SPF, DomainKeys and DKIM for alternate domain authentication

Solution 1:

As an email sender, properly configuring your server goes a long way toward establishing credibility/trust. Almost all evaluation is automated now, and many organizations are selective on what they publish. A majority of the connections to my server are clearly spam.

1) Who generates the keys? example.com or example.org? (I am pretty sure that example.org would make the keys, then send us the public for DNS, but not sure)

You can use the existing key to sign for both domains. The trick is to sign the email using the correct signer. I extract the domain from the sender address and sign as that domain.

It is perfectly acceptable to have multiple active public keys with different selectors. During key replacement you will want the old and new keys active. Keys should be replaced periodically.

If you are acting as a relay server and example.org is signing, they need to generate the key they use. Whoever is maintaining the DNS for the signing domain will need to add the public key for the selector used to sign the messages.

It is safest to generate the key on the signing server. That will eliminate the need to have the private key anywhere else. The public key is public and will be published, so there is no need to secure it.

Many large organizations fail to publish their public keys. I commend you for your efforts to get it right.

2) Would I need both SPF and keys or would keys alone be enough to authenticate the other domain and allow it to pass authentication? (I am in a position where I would like to use only keys)

Both SPF and DKIM are entirely optional, but they do help distinguish your server from a spambot. I recommend using SPF for all domains. This can be as simple as v=spf1 a mx -all for domains sending email, v=spf1 a -all for mail servers, and v=spf1 -all for all other domains.

3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?

SPF is more reliable, but I believe most large sites are checking both DKIM and SPF. A pass with a strict SPF policy is a good indicator that the email is valid. In my experience SPF is used by many organizations to evaluate messages.

For mail servers, I defer acceptance of messages unless: there is no SPF policy for either the mail server's domain or its parent; or SPF validation passes for its domain or its parent. Soft passes are considered failures.

As I noted, many large organizations have failed to publish their DKIM public key. As a result I doubt failing DKIM on its own will cause much of an issue. A valid DKIM signature does seem to help establish credibility/trust. However, if you have published a DMARC record its policy may be applied.

Publishing a DMARC record for the domain allows you to make your SPF and DKIM signing policies available for automated validation. DMARC allows the receiving server to send you details on where email for your domains is arriving from, and how it was handled. Both Gmail and Yahoo send me reports. Start with a notify-only policy until you are sure your mail is correctly signed, and SPF is working.
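As an added illustration of the SPF records suggested in the answer (v=spf1 a mx -all, v=spf1 a -all, v=spf1 -all) and of the acceptance rule its author describes for mail servers (accept only when neither the server's domain nor its parent publishes SPF, or one of them passes, with soft passes treated as failures), here is a simplified SPF evaluator written for this page; it is not code from the answer, and the DNS data, domain names and function names are constructed assumptions.

```python
import ipaddress

# Constructed DNS data for the example (not real zones): TXT, A and MX records.
DNS = {
    "example.com": {"txt": "v=spf1 a mx -all", "a": ["192.0.2.10"], "mx": ["mail.example.com"]},
    "mail.example.com": {"txt": "v=spf1 a -all", "a": ["192.0.2.25"]},
    "example.org": {"txt": "v=spf1 a ~all", "a": ["198.51.100.5"]},
    "example.net": {"txt": "v=spf1 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, client_ip):
    """Evaluate the a, mx, ip4 and all mechanisms only; include/exists are skipped."""
    record = DNS.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"                       # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "a":
            matched = client_ip in DNS.get(domain, {}).get("a", [])
        elif term == "mx":
            matched = any(client_ip in DNS.get(mx, {}).get("a", [])
                          for mx in DNS.get(domain, {}).get("mx", []))
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                        # unsupported mechanism in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # record exhausted without a match

def parent_domain(domain):
    parts = domain.split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else None

def accept_connection(server_domain, client_ip):
    """Accept if neither domain nor parent publishes SPF, or either gives a hard
    pass; softfail, neutral and fail all lead to a deferral (4xx)."""
    domains = [d for d in (server_domain, parent_domain(server_domain)) if d]
    results = [evaluate_spf(d, client_ip) for d in domains]
    if all(r == "none" for r in results):
        return "accept"
    return "accept" if "pass" in results else "defer"
```

A relay whose own name has no record but whose parent publishes ~all is deferred here, which is exactly the "soft passes are considered failures" behaviour from the answer.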