Posts for Tag: dkim

The Entrepreneur's Guide To Email Deliverability, Part 2

Note: this is the second post in a series on email delivery.

So you’ve just set up your own email server and you’re ready to send your first message. You type in your address, click “Send,” and wait. And wait. Chances are, the message will end up in your spam folder, if it shows up at all.

There are a few existing proto­cols that will greatly improve your chances of getting into the inbox. They are, in increasing order of complexity:

  • Reverse DNS
  • SPF / Sender ID
  • DomainKeys / DKIM

Reverse DNS

The easiest way you can improve your deliv­er­ability is to make sure that a reverse DNS lookup on your mail server returns the server’s hostname. Usually you have to ask your ISP to set this up.

Let’s look at a Digg mailserver for an example. From a UNIX prompt, you can type dig mail.digg.comto get this result (or something like it):

mail.digg.com. 1139 IN A 64.191.203.36

Now, if you check the reverse DNS record for that IP address with dig -x 209.191.118.103, you’ll see that the reverse DNS matches up:

36.203.191.64.in-addr.arpa. 3572 IN PTR mail.digg.com.

Reverse DNS is required for good deliv­ery. Without it, ISPs may reject the message. Hotmail might accept the mail but not deliver it (it just vanish­es), or just throw your mail into the spam folder.

SPF / Sender ID

Sender Policy Framework is a simple protocol for speci­fying which servers are allowed to send mail for a partic­ular domain. All you have to do is set up a TXT DNS record according to a simple format.

Let’s look at Reddit as an example. A quick dig reddit.com txt will pull up their TXT:

reddit.com. 212 IN TXT "v=spf1 mx ip4:208.96.53.70 mx:mail.reddit.com ~all"

Tearing the SPF record apart, we get:

  • v=spf1 identi­fies an SPF specification
  • mx allows the mail servers for reddit.com to send mail (those listed in its MX records)
  • ip4:208.96.53.70 autho­rizes a single IP to send mail
  • mx:mail.reddit.com allows any MX servers for mail.red­dit.com to send mail as well
  • ~all speci­fies that any machi­nes/ad­dresses NOT listed here are not autho­rized to send mail. The~ indicates a “tran­si­tional mode” – once you’re done testing your record, use a dash (-all).

The specification is here, and this tool will help you set up your own record. If you’re sending invites or user-generated mail, check out this OpenSPF best practices page for infor­ma­tion on how to make your invita­tion show up as “From:” a partic­ular user, but ensure that any bounces come back to your mailserver.

A quick note on terminology: Microsoft has a technology that they call Sender ID, which performs the same function as Sender ID but with a slightly different format. For most practical purposes, a valid SPF record is a valid Sender ID record, and when a Microsoft service talks about Sender ID, just read it as SPF. For the curious, the Wikipedia article on Sender ID has more details.

DomainKeys and DKIM

Both DomainKeys and DKIM (DomainKeys Identi­fied Mail) are DNS-based proto­cols for email authen­ti­ca­tion using a public key speci­fied in your DNS record. Before sending a message, your mailserver “sign­s” the email and puts the result in a header on the message. Any recip­ient can verify that the message origi­nated from your servers by checking the public key against the signature header.

DomainKeys is an older standard created by Yahoo!, which is now being replaced by the DKIM standard. Because they are different standards, and different ISPs only support one or the other, you’ll need to set up both DomainKeys and DKIM signing.

Yahoo! and GMail both give a valid signa­ture high impor­tance in deter­mining whether or not a message is spam, and usually tell the user that a message is authen­ti­cated. For example, GMail shows a “signed-by” field:

Let’s take a peek at a record in the wild. Twitter’s DKIM public key can be found by runningdig default._domainkey.twitter.com txt, which returns:

default._domainkey.twitter.com. 600 IN TXT "g=\;" "k=rsa\;" "t=y\;" "p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN+FNJESkUBl+vuJDPsL3RSgYI9Qzlq43+l7Q72pRZRDprrhZTXIi7NdSqy+f9hn" "pet1pKMYMYnCxgmaS3qhUXMCAwEAAQ=="

The longest section of this record is the key itself, after the p=Some registrars don’t let you store TXT records this long, and if you get an error setting up your public key, you might have to switch to a new DNS provider. You can learn about the other fields from the DKIM Spec.

If you’re using Postfix, DKIMProxy does both DomainKeys and DKIM well, and there are decent step-by-step instruc­tions its homepage. You can also check out the SourceForge DomainKeys page to find software for different MTAs as well as testing tools.

Next steps…

Reverse DNS, SPF, and DKIM should definitely help your deliv­er­ability rates – if you weren’t getting through at all, you should at least be hitting the Spam folder now. However, there’s more work ahead. Most ISPs have programs that help senders improve deliv­er­abil­ity, and I’ll talk about them in my next post.