Posted to server-user@james.apache.org by ma...@dmatthews.org.INVALID on 2020/03/17 14:31:17 UTC

Re: DKIM With Virtual Hosting

Sorry for the belated reply - I'm new to James, but not DKIM, which is pretty much essential these days if you want the mega providers to not put your email in spam boxes.

Firstly, DKIM is a per domain thing. You cannot put a single DKIM TXT record in your server's DNS and expect that will work for all the domains you have on that server.

I've got it working fine, admittedly for a single domain only, and I've included how to do this in a write-up online (mainly so I remember how to do it myself!). I *think* you can probably extrapolate from what I've done to make it work with multiple domains on a single James SMTP instance. My nameservers use tinyDNS, which has its own way of doing things, so you may well need to do some more hunting around to get the correct format for the TXT record to suit whatever nameserver service you use.

While you're at it, you also need to put up SPF and DMARC records, but they are easier, being purely DNS TXT record things as opposed to DKIM, which has two parts:-

1) James is set up to sign outgoing email for your domain(s) with private key(s)

https://dmatthews.org/java_email.html

2) The remote server uses the corresponding public key in your domain's TXT record to make sure the mail came from your domain and has not been tampered with in transit

https://dmatthews.org/email_auth.html#dkim

Finally, if your mail is actually being bounced rather than just silently being put into spam boxes, I would worry that your IP address has gotten onto a DNSBL.

--
David Matthews
mail@dmatthews.org


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


Re: DKIM With Virtual Hosting

Posted by Jerry Malcolm <te...@malcolms.com>.
David,

I'm happy to know a knowledgeable person related to DKIM. From what I can tell, the current James DKIM mailet is only usable for non-virtual hosting servers, where the server rDNS is the same as the 'from' domain in the email. The James DKIM mailet is going to need some modifications to support virtual hosting. But until recently, it was not clear to me that I needed to sign using each virtual host 'from' domain instead of the SMTP server domain.

I am hosting all of my domains on Amazon Web Services. AWS offers a gateway that can serve as a James proxy. I'm not thrilled to have to do it, but I'm now 'laundering' all of my outbound mail through the AWS gateway. Receiving servers see AWS, not my James server. I analyzed how the AWS gateway modifies the mail. The AWS gateway adds a DKIM record for the actual 'from' domain as you explained is required. It also adds a DKIM record for the AWS server domain itself. Is that overkill? Or should there always be an SMTP server DKIM record as well as a 'from' domain DKIM record? At least now, Gmail and other recipient servers are no longer flagging/bouncing my outbound mail. I'd really like to be able to get the same result without laundering the mail through the gateway. But until I can update the DKIM mailet to support a bunch of virtual hosts, I'm just going to stick with the duct-taped process with the gateway that works.

Thanks so much for the info. I may come back to you with more DKIM questions.

Jerry
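As an added illustration of the two points above (David's "DKIM is a per domain thing" and Jerry's question about the gateway adding both a 'from'-domain and a server-domain signature), here is a small Python model of what a receiver does with each DKIM-Signature. It is example code written for this thread, not James or AWS code; the domain names, selectors and TXT records are constructed sample data, and the RSA verification is replaced by a simple "does the selector record exist" lookup so it runs offline.

```python
# Added example (not from the thread): a simplified receiver-side model of
# DKIM verification plus strict DMARC identifier alignment. It shows why a
# message sent for a virtual-hosted domain needs a signature whose d= tag
# equals the From domain, and why that domain needs its own
# <selector>._domainkey TXT record. The key check is a stand-in lookup;
# all domains, selectors and records below are constructed sample data.
import re

# Constructed DNS zone data: which selector records actually exist.
# "mailhost.example" stands for the SMTP server's own domain,
# "customer-a.example" for a virtual-hosted 'from' domain.
DNS_TXT = {
    "mail._domainkey.mailhost.example": "v=DKIM1; k=rsa; p=<constructed>",
    "s1._domainkey.customer-a.example": "v=DKIM1; k=rsa; p=<constructed>",
}


def parse_tags(sig_value):
    """Turn a DKIM-Signature header value into a {tag: value} dict."""
    return dict(t.strip().split("=", 1) for t in sig_value.split(";") if "=" in t)


def from_domain(headers):
    """Extract the domain of the RFC5322 From header (lower-cased)."""
    m = re.search(r"@([\w.-]+)", headers["From"])
    return m.group(1).lower() if m else None


def check_message(headers, signatures):
    """Return (dkim_pass, dmarc_aligned).

    dkim_pass: at least one signature resolves to a published key record.
    dmarc_aligned: a passing signature's d= equals the From domain
    (strict alignment); this is what Gmail-style receivers need to see.
    """
    fd = from_domain(headers)
    passing_domains = []
    for sig in signatures:
        tags = parse_tags(sig)
        record_name = f"{tags['s']}._domainkey.{tags['d'].lower()}"
        if record_name in DNS_TXT:  # stand-in for fetching the key and checking b=
            passing_domains.append(tags["d"].lower())
    return bool(passing_domains), fd in passing_domains


# Constructed messages for the three cases discussed in the thread.
HDR = {"From": "Alice <alice@customer-a.example>"}
SIG_SERVER = "v=1; a=rsa-sha256; d=mailhost.example; s=mail; h=from:to; bh=x; b=y"
SIG_FROM = "v=1; a=rsa-sha256; d=customer-a.example; s=s1; h=from:to; bh=x; b=y"
SIG_NOREC = "v=1; a=rsa-sha256; d=customer-b.example; s=s1; h=from:to; bh=x; b=y"
```

Signing only with the server's key gives `(True, False)`: DKIM passes but the message is not aligned with the From domain, which is the failure mode David describes. Adding the 'from'-domain signature alongside it, as the gateway does, gives `(True, True)`; the extra server-domain signature does no harm, but alignment comes only from the one whose d= matches From.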

