
DomainKeys + DKIM Issue

rmmoore80

Guest
Is there a way to add a _domainkey subdomain in Plesk? It doesn't allow the underscore. I need this feature for my domains, or a workaround. I added it manually in the DNS, but this will be overwritten if Plesk ever reloads DNS with ITS data.

Is this planned or do we have a workaround for this?
 
I started testing DomainKeys and DKIM a few weeks ago, and I had to switch my DNS from BIND DNS to Microsoft DNS in the Plesk Components Management to be able to add the _domainkey.

Now, you CAN'T add the _domainkey through Plesk; you have to remote into the server and add it using the Microsoft DNS console.

----

Now, off your topic, are you using MailEnable?
I ask because I was able to get it to work but still have a problem with the way filtering works in MailEnable Enterprise.

http://forum.mailenable.com/viewtopic.php?t=14048
 
Yeah, I use Microsoft DNS. I was able to add them manually; however, emails sent from C#/ASP.NET CODE are not being tagged with the DKIM or DomainKey for some domains.

I use SmarterMail. I downloaded a filter (available on www.SmarterTools.com). So far it works for my initial domain, the second domain however I'm having issues with.
 
Yeah, I'm using a program called DKeyEvent that was developed to work with MailEnable... and so far it works fine; it signs and checks for signatures, no problem.

I hope MailEnable integrates DomainKeys and DKIM into the actual program in the near future.
 
That's the one I'm doing, except the SmarterMail version.

Does yours sign the emails if they come through as a relay? For example, one of my customers has a forum that sends notifications and other emails from PHP code, but none of those get signed.
 
Great.... I wonder why. Perhaps I will post this on a forum the developer of DKeyEvent reads.
 
I spoke to the developer and relayed emails should NOT be signed. Part of the "rules" of DKIM / DomainKeys is that the sender is authenticated. If the relay is using SMTP Authentication, then it will be signed.

As for my concerns, they are true. For whatever reason, Plesk will occasionally overwrite my custom DNS entries and ERASE the _domainkey stuff due to it not being in the Plesk database.

Any ideas?
 
Here is what I'm testing...
Open your DNS console, right-click the name of the server and create a new zone, select Primary zone, Forward lookup Zone; for the Zone name you are going to use
_domainkey.yourdomain.com. Finish the wizard, browse for the new zone and create the TXT records.

You'll notice that under the yourdomain.com zone you have a "grey out" folder _domainkey.

As I said... I'm testing it. So far I can run the following tests and pass, but I'm not sure if the zone will get deleted; I don't think it will.

http://domainkeys.sourceforge.net/policycheck.html
http://domainkeys.sourceforge.net/selectorcheck.html
 
It didn't stay, as soon as you add an entry through the control panel it deletes the "gray out" _domainkey folder inside the domain zone :(

I hope SWSoft allows us to enter _ in the DNS entries soon.
 
Shall we contact them? I don't recall if I have the support subscription or not.
 
I do not want to hijack this thread because I think you guys may be talking about something different than I am (Microsoft DNS & stuff...) But I did find a "HOW TO" and an Endorsement for qmail and DomainKeys.

Does this help/apply at all?
 
I don't have a support subscription, I pay the $75 per incident when I need them, once or twice a year...

Brainwrek, thanks for the input... we integrated the Domainkey with the mail system, now we are trying to figure out how to make the DNS entries stay.
 
Hmm, my primary domain works but the others come as authentication failed when I test them.

Do your other domains work ?
 
Yes, I'm testing with two domains, and they are both signing. Did you create/add the second domain in DKeyEvent?
 
Yes, I did. Does it matter that my SMTP always reports mail.primarydomain.com? It never reports the sending domain that I can tell.

I'll redo the DKeyEvent for that particular domain.
 
I don't think so, my SMTP always announces mail.primarydomain.com.

Now here is how I configured my clients' DNS, and I'm not sure it has something to do with your signing issue.


- clientdomain.com > MX > mail.primarydomain.com
- mail.clientdomain.com > A > xx.xx.xx.xx (the IP address of mail.primarydomain.com)


That way they can use mail.clientdomain.com to configure their clients (Outlook, etc.) but the MX record is actually my domain mail.primarydomain.com

Another good thing about it is that you don't have to ask your ISP to create PTR records for each of your domains' MX. You only need one for mail.primarydomain.com
 
Interesting development...

If I send an email from the SmarterMail WebMail from my SECOND domain, it authenticates correctly. However, if I use PHPNuke to send SMTP Authenticated email to the SAME email address it comes up as fail, bad sig (according to Yahoo Mail Server).

Both are using SMTP authentication... strange eh? I'm trying to analyze the headers from a PASS (sent from WebMail) and FAIL (sent via SMTP authentication relay). The ONLY difference I see in the DomainKey-Signature section is the pass one says:

h=Received:

while the failed says:
h=Return-Path:
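
An added example (not part of the original thread, and not code from DKeyEvent or SmarterMail): a small Python parser that compares two DomainKey-Signature headers, listing which signed headers in `h=` differ and which `selector._domainkey.domain` TXT record each one points at. Both header values, the selector `mail` and the domain `seconddomain.example` are constructed samples.

```python
import re

# Constructed sample values; only the leading h= entries mirror the thread.
PASS_SIG = ("a=rsa-sha1; q=dns; c=nofws; s=mail; d=seconddomain.example;\r\n"
            "\th=Received:From:To:Subject:Date:Message-ID;\r\n"
            "\tb=Q09OU1RSVUNURUQ=")
FAIL_SIG = ("a=rsa-sha1; q=dns; c=nofws; s=mail; d=seconddomain.example;\r\n"
            "\th=Return-Path:Received:From:To:Subject:Date:Message-ID;\r\n"
            "\tb=Q09OU1RSVUNURUQ=")

def parse_signature(value):
    """Unfold a DomainKey-Signature value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            # Split on the first "=" only: base64 in b= may end with "=".
            name, _, val = part.partition("=")
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    """DNS name of the TXT record that holds the public key for this signature."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_headers(tags):
    """Header names listed in h=, lower-cased, in signing order."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def compare(pass_value, fail_value):
    """Summarise how a failing signature differs from a passing one."""
    p, f = parse_signature(pass_value), parse_signature(fail_value)
    ph, fh = signed_headers(p), signed_headers(f)
    return {
        "pass_key": key_record_name(p),
        "fail_key": key_record_name(f),
        "same_key": key_record_name(p) == key_record_name(f),
        "only_in_fail": [h for h in fh if h not in ph],
        "only_in_pass": [h for h in ph if h not in fh],
    }

if __name__ == "__main__":
    for field, value in compare(PASS_SIG, FAIL_SIG).items():
        print(f"{field}: {value}")
```

Headers that appear only in the failing list are the first place to look, since a signed header that is added or rewritten after signing no longer matches what was signed.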
 
Can you post the headers of the pass and fail emails?

Is the PHP script adding anything to the header?

Do you have any filters? Are you running DKeyEvent before or after the filters?
 