Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

DKIM

DKIM Checklist to help avoid spam filters

DKIM (DomainKeys Identified Mail) is an email authentication method that uses digital signatures to help prevent email spoofing. Here’s a suggested checklist for setting up DKIM to help avoid spam filters:

Generate a private and public key pair:

You will need to generate a private and public key pair to use with DKIM. This can be done using a tool like OpenSSL or through your email service provider.

Add the public key to your DNS:

Once you have generated the key pair, you will need to add the public key to your DNS as a TXT record. The record name should be in the format “selector._domainkey.example.com”.

Add the private key to your mail server:

The private key should be added to your mail server, and configured to sign outgoing email messages.

Add the DKIM signature to your email headers:

Your mail server should automatically add a DKIM-Signature header to outgoing email messages. In Rackspace this is done by clicking on Domains, then DKIM. You will be given a key/text record, which you add to your DNS wherever your DNS is hosted. After several minutes you will be able to “verify” that the DNS has been updated, and then DKIM is set up.

DKIM DNS Propagation

Test your DKIM setup:

You can use tools like the DKIM validator to ensure that your DKIM setup is working correctly.

Keep the key pair private:

Make sure to keep the private key safe and secure, and don’t share it with anyone. If you have multiple servers, you set up a key per server. Rackspace does this automatically for you.

https://cp.rackspace.com/Domains/SenderAuthentication#/details?domain=somesite.com

Update your keys periodically:

As a best practice, it’s recommended to update your keys periodically, usually every year or so, to keep your DKIM secure.

Monitor your DKIM:

Keep an eye on your DKIM to make sure it’s still valid and that it’s not causing any issues.

DKIM (DomainKeys Identified Mail):

  • Use a unique selector for each email sending domain.
  • Keep the private key secure, as it can be used by malicious actors to spoof emails from your domain.

A valid DKIM record for example.com would look like this:

| domain | type | value |
| --- | --- | --- |
| 20230225-5g0la707._domainkey.somesite.com | TXT | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLZdq+CEHqa+Caz1H91AwoMzrB2lgFCWxsQQdb/Fk5hmFc7KAxlQX5iKn0jsriWSSWLE2uVNtz2N/q9V69BBY3Ro+sdmp/SYssCMAuTE8VsA4aFpfSXfOxW5MqTpRJlBCdmJvXo4oPYX0pctloNHN/uUde2Yc1EFJPBZGzLuVqBQIDAQAB |
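To go with the "Test your DKIM setup" and "Monitor your DKIM" items, here is an added example (not part of the original notes and not Rackspace code) that checks a published TXT value offline using only the Python standard library. It parses the tags, catches an empty or cut-off p= value, and measures the RSA key size against the RFC 8301 recommendation. The function names are hypothetical; the sample input is the record shown above.

```python
import base64

PAGE_RECORD = ("v=DKIM1; k=rsa; p="  # TXT value copied from the page's record
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLZdq+CEHqa+Caz1H91AwoMzrB2lgFCWxs"
    "QQdb/Fk5hmFc7KAxlQX5iKn0jsriWSSWLE2uVNtz2N/q9V69BBY3Ro+sdmp/SYssCMAuTE8V"
    "sA4aFpfSXfOxW5MqTpRJlBCdmJvXo4oPYX0pctloNHN/uUde2Yc1EFJPBZGzLuVqBQIDAQAB")

def parse_tags(txt):
    """Split a DKIM TXT value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Walk SubjectPublicKeyInfo down to the RSA modulus; return its bit size."""
    _, spki, end = read_tlv(der, 0)               # outer SEQUENCE
    if end != len(der):
        raise ValueError("declared length does not match the decoded key")
    _, _, alg_end = read_tlv(der, spki)           # AlgorithmIdentifier, skipped
    _, bitstr, _ = read_tlv(der, alg_end)         # BIT STRING holding the key
    _, rsa_key, _ = read_tlv(der, bitstr + 1)     # +1 skips the unused-bits byte
    _, n_start, n_end = read_tlv(der, rsa_key)    # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(txt):
    """Return a list of findings for one DKIM key record; empty means clean."""
    tags = parse_tags(txt)
    findings = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    if tags.get("k", "rsa") != "rsa":
        return findings + ["non-RSA key type, size check skipped"]
    if not tags.get("p"):
        return findings + ["p= empty or missing: key revoked or record cut off"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return findings + ["p= is not a complete base64 RSA public key"]
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key: RFC 8301 recommends 2048 or more")
    return findings
```

Calling `check_record(PAGE_RECORD)` returns a single finding: the key in the record above is 1024 bits, which is worth addressing at the next key rotation.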

Rackspace Email

If I wanted to create a certificate on my server and manage DKIM myself, I could - but I’m not sending email from my server, I’m using a provider “Rackspace”. They manage all email, so instead I use their DKIM process and it’s very simple. They give me a record, I add the record, then it’s done.