Using DKIM

Category: DNS E-Mail
Created: 2024-01-24

DKIM (DomainKeys Identified Mail) is a procedure in which outgoing e-mails are cryptographically signed so that the recipient's mail server can check the authenticity of the e-mail. Unlike SPF (Sender Policy Framework), DKIM also works with forwarded e-mails, because the signature travels with the message instead of depending on the IP address of the delivering server.

Google and Yahoo have announced that from February 1, 2024 they will tighten their acceptance of incoming e-mail and, in particular, only accept authenticated e-mails (SPF and/or DKIM) from senders that send more than 5,000 e-mails per day.

LiveConfig has supported DKIM since version 1.8.3. To enable it, proceed as follows:

  • install the opendkim package
  • restart LiveConfig (or the lcclient) on the server in question so that it detects the OpenDKIM installation
  • log in to LiveConfig as admin, go to Server administration -> Email tab and edit the Postfix settings; on the Virus/Spam tab, enable the checkbox for the DKIM service (OpenDKIM)

DKIM must be activated per domain. To do this (as an end customer), go to Hosting -> Domains, click on the desired (sub)domain and then on the Email tab. Besides activating DKIM, you also need to create or import a DKIM key here and, if necessary, change the selector. Normally you simply generate a 2048-bit RSA key and save the settings.

The public part of the DKIM key must be published in the Domain Name System (DNS) as a TXT record under the name <selector>._domainkey.<domain>. If the domain's DNS records are managed directly via LiveConfig, nothing else needs to be done at this point. If the domain's DNS is hosted on an external DNS server, you must create the corresponding TXT record there.
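How the public key turns into that TXT record, as an added example that is not LiveConfig's own code: it generates a 2048-bit RSA key, builds the v=DKIM1 record, splits it into the 255-octet strings a TXT record requires (a 2048-bit key never fits into one string, a common cause of "invalid key" errors at the verifier), and then checks a published record the way a receiving mail server would. The function names and error texts are assumptions for this example; the selector is whatever you configured in LiveConfig.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// dkimTXTRecord builds "v=DKIM1; k=rsa; p=<base64 DER SubjectPublicKeyInfo>": the p= value is
// the body of an "openssl rsa -pubout" PEM file without header, footer and line breaks.
func dkimTXTRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// splitTXT cuts the record into strings of at most 255 octets, the limit for one character-string in a TXT RR.
func splitTXT(record string) (parts []string) {
	for ; len(record) > 255; record = record[255:] {
		parts = append(parts, record[:255])
	}
	return append(parts, record)
}

// checkPublishedRecord joins the TXT strings as a verifier does and confirms the published key is the signing key.
func checkPublishedRecord(strs []string, signing *rsa.PublicKey) error {
	tags := map[string]string{}
	for _, kv := range strings.Split(strings.Join(strs, ""), ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			tags[strings.TrimSpace(p[0])] = strings.TrimSpace(p[1])
		}
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if tags["v"] != "DKIM1" || err != nil || len(der) == 0 { // an empty p= means "key revoked"
		return fmt.Errorf("record is not v=DKIM1 or its p= tag is empty or not base64")
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if rsaPub, ok := pub.(*rsa.PublicKey); err != nil || !ok || !rsaPub.Equal(signing) {
		return fmt.Errorf("published key is unparsable or does not match the signing key")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit RSA, as LiveConfig generates by default
	record := dkimTXTRecord(&key.PublicKey)
	// The quoted strings are what goes into the TXT record of <selector>._domainkey.<domain>.
	fmt.Printf("TXT strings: %q\ncheck: %v\n", splitTXT(record), checkPublishedRecord(splitTXT(record), &key.PublicKey))
}
```

To compare against what is actually published, feed the strings returned by `dig +short TXT <selector>._domainkey.<domain>` to checkPublishedRecord together with the public key from the LiveConfig domain settings.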

Frequently asked questions (FAQ)

Do I also have to set up DKIM for receiving emails?

No. If the spam filter is enabled for an e-mail address, it checks whether received e-mails carry a valid DKIM signature and takes the result into account when evaluating them. The DKIM setup described here only concerns sending, i.e. signing outgoing e-mails so that they are more likely to reach the recipient.

Do I have to use DKIM in order to be able to send to Google/Yahoo?

Not necessarily. Google only stipulates that incoming e-mails must be authenticated, and SPF may already be sufficient for that. However, the larger the volume of e-mails, the more stringent the checks are likely to be.

If an e-mail cannot be delivered due to insufficient authentication, you will always receive an error message (“Postmaster Notification” or “Bounce Message”) and can then take appropriate action.

Should I use both SPF and DKIM?

Difficult. From a purely technical point of view, the two procedures do not really complement each other, as they serve the same purpose. DKIM goes a little further than SPF: it uses cryptographic signatures over the message to ensure that the e-mail actually originates from the sender domain, regardless of which mail server delivered it. SPF is also broken by design, as normal e-mail forwarding no longer works with it. Combined with SRS (Sender Rewriting Scheme, a kludge to make forwarding work with SPF), this can even break the DKIM signatures and thus make things worse.

However, SPF is very easy to implement and "cheap" to check, so it is widely deployed.

To summarize: technically, SPF and DKIM together make no sense, but at least one of them should be set up, which in practice means that you should actually have both procedures in place.