Does the AWS SES SMTP server automatically sign emails with DKIM? - email

I am using AWS SES and PHPMAILER to handle email sending in my system.
My question is, does the SES SMTP server automatically sign my emails with my DomainKey (DKIM) or do I have to do it manually using PHPMAILER?
On one hand, Amazon declares that they sign emails with DKIM, but on the other hand I see that you can add headers and sign emails with DKIM in PHPMAILER, so I don't really understand whose responsibility it is to sign my emails with it.

If you set up SES's Easy DKIM, all messages sent through SES will be automatically signed. You don't need to bother with having PHP handle that.
If you're sending email from a single domain (or small number of them) this is the way to go. If you are doing something tricky (like sending email on behalf of hundreds or thousands of domains) it might be easier to handle the DKIM signing in PHP.

Related

DKIM validation warning when sending e-mail from Sendgrid API

I've bought a domain and I'm hosting Cloudflare as my DNS host. I mainly use this domain for sending emails.
I use Google workspace for receiving and sending emails, but I also use the Sendgrid API to send one automatic email a day from a simple python program (using Sendgrid's python library) I keep running.
I have correctly authenticated my domain in Sendgrid and added the CNAME records to Cloudflare as Sendgrid advises. I have also configured Google correctly with my domain using their info. I've tested both configurations with their tools.
I'm now in the process of adding extra security to my emails. I've configured SPF, DMARC and DKIM using the simple instructions Google provides. Added all the records once again to my DNS provider (Cloudflare) and started to observe my daily DMARC reports.
I'm using URIports (https://app.uriports.com/) to make sense of these reports :P
Apparently, everything is ok with the mails I send from Google. But not ok with the emails sent via Sendgrid. The DMARC analysis is the following:
We have received the following report from google.com about 1 message that was received in the following timespan: 02-13 0:00 (24h). This email was received from IP address xxx.xxx.xxx.xxx with hostname something.outbound-mail.sendgrid.net supposedly from <user>@<mydomain>.
DKIM validation passed because at least one signature is valid
Signature 1 for domain <mydomain> passed. The message was signed, and the signature passed verification tests.
Signature 2 for domain sendgrid.info passed. The message was signed, and the signature passed verification tests but the DKIM signature domain sendgrid.info does not align with the Header-From domain <mydomain>.
SPF and DMARC validations are ok.
I confess I'm lost and I'm searching everywhere without success. Can anyone help me understanding in what direction to go?
Can it be a problem with the python program?
Many thanks! Cheers!
Gil
To set your mind at ease, your setup is fine! Nothing to worry about.
DKIM is, among other things, a reputation tool. SendGrid is adding two signatures to your emails: one for your domain, which will help pass DMARC authentication, and one for their domain / service. This second one is optional from the DMARC perspective, but may improve Inbox delivery.
There are many services that operate in a similar fashion, adding an additional DKIM signature to outbound emails.
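The report quoted above (one aligned signature for the sender's domain, one non-aligned signature for sendgrid.info) can be reproduced from the message headers alone. The following is an added example, not code from the thread or from SendGrid: it parses each DKIM-Signature header of a constructed message, extracts the signing domain (d=) and selector (s=), checks that the From header is among the signed headers, and reports whether the signature domain aligns with the Header-From domain under DMARC's relaxed or strict mode. The message, selector names and signature values are constructed placeholders, and relaxed alignment is approximated by comparing the last two DNS labels (real verifiers use the Public Suffix List, so two-label TLDs such as co.uk are not handled here). Cryptographic verification of the signatures is out of scope; the block classifies alignment, which is what the report's second line is about.

```python
"""Classify DKIM signatures the way a DMARC aggregate report does.

Added example (not from the thread). The sample message below is
constructed; selector names, hostnames and signature values are
placeholders, not real data.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed message carrying two DKIM signatures, mirroring the report:
# one for the customer's domain and one for the provider's own domain.
SAMPLE_MESSAGE = """\
Return-Path: <bounces+123@em1234.mydomain.example>
Received: from something.outbound-mail.sendgrid.net (constructed placeholder)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.example;
 s=s1; h=from:subject:to:mime-version:content-type; bh=PLACEHOLDER;
 b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info;
 s=smtpapi; h=from:subject:to; bh=PLACEHOLDER; b=PLACEHOLDER
From: Daily Report <user@mydomain.example>
To: someone@example.net
Subject: daily report

body
"""


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).

    Folding whitespace inside values (common in b= and h=) is removed.
    """
    tags = {}
    unfolded = header_value.replace("\r\n", "").replace("\n", "")
    for part in unfolded.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; the real
    rule consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(sig_domain, from_domain, strict=False):
    """DMARC identifier alignment for a DKIM d= domain (RFC 7489 section 3.1.1)."""
    if strict:
        return sig_domain.lower() == from_domain.lower()
    return org_domain(sig_domain) == org_domain(from_domain)


def classify_signatures(raw_message, strict=False):
    """Return (header_from_domain, [per-signature dicts]) for a raw message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
        results.append({
            "d": tags.get("d", ""),
            "s": tags.get("s", ""),
            # RFC 6376 requires From to be covered by every signature.
            "signs_from": "from" in signed_headers,
            "aligned": dkim_aligned(tags.get("d", ""), from_domain, strict),
        })
    return from_domain, results


def dmarc_dkim_pass(results):
    """DMARC's DKIM leg passes when at least one signature verifies AND aligns.

    Verification is assumed to have succeeded here (out of scope), so only
    alignment decides; a provider-only signature never satisfies this.
    """
    return any(r["aligned"] and r["signs_from"] for r in results)


if __name__ == "__main__":
    from_domain, sigs = classify_signatures(SAMPLE_MESSAGE)
    print("Header-From domain:", from_domain)
    for i, s in enumerate(sigs, 1):
        print(f"Signature {i}: d={s['d']} s={s['s']} aligned={s['aligned']}")
    print("DMARC DKIM result:", "pass" if dmarc_dkim_pass(sigs) else "fail")
```

Running it prints the first signature as aligned and the second (sendgrid.info) as not aligned, exactly the situation the report describes: the second signature is informational for the receiver's reputation systems, and DMARC passes on the strength of the first. The same classification covers any message with several signatures added at different hops.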

PHPMailer and DKIM, SPF validation with an authenticated SMTP server

I have a web application with email notifications.
I'm using PHPMailer to send mails over authenticated SMTP by the SMTP server given by my provider.
All messages are invalidated by SPF and DKIM settings because somehow it is expected that my webserver is included in the SPF list and PHPMailer has to sign the message.
Is there any way to let the SMTP server envelope and sign the email for me?
I thought an authenticated SMTP connection would define the first server as enveloped-by and not the first client. Is this a wrong thought or a misconfiguration of the SMTP server?
Whether your mail server will DKIM-sign for you is up to the mail server – and it is generally preferable to do that as you don't then have to worry about it.
However, it is definitely better to sign it yourself if you can. If you're sending through your hosting provider's mail server, they would need to have access to your private key in order to be able to sign as your domain. For this reason, if they do sign, it is often as an intermediary rather than as the original sender, and this may mean they can't vouch for the From address which you would need to be signed to pass DMARC checks. You can do both at once, because it's entirely legitimate for a message to contain multiple DKIM signatures, signed at different points of the message's journey, by different parties.
SPF does include the originating IP, but you need to be aware of the difference between "regular" SMTP and the SMTP submission protocol defined in RFC6409, which specifically mentions that you might expect a submission server to add a signature. Submission clients will often not be treated as the origin (from an SPF perspective). If that server is in your own network, then you have no issues with holding private keys.

If my domain is using gsuite and I am using gmail's DKIM, will that DKIM setting be used by another sender on my spf? ie. Klaviyo?

If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?
To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.
DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.
You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.
Update:
Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.
In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.
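The records in the answer above can be checked mechanically, and the reason Klaviyo does not need to be in the root SPF record (SPF is evaluated against the bounce-address domain send.myexample.com, which DMARC then aligns with myexample.com in relaxed mode) is easiest to see by running the DMARC decision over a few scenarios. The following is an added example, not code from the thread or from any of the providers named: it parses the SPF and DMARC TXT records exactly as written in the answer and applies the DMARC pass/disposition rule of RFC 7489 to constructed scenarios (a Google-sent message, a Klaviyo-sent message authenticated only by SPF on the send.myexample.com bounce domain, and an unauthenticated message from an unrelated domain). Relaxed alignment is approximated by the last two DNS labels, a simplification of the Public Suffix List rule; DNS lookups and the actual SPF IP check are out of scope, so the SPF result is supplied as an input.

```python
"""Parse SPF/DMARC records and evaluate the DMARC decision.

Added example (not from the thread). Record strings are the ones the
answer publishes; the sending scenarios are constructed.
"""

SPF_RECORD = "v=spf1 include:_spf.google.com ~all"
DMARC_RECORD = "v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;"


def parse_spf(record):
    """Return (qualifier, mechanism) pairs from an SPF TXT record (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier, mech = "+", term  # "+" (pass) is the default qualifier
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        parsed.append((qualifier, mech.lower()))
    return parsed


def parse_dmarc(record):
    """Return the tag dict of a DMARC TXT record; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; the real
    rule consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: exact match for strict ('s'), org domain for relaxed."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate_dmarc(from_domain, dmarc_record, spf_result, mail_from_domain,
                   dkim_pass_domains):
    """Return (dmarc_pass, disposition) for one message.

    from_domain:       domain of the RFC5322.From header
    spf_result:        "pass" or any other SPF result string
    mail_from_domain:  RFC5321.MailFrom (bounce address) domain SPF was run on
    dkim_pass_domains: d= domains of signatures that verified cryptographically
    """
    policy = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain,
                                              policy["aspf"])
    dkim_ok = any(aligned(d, from_domain, policy["adkim"])
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"          # DMARC pass: policy is not applied
    return False, policy["p"]        # DMARC fail: receiver applies p=


def scenarios(dmarc_record=DMARC_RECORD):
    """Constructed scenarios for the setup in the answer; returns {name: result}."""
    return {
        # Google relays with SPF pass on myexample.com and signs with the domain.
        "google": evaluate_dmarc("myexample.com", dmarc_record, "pass",
                                 "myexample.com", ["myexample.com"]),
        # Klaviyo bounces via send.myexample.com; root SPF record not involved.
        "klaviyo_spf_only": evaluate_dmarc("myexample.com", dmarc_record, "pass",
                                           "send.myexample.com", []),
        # Unrelated sender with its own SPF pass and no aligned DKIM signature.
        "unauthenticated": evaluate_dmarc("myexample.com", dmarc_record, "pass",
                                          "unrelated.example", []),
    }


if __name__ == "__main__":
    print("SPF terms:", parse_spf(SPF_RECORD))
    print("DMARC tags:", parse_dmarc(DMARC_RECORD))
    for name, result in scenarios().items():
        print(f"{name}: pass={result[0]} disposition={result[1]}")
    print("with p=reject:", scenarios("v=DMARC1; p=reject")["unauthenticated"])
```

With the answer's p=none record every scenario gets disposition "none", which is why monitoring first is safe; switching the record to p=reject only changes the outcome for the unauthenticated case, and adding aspf=s would make the Klaviyo case fail because send.myexample.com no longer aligns with myexample.com under strict mode.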
Yes, DKIM and DMARC settings do help deliverability.
I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.
Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.

Send mail with sendmail to gmail

I have a server on OVH and I'm trying to send some mail to my Gmail address using sendmail.
I installed sendmail with apt-get on debian, and echo "Subject: test" | /usr/sbin/sendmail -v mymail@gmail.com works. However Gmail puts the mail in the spam folder and says the mail is not authenticated.
I have no knowledge of how email works and from what I've seen I could use SPF or DKIM to provide authentication, but it seems it requires admin access to ovh DNS servers.
What would be the easiest way, using only admin access to the server that sends mails, to make sure emails sent from it are not marked as spam?
Thanks
There is no easy way. That's the simple answer.
Google Mail is fighting spam every second, every day, all year. To get mail delivered directly to the inbox requires time and patience and there are no shortcuts. If there were, spammers would have it way too easy!
You are very correct that Google's SMTP servers will ask you to beef up your SMTP mail headers to include better authentication and security. There's no way around it if you want to be on good terms with Google's SMTP servers.
Here is a list of things to consider
SPF (Must have, also to defend spam sent in your name)
DKIM (Must have, this is somewhat a step up from SPF)
ESMTP (Google likes it when you talk to them encrypted)
Bulk headers (Use them if it's bulk, no reason to lie!)
Unsubscribe headers (Use them if you are sending out maillist content)
SMTP relays with nice Senderscores (Easy access to the inbox, but cost)
SMTP relays with good reputation (Easy access to the inbox, but cost)
Feedback loop headers/setup (If you send large amount of mails)
Only use "warmed up" SMTP relay servers (Mostly used by bulk senders)
Reverse DNS to match HELO/HELO (Mismatch can make problems)
Static IP (It's a given)
As you can see it's no simple task to "just" send an email to Google and expect it to be passed along to the user's inbox without getting targeted as spam.
Most of the options above require extensive server knowledge or that your hosting provider supports it. You need to have access to change your own DNS records, but also the SMTP server that you send your mail from needs to be set up with the things in advance.
Now to the:
"How to send emails to Google Mail that always land in the inbox for dummies"
Well, you basically buy your way into the inbox. Use SMTP services like Mailchimp or Amazon AWS-SMS (Simple Mail Service); many if not all of these services have already set up DKIM and SPF and are on good terms with Google. They do however have many rules about what and what not to do, so if you don't follow the rules they will close your account right away.

How to send transactional mails from many addresses (without spamming or on behalf of)

In a Laravel/Symfony SaaS app I want my clients to send out mails to their customers – my clients can manage their customer information in my app.
I am looking for a way they can send emails that are from their own addresses – and not from my domain (via sendmail).
These mails should not have an "on behalf of" in their FROM, but also I want to make sure that my service will not get gamed by spammers.
One idea was that every client can set up her own SMTP settings which Swiftmailer will then use to deliver the mails for each individual address. Maximum daily delivery per client should be below 500, so that might work.
Another idea was to use a service such as Amazon SES, who let you verify up to 1000 addresses. Or Sendgrid, who offer something similar.
What is the most secure way to send mails from different addresses with a maximized deliverability and minimum risk of being gamed by spammers?
For safeguarding against being marked as spam you need to
Have your DKIM and SPF settings in place
Do a LITMUS spam test of your email to check your spam score against various spam check engines
Do domain throttling
It has nothing to do with email verification in SES because that is just a mandate for using a From email id while sending out emails