Stuff I'm Up To

Technical Ramblings

Windows DKIM DNS Entry — November 24, 2016


Windows always gives me a bit of grief when trying anything a little out of the ordinary. I always find doing the same thing on Linux way simpler. This time it was relating to a DNS TXT entry for DKIM that is longer than 255 characters.

As we have a split DNS system, our external DNS entries need to be manually mirrored internally. This is because the DNS reply is often different if you’re on an internal network than if you’re on an external one.

The 255 character limit was no problem for the external system. It parsed the string and split it into the required elements automatically. Internally you MUST split it yourself and enter it into the Windows DNS server as separate lines, delimited with a carriage return.

Using DIG I could see the response from outside being returned correctly. But from inside it took me a few attempts to get Windows to leave it alone and make the entry the same.


DKIM Signature Testing —


After setting up a DKIM DNS entry and then sending email we were seeing one of our authorised 3rd parties failing to pass the DKIM checks. The DNS record looked OK but the mail systems like Google and Yahoo were saying it was failing. So how do I go about testing a message I received so I can see for myself what’s going on?

Looks like the answer is to use a Perl module, “Mail::DKIM::Verifier”.


DMARC, SPF and DKIM — November 11, 2016


For several years now we’ve run a fairly tight ship on our email server. It consumes an awful lot of resources, mainly because of how many businesses out there fail to configure their email server correctly. By far the biggest failing is not using the proper HELO/EHLO name and not having a reverse DNS (RDNS/PTR) record that matches.

So please, if you’re an email admin, get it sorted. This is an internet standard from way back in the 1980s and beyond!

Adding to our anti-spam systems using DKIM and SPF we’ve brought in DMARC to enforce compliance with these standards. So in future we’ll be telling recipients to reject mail claiming to be from our domain that fails to meet the SPF and DKIM checks.


Set up Government Email Services Securely — October 25, 2016
Exim4, DKIM & Smarthost — October 13, 2016
Exim4 & DKIM — October 8, 2016


Where possible I try to get mail systems set up so that they can be verified as true senders by the recipient by using SPF and DKIM. Seems a shame that few mail systems actually seem to do this as it would trim a lot of spam from the net.

Having moved to another server I needed to move the mail sender with it. This particular system only needs to send email out as there is another system that receives mail for this domain. So all I need to do is install an SMTP service and make sure it signs its messages with the same private key as I previously used, so it matches the public key that is published in DNS.

Previously the system used Postfix and OpenDKIM, but as this needs to be a barebones simple system I figured I’d stick with Debian’s default mailer Exim4. Turns out this was a good choice as it has DKIM built in.
