainKeys is being used by the sender when determining whether to deliver a message to the SPAM or “bulk mail” folder versus the Inbox. The use of DomainKeys will not guarantee your sent mail will not be directed to the SPAM/bulk folder, but it will greatly increase the likelihood that it does not.

 

About DKIM - The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost. Learn more about DKIM.

 

About DK: Implements the historical DomainKeys e-mail authentication protocol as designed by Yahoo!. Learn more about DK.


Requirements

You must use SMTP Authentication from your email clients or the messages will not be signed. This means that the mailboxes you create from your control panel must be created with the user@multipledomains format. When you configure your email client the username will be the "user" without @domain and the password will be the password you assigned. Please see our email user guide at http://support.eapps.com/hsp/email for more details.

Installation

Dkim and Dk-milter are provided by a single application called Dk-Dkim-Milters which can be installed from your control panel. We have combined them together because they are not incompatible with one another and using both will give you the greatest coverage of email services. To install Dk-Dkim-Milters:

 

Log into your control panel -> click System tab -> Add Application -> select the check box next to Dk-Dkim-Milters -> click Next

 

Generating Keys

The installation provides a script that is used to generate the key that you will later add to your DNS zone. To generate a key, log into your VPS as root using SSH and execute the command below.

 

/usr/share/doc/dkim-milter-2.8.3/dkim-genkey.sh -s yourdomain -d yourdomain.com

(Replace yourdomain with your original domain name.)

The command above will create 2 files in your current directory:

default.private and default.txt

 

Install the private Key

cp default.private /etc/mail/domainkeys/dk_yourdomain.com.private

chown dk-milt:dk-milt /etc/mail/domainkeys/dk_yourdomain.com.private

chmod 600 /etc/mail/domainkeys/dk_yourdomain.com.private

cp default.private /etc/mail/dkim-milter/keys/yourdomain

chown dkim-milt:dkim-milt /etc/mail/dkim-milter/keys/yourdomain

chmod 600 /etc/mail/dkim-milter/keys/yourdomain

 

Add DNS Settings

From your control panel System tab:

click All My Domains -> yourdomain.com -> DNS Zone -> New Record

Add the appropriate values to the fields similar to the example below. The contents of the default.txt will be added to the Value field.

Name: default._domainkey

Type: TXT

Value: g=*; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALbcGIJbiH+ip8I4kaw9ZsTA2jBDvADwDvl0V+qLv/iCUP0+vOO/FB0BB1t+KW1lNvXqE2Le707SNN55RYXhdxsCAwEAAQ==
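A check you can run on the record before publishing it, as an added example that is not part of the original guide: it parses the TXT value shown above, reads the RSA modulus size out of the p= key and reports the t=y testing flag. The function names are hypothetical, and the 1024-bit minimum is an assumption taken from RFC 8301.

```python
import base64

# TXT value copied from the guide's example record above.
RECORD = ("g=*; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALbcGIJbiH+ip8I4"
          "kaw9ZsTA2jBDvADwDvl0V+qLv/iCUP0+vOO/FB0BB1t+KW1lNvXqE2Le707SNN55RYXh"
          "dxsCAwEAAQ==")

def parse_tags(record):
    """Split a DomainKeys/DKIM key record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)   # base64 padding stays in value
            tags[name.strip()] = "".join(value.split())
    return tags

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(p_value):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo RSA key."""
    _, spki, _ = read_tlv(base64.b64decode(p_value), 0)  # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)              # AlgorithmIdentifier, skipped
    _, bitstr, _ = read_tlv(spki, pos)         # BIT STRING wrapping the key
    _, rsakey, _ = read_tlv(bitstr, 1)         # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsakey, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def review_record(record, min_bits=1024):
    """Return a list of findings for one key record."""
    tags = parse_tags(record)
    if not tags.get("p"):
        return ["p= is empty: this key has been revoked"]
    findings = []
    bits = rsa_key_bits(tags["p"])
    if bits < min_bits:
        findings.append(f"RSA key is {bits} bits, below the {min_bits}-bit minimum")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers treat the mail as unsigned")
    return findings

if __name__ == "__main__":
    print("\n".join(review_record(RECORD)))
```

Paste the contents of your own default.txt into RECORD to review the key you generated.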

 

Configure dk-milter and dkim

Edit the file /etc/sysconfig/dk-milter and change the lines below

 

#USER="dk-milt"

#PORT="local:/var/run/dk-milter/dk.sock"

#SIGNING_DOMAIN="example.com"

#SELECTOR_NAME="default"

#KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.private"

#SIGNER=yes

#VERIFIER=yes

 

to...

 

USER="dk-milt"

PORT="inet:10035@127.0.0.1"

SIGNING_DOMAIN="yourdomain.com"

SELECTOR_NAME="yourdomain"

KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.private"

SIGNER=yes

VERIFIER=no

 

Now edit /etc/mail/dkim-milter/dkim-filter.conf and make the change below.

 

Change...

 

# Domain example.com

# KeyFile /var/db/dkim/example.private

Selector my-selector-name

# Socket local:/var/run/dkim-milter/dkim-milter.sock

# SubDomains No

# Syslog No

# SyslogSuccess No

# UserID userid

# X-Header No

 

to...

 

Domain /etc/mail/dkim-milter/domains

KeyList /etc/mail/dkim-milter/keylist

Selector yourdomain

Socket local:/var/run/dkim-milter/dkim-milter.sock

SubDomains yes

Syslog yes

SyslogSuccess yes

UserID dkim-milt

X-Header yes

 

cd /etc/mail/dkim-milter

 

Create a new file called domains and add the line below and save the file.

 

yourdomain.com

 

Create a new file called keylist, add the line below and save the file.

 

*yourdomain.com:yourdomain.com:/etc/mail/dkim-milter/keys/yourdomain
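Before starting the services, the key files, domains file and keylist can be checked against each other. The script below is an added example, not part of the original guide: it reads keylist lines in the pattern:domain:keypath form shown above and reports domains missing from the domains file, missing key files, and key files whose mode is looser than the 600 set earlier. The function names and the demo files are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_keylist(keylist_path, domains_path):
    """Return a list of problems found in a dkim-milter keylist file."""
    with open(domains_path) as fh:
        domains = {ln.strip().lower() for ln in fh if ln.strip()}
    problems = []
    with open(keylist_path) as fh:
        for lineno, line in enumerate(fh, 1):
            fields = line.strip().split(":")
            if fields == [""]:
                continue                       # blank line
            if len(fields) != 3:
                problems.append(f"line {lineno}: expected pattern:domain:keypath")
                continue
            _pattern, domain, keypath = fields
            if domain.lower() not in domains:
                problems.append(f"line {lineno}: {domain} is not in the domains file")
            try:
                mode = stat.S_IMODE(os.stat(keypath).st_mode)
            except OSError:
                problems.append(f"line {lineno}: key file {keypath} is missing")
                continue
            if mode & 0o077:                   # any group or other permission bit
                problems.append(f"line {lineno}: {keypath} has mode {mode:o}, expected 600")
    return problems

def demo():
    """Run the audit on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        good, loose = os.path.join(d, "yourdomain"), os.path.join(d, "seconddomain")
        for path, mode in ((good, 0o600), (loose, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        domains, keylist = os.path.join(d, "domains"), os.path.join(d, "keylist")
        with open(domains, "w") as fh:
            fh.write("yourdomain.com\n")
        with open(keylist, "w") as fh:
            fh.write(f"*yourdomain.com:yourdomain.com:{good}\n"
                     f"*seconddomain.com:seconddomain.com:{loose}\n"
                     f"*third.example:third.example:{d}/missing\n")
        return audit_keylist(keylist, domains)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On the VPS, call audit_keylist("/etc/mail/dkim-milter/keylist", "/etc/mail/dkim-milter/domains") as root; an empty list means the three pieces agree.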

 

Start dk-milter and dkim

Start the milter service by executing the commands below.

 

service dk-milter start

service dkim-milter start

 

Enable both services to start on system restart.

 

chkconfig --level 3 dk-milter on

chkconfig --level 3 dkim-milter on

 

Configure Sendmail

Using a text editor of your choice, edit /etc/mail/sendmail.mc and add the dk and dkim filter lines before the smtp-vilter lines.

smtp-vilter lines:

define(`confINPUT_MAIL_FILTERS', `smtp-vilter')
INPUT_MAIL_FILTER(`spfmilter', `S=unix:/var/run/spfmilter/spfmilter.sock, T=S:8m;R:8m')dnl

dk and dkim filter lines:

INPUT_MAIL_FILTER(`dk-filter', `S=inet:10035@localhost')

INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')

Save the file and rebuild the sendmail configuration by executing the commands below.

cd /etc/mail

make

Restart Sendmail if it runs as a Daemon

Check if sendmail is running as a daemon by executing “service sendmail status”. If sendmail is running as a daemon you should see output similar to “sendmail (pid 18145 18135) is running...” To restart the service, execute the command below.

service sendmail restart

Adding More Domains

If you wanted to add a domain called seconddomain.com complete the steps above starting from Generating Keys to Add DNS settings then proceed as follows, substituting your actual domain name for the example “yourdomain.com” above and “seconddomain.com” below.

 

Edit the file /etc/sysconfig/dk-milter and add the lines below.

 

PORT0="inet:10036@127.0.0.1"

SIGNER=yes

SIGNING_DOMAIN0="seconddomain.com"

SELECTOR_NAME0="seconddomain.com"

KEYFILE0="/etc/mail/domainkeys/dk_${SELECTOR_NAME0}.private"

 

NOTE: PAY CLOSE ATTENTION TO THE 0 ON PORT0, SIGNING_DOMAIN0, SELECTOR_NAME0 AND KEYFILE0 BECAUSE YOU WILL NEED TO INCREASE THESE VALUES IF YOU ADD A THIRD DOMAIN WHICH WILL RESULT IN PORT1, SIGNING_DOMAIN1, SELECTOR_NAME1 AND KEYFILE1

Also note that the port number in the PORT line increased by one from 10035 to 10036. You will need to increment this port number by one for every additional domain you add.

 

Edit the file /etc/mail/dkim-milter/domains and add:

 

seconddomain.com

 

Edit the file /etc/mail/dkim-milter/keylist, add the line below and save the file.

 

*seconddomain.com:seconddomain.com:/etc/mail/dkim-milter/keys/seconddomain

 

Restart dk-milter and dkim

 

service dk-milter restart

service dkim-milter restart

You can test if everything is working fine by sending an email to a Yahoo account. Click on "Full Header" and see if it shows the "key" sign as well as the "pass". Since the installation involved a DNS update, you should allow sufficient time for DNS propagation (at least 1 hour) before you start testing.

