I've a problem with DKIM.
I send messages signed by DKIM, but my mail server doesn't support this feature.
So I've generated a pair of keys (private and public) and I've configured the TXT record with the public key.
The problem is that I don't have access to the mail server.
Can I sign the message manually with my mail client or in some other way?
Thanks!
Here's a thread that includes some options for client-side DKIM signing - Setting up DomainKeys/DKIM in a PHP-based SMTP client.
That said, most mail servers support DKIM out of the box at this point - you may want to switch to one that does.
I have a web application with email notifications.
I'm using PHPMailer to send mails over authenticated SMTP by the SMTP server given by my provider.
All messages are invalidated by SPF and DKIM settings because somehow it is expected that my webserver is included in the SPF list and PHPMailer has to sign the message.
Is there any way to let the SMTP server envelope and sign the email for me?
I thought an authenticated SMTP connection would define the first server as enveloped-by and not the first client. Is this a wrong thought or a misconfiguration of the SMTP server?
Whether your mail server will DKIM-sign for you is up to the mail server – and it is generally preferable to do that as you don't then have to worry about it.
However, it is definitely better to sign it yourself if you can. If you're sending through your hosting provider's mail server, they would need to have access to your private key in order to be able to sign as your domain. For this reason, if they do sign, it is often as an intermediary rather than as the original sender, and this may mean they can't vouch for the From address which you would need to be signed to pass DMARC checks. You can do both at once, because it's entirely legitimate for a message to contain multiple DKIM signatures, signed at different points of the message's journey, by different parties.
SPF does include the originating IP, but you need to be aware of the difference between "regular" SMTP and the SMTP submission protocol defined in RFC 6409, which specifically mentions that you might expect a submission server to add a signature. Submission clients will often not be treated as the origin (from an SPF perspective). If that server is in your own network, then you have no issues with holding private keys.
If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?
To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.
DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.
You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.
Update:
Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.
In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.
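The alignment rule behind the answer above, as an added example that is not part of the original answer: DMARC passes when SPF or DKIM passes for a domain aligned with the From domain. The sample messages and the `esp.example` / `hoster.example` names are constructed, and the organizational domain is approximated as the last two labels, which is an assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass
from typing import List, Tuple


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed only the same org domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    from_domain: str               # domain in the visible From: header
    spf_domain: str                # bounce (MAIL FROM) domain that SPF checked
    spf_pass: bool
    dkim: List[Tuple[str, bool]]   # (d= domain, signature verified)


def dmarc_eval(msg: Message, aspf_strict=False, adkim_strict=False) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, aspf_strict)
    dkim_ok = any(ok and aligned(d, msg.from_domain, adkim_strict) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed samples modelled on the setup described above.
SAMPLES = {
    # Third party using the delegated bounce subdomain and signing as the domain.
    "esp_configured": Message("myexample.com", "send.myexample.com", True,
                              [("myexample.com", True)]),
    # Same sender without the DNS delegation: it authenticates only as itself.
    "esp_unconfigured": Message("myexample.com", "bounce.esp.example", True,
                                [("esp.example", True)]),
    # An intermediary's signature plus the domain owner's own signature.
    "double_signed": Message("myexample.com", "relay.hoster.example", True,
                             [("hoster.example", True), ("myexample.com", True)]),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, dmarc_eval(m))
```

The `esp_unconfigured` case is the one that starts failing once the policy moves from `p=none` to `p=reject`, which is why the aggregate reports are worth reading first.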
Yes, DKIM and DMARC settings do help deliverability.
I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.
Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.
I am using AWS SES and PHPMAILER to handle email sending in my system.
My question is, does the SES SMTP server automatically sign my emails with my DomainKey (DKIM) or do I have to do it manually using PHPMAILER?
On one hand, Amazon declares that they sign emails with DKIM, but on the other hand I see that you can add headers and sign emails with DKIM in PHPMAILER, so I don't really understand whose responsibility it is to sign my emails with it.
If you set up SES's Easy DKIM, all messages sent through SES will be automatically signed. You don't need to bother with having PHP handle that.
If you're sending email from a single domain (or small number of them) this is the way to go. If you are doing something tricky (like sending email on behalf of hundreds or thousands of domains) it might be easier to handle the DKIM signing in PHP.
We have bought the google apps account for the domain www.amarramesh.com hosted by bluehost.com.
As per the google apps suggestion, we altered the CNAME records in bluehost for the domain www.amarramesh.com to sync with google apps.
There is an issue when I send the mail through a PHP file stored in my Bluehost server. I tested the email quality through mail-tester.com and it says the DKIM signature is not valid because in the DKIM signature selector = "default" and suggests I should change to "google.domainkey". Due to this, many of the emails sent from the server are going into people's spam boxes. How do I make this change? This problem doesn't happen when email is sent from Gmail.
I have tried Php-mailer and it worked for some time but Bluehost has now blocked it.
Why do you want to send mail from another host if you're using GoogleApps?
DKIM's purpose is to allow remote hosts to authenticate that your mail was really sent by the server(s) you permit to send them. This prevents a spammer from forging your domain name on spam he is sending out. If it wasn't bounced off of servers you authorized in your DKIM DNS record, remote mail servers won't deliver it -- or maybe send it to the spam folder (provided they look at the DKIM header and DNS record).
It does this by putting a private key encrypted header on the mail, and the public key to decrypt it on the DNS record. If it can be decrypted successfully, then it is assumed to be legit (because the sender knew the private key).
This might help if you want to enable mail being sent from both hosts.
https://blogs.msdn.microsoft.com/tzink/2013/04/26/how-to-set-up-your-dkim-records-if-you-are-outsourcing-some-or-all-of-your-email/
We have automated email alerts from a web application hosted on a VPS. Google is marking our outgoing emails from server as SPAM. So, none of our users with a GMail account are receiving the emails.
I have done the required settings for SPF & DKIM, but to no avail.
On viewing the header of the emails, I see the following message against DKIM:
dkim=neutral (invalid public key) header.i=@domain.com
I cannot make out what is wrong here. Please help.
Double-check your DKIM public key in the TXT record and compare it with the key from the key generation program.
This error means that your public and private keys are not suitable.
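One way to carry out the comparison suggested above, as an added example that is not part of the original answer: it normalises the TXT value (including a record split into several quoted strings) and compares `p=` with the body of the PEM public key file. The key bytes are constructed stand-ins, not a real RSA key, and the function names are hypothetical.

```python
import base64
import binascii
import re


def parse_dkim_txt(txt: str) -> dict:
    # Join the quoted chunks of a split TXT record, then read tag=value pairs.
    chunks = re.findall(r'"([^"]*)"', txt)
    joined = "".join(chunks) if chunks else txt
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def pem_body(pem: str) -> str:
    # Base64 body of a PEM file, without armor lines or newlines.
    lines = (l.strip() for l in pem.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def check_record(txt: str, public_pem: str) -> list:
    # Returns a list of problems; an empty list means the record matches.
    p = parse_dkim_txt(txt).get("p")
    if p is None:
        return ["no p= tag in record"]
    if p == "":
        return ["p= is empty (key revoked)"]
    try:
        published = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return ["p= is not valid base64 (truncated or mangled when pasted)"]
    if published != base64.b64decode(pem_body(public_pem)):
        return ["p= differs from the generated public key"]
    return []


# Constructed stand-in bytes in place of a real DER-encoded public key.
DER = bytes((i * 7 + 3) % 256 for i in range(294))
B64 = base64.b64encode(DER).decode()
PEM = "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(DER).decode() + "-----END PUBLIC KEY-----\n"
GOOD_TXT = '"v=DKIM1; k=rsa; p=' + B64[:200] + '" "' + B64[200:] + '"'
TRUNCATED_TXT = '"v=DKIM1; k=rsa; p=' + B64[:201] + '"'
OTHER_TXT = '"v=DKIM1; k=rsa; p=' + base64.b64encode(DER[::-1]).decode() + '"'

if __name__ == "__main__":
    for name, txt in [("good", GOOD_TXT), ("truncated", TRUNCATED_TXT), ("other", OTHER_TXT)]:
        print(name, check_record(txt, PEM) or "OK")
```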