7242: DKIM signing issues
Problem reported by Neal Culiner - 11/27/2019 at 7:07 AM
Not A Problem
SM 7242 Enterprise: If I send an email from the web UI to my gmail it dkim signs and passes. If I have a web application such as a PHP web site that sends through SMTP with TLS and SMTP AUTH those messages are not getting DKIM signed. Why not? How can a web application ensure reliable email transport and utilize DKIM?

8 Replies

0
Neal Culiner Replied
I'm not sure if it matters but this may be the issue. The PHP web site is using a domain such as foo.com for emails which is hosted on Exchange server. I'm relaying through foo.net for the email sending from this site. foo.com allows foo.net as a sender in the SPF, etc. Maybe I'll try adding the same domainKey record in the foo.com DNS and see if that helps.
0
Neal Culiner Replied
I added a foo.com domain and enabled DKIM signing and I am still not seeing DKIM signing when the PHP site sends through this mail server. When it sends through Exchange it is getting DKIM signed. 
0
Neal Culiner Replied
I enabled DKIM, was given the record to add to DNS and proceeded. Tests failed. I went back to the domain and I had to again enable DKIM and now it persisted. DKIM is now passing. Terrible UI!
0
Matt Petty Replied
Employee Post
Hello,

Is there anything interesting in the SMTP logs for that session? You mentioned the PHP site is doing an SMTP AUTH. Do you see this same behavior of no DKIM signing when using an SMTP/IMAP client like eM Client or Thunderbird?

I ran a test through smartertools.com to gmail.com and I see DKIM signing. However, you mentioned there is more to your setup than what I may have tested. Maybe try those 2 things, a client and checking the SMTP logs. If we don't see anything there maybe I can get System Admin credentials to check out your system, may open a ticket or go through DMs on the community.


EDIT: Scratch all that, I got jinxed. Good to hear it works for you, maybe we can try setting up a new DKIM site to see if the flow is broken there. Thanks for reporting it.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
Also if you have any suggestions or tips on how we can streamline that process better that would be nice. While we are frying some larger bugs and issues right now, we'd take some feedback regarding UI and can take them into consideration.
0
Neal Culiner Replied
The issue I had was I clicked the option to enable DKIM and got the DNS info but either I was allowed to leave the screen without clicking a required save or it did not remain enabled. I came back and had to enable it again. Also, I think in v15 there was a test button, that seems to be gone to validate the DNS record.

What I wanted to do in the end is not working. I use Exchange as my primary mail server now but leave SmarterMail as backup and for other reasons such as Exchange seems to be much more strict in sending emails, i.e. you can't send an email using an SMTP auth of john@foo.com when the sender is jane@foo.com which is actually a nice security feature. But due to the fact Exchange is using a multi-domain SSL cert and my help desk site using PHP 5.6 doesn't work with that type of cert for secure SMTP auth. So I have to use SmarterMail with a single domain let's call it foo.net used only for sending these messages that Exchange won't send as well.

So what I want to do, if possible, is have emails from john@foo.com be DKIM signed when being relayed through foo.net. I don't know if this is possible. The DKIM signing is all happening against the foo.net domain and DNS info so the message is not being DKIM signed. I worked around this by adding foo.com to the SmarterMail server and that worked for DKIM signing as the domain matched, however, that domain was trying to validate email such as no such user as john@foo.com so that failed.

Long story longer, is it possible in a relay situation to DKIM sign for another domain being sent by the server? So again I want the message going to john@foo.com being sent by foo.net with SMTP auth to allow the sending? I'm not sure if you'd have to override the DKIM signing system to sign the other domain in this scenario so you'd have to register multiple DKIM keys in foo.net such as allowing it to sign foo.com messages.
0
Matt Petty Replied
Employee Post
I think foo.com would need its own entry in SM with its own DNS+key. I did some quick googling and I don't believe there is a way of allowing multiple domains to share the key like SPF would do since each domain root has its own key. However, if you do set up foo.com and foo.net I think SM should be able to accommodate that scenario. Do you have many domains? Would this be a painful procedure? I would say SM could attempt to do this automatically but I know the DNS part is a manual process. The only way of automating DKIM I've thought of was using Cloudflare's DNS API and having SM create its own entries.
0
Neal Culiner Replied
Thanks @Matt and that is what I did and once I set up foo.com DKIM signing worked. The problem is if a site such as www.foo.com uses foo.net to relay email to neal@foo.com the foo.com emails never get to Exchange but instead stop at SM because it tries to deliver to the foo.com domain and will return no such user. I'd love to use SM as a relay with secure SMTP AUTH but the problem with adding the DKIM signing domain ends up being mail delivery through SM to the Exchange server that has the real foo.com and its users.

My lyris listmanager (mail blast software) has a system where you can add domains and DKIM signing for the sending domain. The paradigm here for SM is that you would add DKIM signing domains without adding domains to SM. This way if foo.net is a relay for foo.com it can sign foo.com messages without having a domain setup but only a signing configuration for a domain it relays for.
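
An added example, not part of the original thread or of SmarterMail: a receiver fetches the DKIM public key from `<s=>._domainkey.<d=>`, and DMARC compares `d=` with the From domain, which is why foo.com needs its own key and DNS record even when foo.net relays the mail. The sample message, the selector `sm1` and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail from john@foo.com relayed through foo.net and signed
# with the relay's own domain. Selector "sm1" and bh=/b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foo.net;\r\n"
    "\ts=sm1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: John <john@foo.com>\r\n"
    "To: someone@gmail.com\r\n"
    "Subject: help desk ticket\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels; a real check needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_report(raw):
    """Per DKIM-Signature: the DNS name of the key and alignment with From."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "d": d,
            "key_query": f"{s}._domainkey.{d}",  # TXT record with the public key
            "strict_aligned": d == from_dom,
            "relaxed_aligned": org_domain(d) == org_domain(from_dom),
        })
    return from_dom, report
```

A signature with `d=foo.net` can still verify on its own, but it is not aligned with a foo.com From address; only a signature with `d=foo.com`, backed by a key published under foo.com, is.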
