David,

I'm happy to know a knowledgeable person related to DKIM.  From what I can tell, the current James DKIM mailet is only usable for non-virtual hosting servers, where the server rDNS is the same as the 'from' domain in the email.  The James DKIM mailet is going to need some modifications to support virtual hosting.  But until recently, it was not clear to me that I needed to sign using each virtual host 'from' domain instead of the SMTP server domain.

I am hosting all of my domains on Amazon Web Services.  AWS offers a gateway that can serve as a James proxy.  I'm not thrilled to have to do it, but I'm now 'laundering' all of my outbound mail through the AWS gateway.  Receiving servers see AWS, not my James server.  I analyzed how the AWS gateway modifies the mail.  The AWS gateway adds a DKIM record for the actual 'from' domain, as you explained is required.  It also adds a DKIM record for the AWS server domain itself.  Is that overkill?  Or should there always be an SMTP server DKIM record as well as a 'from' domain DKIM record?  At least now, Gmail and other recipient servers are no longer flagging/bouncing my outbound mail.  I'd really like to be able to get the same result without laundering the mail through the gateway.  But until I can update the DKIM mailet to support a bunch of virtual hosts, I'm just going to stick with the duct-taped process with the gateway that works.

Thanks so much for the info.  I may come back to you with more DKIM questions.

Jerry

On 3/17/2020 9:31 AM, [email protected] wrote:
Sorry for belated reply - I'm new to James, but not DKIM, which is pretty much 
essential these days if you want the mega providers to not put your email in 
spam boxes.

Firstly, DKIM is a per domain thing. You cannot put a single DKIM TXT record in 
your server's DNS and expect that will work for all the domains you have on 
that server.

I've got it working fine, admittedly for a single domain only, and I've included 
how to do this in a write-up online (mainly so I remember how to do it 
myself!). I *think* you can probably extrapolate from what I've done to make it 
work with multiple domains on a single James SMTP instance. My nameservers use 
tinyDNS, which has its own way of doing things, so you may well need to do some 
more hunting around to get the correct format for the TXT record to suit 
whatever nameserver service you use.

While you're at it, you also need to put up SPF and DMARC records, but they are 
easier, being purely DNS TXT record things as opposed to DKIM, which has two 
parts:-

1) James is set up to sign outgoing email for your domain(s) with private key(s)

https://dmatthews.org/java_email.html

2) the remote server uses the corresponding public key in your domain's TXT 
record to make sure the mail came from your domain and has not been tampered 
with in transit

https://dmatthews.org/email_auth.html#dkim

Finally, if your mail is actually being bounced rather than just silently being 
put into spam boxes, I would worry that your IP address has gotten onto a DNSBL.

--
David Matthews
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
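Added example, not code from the thread or from James: a small Python check for the situation discussed above, where a relay adds a second DKIM signature alongside the one for the sender's own domain. For each DKIM-Signature it derives the DNS name a receiving server will query (selector._domainkey.domain) and reports whether the signing domain (d=) aligns with the From domain, which is the signature DMARC cares about; a relay's own signature verifies but does not align. The sample message, domains and selectors are constructed, and the organizational-domain comparison is simplified to the last two labels rather than the public suffix list.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the thread): the From domain is
# example.org and a relay at relay.example.com has added its own signature.
SAMPLE = (
    "From: Alice <alice@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
    " s=mail; h=From:To:Subject; bh=BODYHASH; b=SIGNATURE\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example.com;\r\n"
    " s=r1; h=From:To:Subject; bh=BODYHASH; b=SIGNATURE\r\n"
    "\r\n"
    "body text\r\n"
)


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def org_domain(domain):
    # Simplification: real DMARC relaxed alignment uses the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def classify_signatures(raw_message, strict=False):
    """For each DKIM-Signature: the TXT record name a verifier queries and
    whether d= aligns with the From domain (strict: exact; relaxed: org domain)."""
    msg = email.message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        aligned = d == from_dom if strict else org_domain(d) == org_domain(from_dom)
        results.append({"d": d, "s": s, "dns_name": f"{s}._domainkey.{d}",
                        "aligned": aligned})
    return results


if __name__ == "__main__":
    for result in classify_signatures(SAMPLE):
        print(result)
```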