Back to Community Threads
1
DomainKeys vs. DKIM
Question asked by Marc Funaro - 2/24/2016 at 10:18 AM
Unanswered
Following Bruce's prior instructions, ages ago i configured both DomainKeys and DKIM in smartermail and in DNS, for every site we host.
 
We're adding some sites to CloudFlare, which requires that we move the DNS zone there.  My understanding is that DomainKeys is actually DEPRECATED at this point, superceded by DKIM, and therefore I don't need DNS records for it.  The question is, which records do I keep and which do I remove?  And should i turn off DomainKeys signing in SmarterMail?

4 Replies

Reply to Thread
0
Bruce Barnes Replied
2/24/2016 at 11:09 AM
Just turn off the DomainKey signing in SmarterMail.
 
In SmarterMail 2015.X BETA, this is removed completely, and also removed from all domains.
 
You will still need all of the DomainKey DNS records - still named as DomainKey, and not as DKIM.
 
Here's an example of the DomainKey records, in Microsoft DNS:
DKIM records as DomainKey entries in DNS
DKIM entries as DomainKey entries in Microsoft's DNS
 
Note the PREPEND of k=rsa; to the 2048 bit public key for the domain shown.
 
 
So, the three records are actually:
 
secure._domainkey.chicagonettech.com
secure being the name of my key, as generated in SmarterMail
 
secure._domainkey.chicagonettech.com
secure._domainkey.chicagonettech.com
note the LEADING UNDERSCORE at the beginning of  _domainkey
 
_adsp._domainkey.chicagonettech.com - declaring the encryption of the key
 
_adsp._domainkey.chicagonettech.com
_adsp._domainkey.chicagonettech.com
 
note the LEADING UNDERSCORES at the beginning of _adsp and _domainkey
 
and _domainkey.chicagonettech.com, with the o=~ declaring that ALL outgoing messages must be signed.
 
_domainkey.chicagonettech.com
_domainkey.chicagonettech.com
note the LEADING UNDERSCORE at the beginning of  _domainkey
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Marc Funaro Replied
2/25/2016 at 8:32 AM
Bruce, i just can't thank you enough for all your help over the years. I truly appreciate all that you do!!

My DNS entries look exactly like yours with regards to naming, etc., and has been working great for many many many months.

I'm a little unsure of how to enter these in the CloudFlare DNS, for some of the sites we want to CDN (ever done this before?).

I bet you're looking forward to the new XML for the spam filters configuration in smartermail... should make your ongoing work of distributing updated filter settings to the world a little easier, eh? =)
0
Marc Funaro Replied
2/25/2016 at 8:47 AM
also, i have nearly 100 MS DNS zones, all of which don't have the prepended k=rsa flag. How essential is it at the moment? I'm not getting any complaints of delivery problems (Time Warner sometimes goes ape for some reason and won't let us send to their customers, been impossible to get it resolved even though as far as I know our reputation is fine, but otherwise...) and I will eventually add that prefix to all the zones but just don't have time at the moment.
0
Marc Funaro Replied
3/1/2016 at 4:28 AM
:: bump ::
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Messages to Yahoo! Emails are Temporarily DeferredSmarterMail > Troubleshooting
Messages from Trusted Senders are going to my Junk folderSmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
SmarterMail and Network Address Translation (NAT)SmarterMail > Troubleshooting