By: richardp

How can I get my DKIM identified?

January 19, 2017
Email DNS Ubuntu 16.04

I'm struggling to prevent my emails from vanishing or ending up in the email spam folder, and it looks like it is my DKIM record that is not identified correctly, so is there anyone who knows how to set up the DNS records correctly for this?

I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy.

I'm using an Ubuntu 16.04 droplet with WordPress and Postfix, and all email is hosted at Office 365, except a few emails which are posted via a web form on the website, and that's where this issue comes into the picture.

This is my authentication report:

==========================================================
Summary of Results
==========================================================
SPF check:          softfail
DomainKeys check:   neutral
DKIM check:         neutral
SpamAssassin check: ham

This is my SPF record:

TXT 
example.com
v=spf1 +a +ip4:1.1.1.1 ~all
3600

This is my DKIM record:

TXT
mail._domainkey.example.com
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB"
3600

In my mail tester feedback I got the following result:

[SPF] Your server 1.1.1.1 is authorized to use www-data@example.com
[Sender ID] Your server 1.1.1.1 is authorized to use inquiry@example.com
Your message is not signed with DKIM
You do not have a DMARC record
Your server 1.1.1.1 is successfully associated with example.com

Please note that it's only emails from a web form on the website that end up in a spam folder, and all emails sent via the website use Postfix and a PHP mail() function.

I'm not sure I can set an MX record, because last time I tried, Office 365 stopped working, so any other advice on how to correct this is appreciated.
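The mail tester line "Your message is not signed with DKIM" describes a message with no signature header, which is a different failure from a malformed DNS record. The check below is an added example, not part of the original post, that tells the two cases apart for a raw message. The function names, sample messages and placeholder key value are constructed for illustration.

```python
import base64
from email import message_from_string

def parse_tags(value):
    """Split a DKIM tag list ('v=1; d=example.com') into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_dkim(raw_message, published):
    """Return findings for one message; `published` maps DNS names to TXT values."""
    sigs = message_from_string(raw_message).get_all("DKIM-Signature", [])
    if not sigs:
        return ["message has no DKIM-Signature header, so nothing was signed"]
    findings = []
    for sig in sigs:
        tags = parse_tags(sig)
        # The verifier looks the key up at <selector>._domainkey.<domain>.
        name = f"{tags.get('s', '')}._domainkey.{tags.get('d', '')}"
        record = published.get(name)
        if record is None:
            findings.append(f"no TXT record published at {name}")
            continue
        key = parse_tags(record.strip('"'))
        if key.get("v", "DKIM1") != "DKIM1":
            findings.append(f"{name}: unexpected version {key['v']}")
        if not key.get("p"):
            findings.append(f"{name}: empty p= (key revoked or value truncated)")
            continue
        try:
            base64.b64decode(key["p"], validate=True)
        except ValueError:
            findings.append(f"{name}: p= is not valid base64")
    return findings or ["signature present and selector record is well-formed"]

# Constructed samples: a web-form mail as PHP mail() would hand it over, and
# the same mail after a signer added a header (b=/bh=/p= are placeholders).
UNSIGNED = "From: www-data@example.com\nSubject: Web form\n\nHello\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;\n"
          " h=from:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n" + UNSIGNED)
PUBLISHED = {"mail._domainkey.example.com": '"v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQ="'}

if __name__ == "__main__":
    for label, msg in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_dkim(msg, PUBLISHED))
```

This only checks structure: it does not verify the signature cryptographically or query DNS.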

4 Answers

@richardp

When it comes to PHP, the mail() function relies on sendmail (handled by Postfix), though setting up proper validation for SPF, DKIM, and DMARC is a little more in-depth to the point where you would be managing your own mail server. The issue there is that, as noted in your OP, you're using Office 365 and setting up your own mail server and MX would require replacing your Office 365 MX with that of your mail server; they both can't easily co-exist.

When it comes to setting up a working mail server, you need a valid PTR (Reverse DNS) record, which is easily handled as DigitalOcean takes care of that for you so long as you name your Droplet exactly the same as your hostname.

By the above, I mean that your Droplet name should be a fully qualified hostname, i.e:

mail.yourdomain.com

and then you need to set your hostname to match (from the CLI):

hostname mail.yourdomain.com

Once the above is set, you can check your PTR records by logging in to the DigitalOcean CP, visiting the Networking section (link in the header navigation), and then clicking on PTR Records. You'll see an IP next to each Droplet name.

Once that's done, you shouldn't have to worry about your PTR, but it's worth noting as without valid PTR records, your mail will most likely still land in the spam box even after you've set up SPF, DKIM, and DMARC.

That being said, once you've got a valid PTR Record, you'll now need to configure Postfix and install all bits and pieces required to get SPF, DKIM, and DMARC working. But, if you're not going to use the Droplet as a fully functional mail server, it's honestly not worth the hassle or investment.

What I would recommend is instead using a service such as Mailgun or SendGrid and using their API to send mail. This relieves you of having to worry about server-side configurations, IP blacklists, etc.

You can use PHP libraries such as phpMailer or SwiftMailer to integrate with the above services pretty easily, and these services will definitely make life easier (i.e. more time programming, less time worrying about proper setup, security, and other aspects of running a mail server).

Mail Services

http://mailgun.com

http://sendgrid.com

PHP Mail Libraries

https://github.com/PHPMailer/PHPMailer

http://swiftmailer.org

How To Setup DKIM, DMARC, and SPF

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
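An added example, not part of the original thread: a minimal evaluator for the SPF record quoted in the question, showing which sending addresses it authorizes and which fall through to `~all` and so get a softfail. It handles only the `ip4`/`ip6`, bare `a` and `all` mechanisms; the function name, the `a_records` parameter and the test addresses are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip, a_records):
    """Evaluate an SPF record for one connecting IP address.

    a_records: addresses the domain's A/AAAA records resolve to, supplied by
    the caller so the example runs offline (hypothetical parameter).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a" and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in a_records)
        elif mech == "all":
            matched = True
        else:
            continue                         # include, mx, exists: out of scope
        if matched:                          # first matching mechanism wins
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no 'all'

RECORD = "v=spf1 +a +ip4:1.1.1.1 ~all"       # the record from the question

if __name__ == "__main__":
    # 1.1.1.1 is the placeholder address used in the question; the other
    # addresses are constructed documentation-range values.
    for ip in ("1.1.1.1", "203.0.113.7", "2001:db8::25"):
        print(ip, spf_result(RECORD, ip, ["1.1.1.1"]))
```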

Thanks for a great answer - it's a real headache.

I'm not familiar with anything mentioned above, but the PHPMailer or Swiftmailer looks promising, so do you happen to know if there's any tutorial on how to install any of those libraries on my DigitalOcean droplet?

Is there a requirement to signup for a third-party service to make this work, or can I simply use predefined Office 365 email with credentials to send all emails, or how will it work with my Office 365 hosting?

I tried to follow this tutorial https://gordan.jandreoski.me/how-to-configure-postfix-relay-to-office365-on-ubuntu-14-04/, but that failed miserably, so will the above setup be similar?

Cheers

@richardp

It can be a bit of a headache, though thankfully there are solutions that allow you to work around the need to have and manage your own mail server.

The libraries I linked to are standard PHP libraries, so they don't need to be physically installed. If you already have PHP working on your Droplet, you'd need to ensure that you're using an autoloader to handle loading the class files when they are called -- either your own, or use Composer.

That being said, since you're using WordPress, you do have a slightly better option, and that would be to use a plugin. The one I'd recommend installing and using would be WP Mail SMTP:

https://wordpress.org/plugins/wp-mail-smtp/

When configuring the plugin, choose SMTP (not PHP's mail()) function and then provide your SMTP details. As long as your Office 365 plan allows you to connect from an external server using your login details, you would simply provide those details to the plugin.

If Office 365 does not work, then you would need to sign up for one of the services I mentioned. For the purpose of this plugin, I'd probably go with SendGrid.

  • @richardp

    RE: Setup

    Setting up with a service like SendGrid takes about as long as creating and setting up an Office 365 account. You won't be making any changes on your server when using a service like theirs, so there's no configuring Postfix to do anything.

    You'd simply follow the guides that they provide you with, which are pretty straightforward, and in very little time, you should have a working account with them. I think they allow 10,000 free e-mails per month.

I've just installed and tried the https://wordpress.org/plugins/wp-mail-smtp/ plugin, but it was never used for sending the email, and I'm not sure what change to make, for it to work either.

I, however, noticed that the password for this SMTP service in this plugin was written in clear and readable text in the database, so I'm not sure if this plugin is that secure to install :)

Well, I'll dig a bit more...

  • @richardp

    Unfortunately, a lot of WordPress plugin authors store data to the database, such as usernames and passwords, in plain text. When I used WordPress, I ran into that quite a bit myself and it was always an issue for me as well, so I completely understand the concern.

    I think the biggest issue has been that, prior to PHP 7.x being released, many authors were not too keen on writing their own encryption (and they really shouldn't) or including libraries they didn't control, so plain text was always the chosen method for storage.

    I'm hoping once more and more jump to PHP 7.x, the amount of plain text storage will drop and more authors will use more secure means of storing sensitive data.
