Welcome to Server Circle. It's a friendly site and all levels of experience are welcome. Be aware that we use cookies for your login.
Server Circle - Ask questions about Servers and get answers from experts.
Beta (0.14 sec)
DKIM vs SPF

Should I install DKIM ? I see Google and Yahoo use them but do anyone else ? The patching for Domain Keys in Postfix looks quite hard.
Asked by:
JimmyC
945 points
 Report Abuse
 Share Page - Category: Email Servers - Tags: DKIM vs SPF
 Enter your response
Please use Pastie.org to paste lengthy code or to fix formatting issues with code
  • Responses in reverse (3)

Best Answer

My impression is that DKIM and SPF are both necessary, but not sufficient, if you want e-mails from your server to reach their recipients and not end up in the spam folder.

Setting up SPF needs no special configuration at the server. DKIM needs a bit more work. First, install the opendkim package.

Next, you must generate a certificate/key pair if necessary:

# opendkim-genkey -d mydomain.net -s mail

Add the opendkim milter incantation into /etc/postfix/main.cf:

milter_default_action = accept

milter_protocol = 2

smtpd_milters = inet:localhost:8891

non_smtpd_milters = inet:localhost:8891

smtpd_sender_restrictions = reject_unknown_sender_domain

Enter the domain (or domains comma-separated), key file location and operation mode (s=sign, (v=verify)) into /etc/opendkim.conf.

Domain mydomain.net

KeyFile /etc/postfix/mail.private

Selector mail

Mode s

Put the certificate text into a DNS entry with name mail._domainkey.

mail._domainkey.mydomain.net IN TXT "v=DKIM1; g=*; k=rsa; p=[certificate_text]" ; ----- DKIM mail for mydomain.net


Response by:
CPKS
225 points
SPF is a no brainer as already mentioned - v simple modifications required to DNS records only

DKIM does require some effort - previous answer refers to setting up all email passing through the server and adding DKIM header, this is OK but not always the best answer as it introduces an overhead for all email

My environment is broken down between emails that are sent by real people (that don't really need DKIM signing) and mass emailing (which do).

To target the system resources more specifically during the email generation stage (perl based) I utilise the Mail::DKIM::Signer module - really simple to setup although there is a tiny caveat worth remembering : when outputting for hashing the signature the output must end each line with a CR/LF - ie SMTP prepared traffic format (not the typical CR alone)

My solution here will be MTA agnostic also (which is pretty helpful to those running sendmail particularly although there is a blanket solution for that as well I understand)


Response by:
marnix
30 points
Great, thanks alot.

Response by:
JimmyC
945 points


  • Related Questions


by jek8o (328 points) in Email Servers - 3 replies



by Keith (432 points) in Email Servers - 1 replies
About Us : Contact Us : Etiquette : Terms : CDN Failover : ShorterURL : CDN Fallback : © 2013 Server Circle