DKIM vs Domain Keys

I've configured DKIM (milter-dkim) on my mail server. Incoming e-mail sent from my domain now contains the following headers:

X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
 t=1281907022; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
  Content-Transfer-Encoding;
 b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
  hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic

1.) So I guess that confirms that I have DKIM set up correctly, right?

But when I look at a message coming in from Google, I see:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
   ...snip...
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
   ...snip...

2.) What is the relationship of DomainKey-Signature vs DKIM-Signature?


Solution 1:

DKIM is a newer version of the DomainKeys protocol. If you sign your mail via DKIM, you should not need to implement DomainKeys.

Solution 2:

They are two separate things. DomainKeys is older, created by Yahoo!. DKIM is DomainKeys + Identified Internet Mail (another scheme to verify emails created by Cisco).

The headers are compatible, apparently, but some newer systems don't check DKIM, so you have to generate both to make everyone happy.

Solution 3:

To answer your first question, it means that your outgoing mail is being signed, but you must have the corresponding DNS records in order for receiving mail servers to validate it.

When it's all set up, if you check your headers for a message that's come in, your mail server should provide some indication of its success. If you have a Google account, it will display the results under the 'Authentication-Results' header. If it's set up correctly, you should see the following:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of
[email protected] designates 1.1.1.1 as permitted sender)
[email protected]; dkim=pass [email protected]

Remember to set up SPF records too; they are more widely checked than DKIM/DomainKeys.

Question 2, DKIM is the newer implementation. If you have the ability to use DKIM, use it over DomainKeys.
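
As an added example (not part of the answers above), this Python sketch parses the DKIM-Signature header from the question, derives the DNS TXT name a receiving server queries for the public key, and reads the verdicts out of an Authentication-Results value. The Authentication-Results string is constructed, with example.com as a placeholder; the function names are illustrative.

```python
import re

# DKIM-Signature value copied from the question (folded lines kept as posted).
DKIM_SIG = """v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
 t=1281907022; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
  Content-Transfer-Encoding;
 b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
  hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic"""

# Constructed Authentication-Results value; example.com is a placeholder.
AUTH_RESULTS = ("mx.google.com; spf=pass (google.com: domain of "
                "user@example.com designates 1.1.1.1 as permitted sender) "
                "smtp.mail=user@example.com; dkim=pass header.i=@example.com")

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # empty item, e.g. after a trailing ';'
        name, val = item.split("=", 1)  # split once: base64 values may end in '='
        name, val = name.strip(), val.strip()
        if name in ("b", "bh", "h"):
            val = re.sub(r"\s+", "", val)  # header folding is not significant here
        tags[name] = val
    return tags

def key_record_name(tags):
    """DNS TXT name holding the signer's public key: <s>._domainkey.<d>."""
    missing = [t for t in ("d", "s") if t not in tags]
    if missing:
        raise ValueError("signature lacks required tag(s): " + ", ".join(missing))
    return f"{tags['s']}._domainkey.{tags['d']}"

def auth_results(value):
    """Return {method: result} from an Authentication-Results value."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop comments, which may hold ';'
    results = {}
    for part in value.split(";")[1:]:  # first item is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

if __name__ == "__main__":
    tags = parse_tags(DKIM_SIG)
    print("publish the public key as a TXT record at:", key_record_name(tags))
    print("receiver verdicts:", auth_results(AUTH_RESULTS))
```

DomainKeys looks up its key under the same `_domainkey` label, so the two Gmail headers in the question, both carrying `d=gmail.com; s=gamma`, point at the same DNS name.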