As I wrote in the article “10 Tips for Auditing & Improving Mail Server Performance”, DKIM or DomainKeys is one feature that can be used to increase the acceptance rate (eligibility) of email on the destination mail server.
A DomainKeys or DKIM signature basically allows good senders to “sign” a message to prove that it really did come from them. This is done by signing outgoing mail with a specific code corresponding to the domain name and the identity of the mail server, so that the message is considered valid and convincing as coming from an authorized sender.
Domain Keys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them.
DKIM was originally written as a sender authentication protocol, developed to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).
The problem is that DKIM is not very easy to set up. We need to configure the mail server and also add a TXT record to the public DNS server. Not all providers allow us to add or modify TXT records. In some cases, we must create a support ticket so that they create the TXT record according to our requirements. If so, how can we check that the TXT record they created is correct?
There are 4 ways to test DKIM records in DNS, as follows:
- By using the CLI with the following command: dig namaselector._domainkey.namadomain.tld TXT (where namaselector is the selector name and namadomain.tld is the domain name), for example: dig selector._domainkey.vavai.web.id TXT. Below is an example of the response:
```
# dig selector._domainkey.vavai.web.id TXT

; <<>> DiG 9.7.1-P2 <<>> selector._domainkey.vavai.web.id TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63688
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;selector._domainkey.vavai.web.id. IN TXT

;; ANSWER SECTION:
selector._domainkey.vavai.web.id. 172800 IN TXT "v=DKIM1\; r=postmaster\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"

;; Query time: 85 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 5 08:18:00 2011
;; MSG SIZE rcvd: 316
```
- By using the web tool at http://dkimcore.org/tools/dkimrecordcheck.html. Type the name of the selector and the domain name, then click the Check button.
- By sending a blank email to one of the following addresses: sa-test@sendmail.net, check-auth@verifier.port25.com or autorespond+dkim@dk.elandsys.com, and checking the response.
- By sending an email to a Gmail or Yahoo address and checking the Signed By field in the message header.

Hopefully this helps you check whether your DKIM records meet the standard or still require modification.
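To check the content of a record rather than only its presence, the following added example (not part of the original article) parses a DKIM TXT value as dig prints it, measures the RSA key held in p=, and lists problems. It uses only the Python standard library; the function names and the 1024-bit floor (taken from RFC 8301) are assumptions of the example.

```python
import base64
import binascii

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, spki, _ = _tlv(der, 0)               # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)         # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(der, alg_end)         # BIT STRING wrapping the key
    _, key, _ = _tlv(der, bits + 1)         # +1 skips the unused-bits byte
    tag, start, end = _tlv(der, key)        # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(txt):
    """Parse a DKIM key record; return (tags, key_bits, issues)."""
    txt = txt.replace("\\;", ";")           # dig prints ';' as '\;'
    pairs = [t.split("=", 1) for t in txt.split(";") if "=" in t]
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}  # drop folding whitespace
    issues, key_bits = [], None
    if "v" in tags and (tags["v"] != "DKIM1" or pairs[0][0].strip() != "v"):
        issues.append("v= must be DKIM1 and come first")
    if "g" in tags:
        issues.append("g= is obsolete (dropped in RFC 6376)")
    if tags.get("k", "rsa") != "rsa":
        return tags, None, issues           # the size check below is RSA only
    if not tags.get("p"):
        issues.append("p= missing or empty (empty means revoked)")
        return tags, None, issues
    try:
        key_bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError):
        issues.append("p= is not a valid base64 RSA public key")
    else:
        if key_bits < 1024:
            issues.append(f"{key_bits}-bit key is below 1024 bits")
    return tags, key_bits, issues

# ANSWER SECTION value copied from the dig output shown in this article
PAGE_RECORD = r"v=DKIM1\; r=postmaster\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"
if __name__ == "__main__":
    print(check_dkim_record(PAGE_RECORD)[1:])
```

A record that a provider truncated or line-wrapped incorrectly when creating it from a support ticket typically shows up here as the invalid p= issue.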





vavai,
I have a small company and I migrate my webhosted mail to a private server on linode using zimbra and ubuntu… I tried everything but I still can't pass hotmail anti-spam… as I saw on the net you know lots about dkim (the reason that I think is the problem) is there some way you could help me with that? maybe we talk on msn or skype I give you a ssh access so you can see my configuration…. I'm getting crazy with that and we are moving (address change) and I have to warn my customers and all my mails are labeled as spam… please let me know if you can help me… I will really appreciate that… we can even pay for your time if it's needed… just send me the price…
thx in advance… I'm looking forward to hearing from you
Please, in point 3, don’t write to send a blank email; it won’t work. If you send an empty mail (blank subject & blank body) you will always get a fail back from these services. Took me some time to figure out again – made the same error when reading this the first time.