Welcome to the mailbox.org user forum!
 

DKIM and DMARC for a personal domain

2134711 shared this question 3 years ago
Answered

Hi everyone,


I successfully configured my personal domain, with SPF working correctly.

I checked with mail-tester.com and it gives a high score, so it will probably never end up in the spam folder.

But I've also tried sending to a Gmail address and, unfortunately, it ends up in the spam folder.


Then I found the DKIM and DMARC debate and other users talking in this forum.

There's also a video of Peer Heinlein explaining this https://www.heinlein-support.de/sites/default/files/SPF_DKIM_Greylisting_CLT-2011.mp4

But German is not my native language, so even when translating something I can't understand everything.

Finally, I found some info about DKIM in the knowledge base, and it says it is only available for business users.

Is it not possible to get DKIM and DMARC with a personal domain? I'm a freelancer anyway; I don't own a business.

Best Answer

I'm happy to say that the mailbox.org team added DKIM and DMARC support.

All the info is in the knowledge base. You can check it here: https://kb.mailbox.org/display/MBOKBEN/Using+e-mail+addresses+of+your+domain

There's a detailed explanation of how to add DKIM with your domain.

Hope that is helpful.

Replies (7)

2

The blog post released a week or so ago mentioned DKIM will be coming to non-business custom domain owners in the upcoming weeks. Check out the blog for more details. I believe the blog date was 11/14 or 11/15

1

Thanks for your reply!

I didn't read the last blog post till the end. Yes, it says in a few weeks. So we have to wait for more info.

1

I second this issue about DKIM signature.


As my email is reported by https://haveibeenpwned.com and my laptop was hacked a year ago, I have become very concerned about security. This is why I chose to register mailbox.org and delegate my MX.


So please choose to sign DKIM in strict mode, otherwise it has no or little effect.

1

I received DMARC reports from dmarcian indicating that someone is using my domain to send emails. So I added this issue in support #732 asking for DKIM for my domain. If you could help, this would be nice.

1

I've done a little bit of research on DKIM, SPF and DMARC and found that the best solution for me is to generate the keys by yourself.


First, install openssl on your machine. It's available for every GNU/Linux distro and Windows I think.


In a terminal, enter these commands:

  1. openssl genrsa -out private.key 1024
  2. openssl rsa -in private.key -pubout -out public.key

If you want a 2048-bit key, replace "1024" with "2048".


With a TXT record you have to add:

dkim._domainkey as the host name (replace "dkim" with anything you want, e.g. "default", "key1", etc.).

In the value part: v=DKIM1; k=rsa; p=your/generated/key


SPF is easy and is documented in the support section of the mailbox.org site; just add in a TXT record:

  • v=spf1 include:mailbox.org and leave the host empty.


DMARC is just a string; you don't have to generate anything. Again, in a TXT record put:

  • _dmarc in the host part
  • v=DMARC1; p=none; rua=mailto:youraddress@yourdomain.TLD

(You can create an alias just for DMARC, like reports-dmarc@yourdomain.TLD)


Hope this helps you.
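
An added example, not part of the post above: the p= value is the base64 body of public.key with the PEM header, footer and line breaks removed, and a single TXT string holds at most 255 bytes, so a 2048-bit key has to be split into two strings. The function names, the selector and example.org are assumptions, and the keys are constructed stand-ins of realistic size.

```python
import base64
import re

PREFIX = "v=DKIM1; k=rsa; p="

def dkim_txt_value(public_pem: str) -> str:
    """Turn the contents of public.key into the value of the DKIM TXT record."""
    if "PRIVATE KEY" in public_pem:
        # private.key stays on the signing server and never goes into DNS.
        raise ValueError("this is a private key; publish public.key only")
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", public_pem)
    b64 = "".join(body.split())            # drop the PEM line breaks
    base64.b64decode(b64, validate=True)   # raises if anything but base64 is left
    return PREFIX + b64

def txt_strings(value: str, limit: int = 255) -> list[str]:
    """One TXT character-string holds at most 255 bytes; longer values are split."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_line(selector: str, domain: str, value: str) -> str:
    """Render the record in zone-file syntax, one quoted string per chunk."""
    quoted = " ".join(f'"{s}"' for s in txt_strings(value))
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"

def constructed_pem(der_len: int) -> str:
    """Constructed stand-in with the size of a real key (162 bytes of DER for
    RSA-1024, 294 for RSA-2048). It is NOT a usable key."""
    der = bytes(i % 256 for i in range(der_len))
    return ("-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode()
            + "-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    for bits, der_len in ((1024, 162), (2048, 294)):
        value = dkim_txt_value(constructed_pem(der_len))
        print(bits, len(value), "bytes ->", len(txt_strings(value)), "TXT string(s)")
    print(zone_line("dkim", "example.org", dkim_txt_value(constructed_pem(162))))
```
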

1

Do you put the public or private key in the TXT record? Where do you place the other key?

1

Public key in the TXT record.

Keys should be located here I think: /etc/opendkim/keys.

But it's not working in our scenario, because we don't have backend access to mailbox.org servers.

So, the previous post was wrong, unless you have your own server or a cloud VPS and are running Postfix, Dovecot etc. by yourself.


1

WordPress and some registrars only allow up to 1024-bit keys for DKIM (no splitting). It would be great if you could also provide this.

3

DKIM isn't truly supported for custom domains. Sure, we can set the shared mailbox.org public key in our DNS, but you'd be signing all emails from all of your customers using the same private key. Meaning that any of us can impersonate anyone else's domain.


I keep getting mail rejected because you've got some spammers using your service. The DKIM would normally help with this, but because the spammers have the same DKIM as everyone else, it's basically useless. I'm moving to a different service provider over this.

1

I also see shared keys as a problem. But to be fair, DMARC will also pass with just SPF alignment (you only need SPF or DKIM alignment), so if the mailbox.org SMTP doesn’t reject impersonated mails, even without a valid DKIM signature the SPF would be aligned.
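
How a receiver combines the two checks, as an added example that is not part of the post above: DMARC passes when either SPF or DKIM passes and its domain is aligned with the From: domain, in relaxed (r) or strict (s) mode. The function names, the domains and the two-label organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels. Real
    receivers consult the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match. mode 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc(from_domain, spf_pass, mail_from_domain, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature verified) pairs.
    DMARC passes when SPF *or* DKIM passes and is aligned with the From: domain."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_sigs)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "result": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed messages, all with From: user@example.org
CASES = {
    # SPF passes and is aligned, no DKIM signature at all
    "spf_only": dmarc("example.org", True, "example.org", []),
    # SPF broken (e.g. by forwarding), signature with d=example.org verifies
    "forwarded": dmarc("example.org", False, "example.org", [("example.org", True)]),
    # Valid signature, but d= names the provider, not the From: domain
    "provider_sig": dmarc("example.org", False, "example.org",
                          [("provider.example", True)]),
    # Signature from a subdomain: fails strict alignment, passes relaxed
    "strict_sub": dmarc("example.org", False, "example.org",
                        [("mail.example.org", True)], adkim="s"),
    "relaxed_sub": dmarc("example.org", False, "example.org",
                         [("mail.example.org", True)]),
}

if __name__ == "__main__":
    for name, outcome in CASES.items():
        print(f"{name:13} {outcome}")
```
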

1

Same here, missed so many responses because my replies are going into other people's spam. This is unacceptable. Is there any temporary solution until dedicated keys per domain are supported?

1

There's no problem in sharing keys. Even if multiple domains share the same key, nobody will notice or know that it is the same key. For every single mail, the recipient's system will fetch the key from that domain and check if the signature is valid. If any other domain all over the world has the same key, it doesn't matter.

Some time ago we also discussed that with several DKIM experts; we can't see that there is a system that would track only the public keys without the combination of key+domain.

For that reason, we cannot see any problem here.

(If, in the meanwhile, there is a system that tracks (only) the key as identifier, I'd be interested to know. In this case, we should and will change our system.)
