In my last two posts on outsourcing your email, I explained how to set up your SPF records if you are outsourcing your advertising email, and how to set up your SenderID records if you are outsourcing it.
Next up is how to set up your DomainKeys Identified Mail, or DKIM, records if you are outsourcing your email.
First of all, why DKIM? I am going to assume you have a basic familiarity with DKIM; if not, it is defined in RFC 6376 or at DKIM.org. But to summarize it, DKIM is a way of cryptographically signing a message so that whoever receives it can verify both that it came from the sender it claims to come from, and that the message content has not been modified in transit.
[This is not exactly how DKIM works. Technically, DKIM allows the receiver to validate that the signing domain sent (or is responsible for) the message. The sender (the domain in the From: address) is frequently, but not always, the signing domain. Second, DKIM doesn’t strictly guarantee that the message has not been modified in transit, only that the parts of the message that were signed have not been modified in transit. Usually, all of the important parts have been signed and that’s what a receiver cares about, but not always.
But receivers frequently approximate it as verifying that the email really did come from the sender and it hasn’t been tampered with.]
How it works (the short version)
DKIM uses public-key cryptography to sign a message from a particular domain (e.g., “from” example.com), and this signature is (mostly) tamper-proof. Receivers can trust that the signing domain took responsibility for the message. However, the reverse is not true; lack of a DKIM signature or failure of validation does not mean you must distrust the message.
How it works (the slightly longer version)
The diagram below shows how digital signatures work:
DKIM works by including a digital signature in the message. This digital signature is a string of text that the sender computes over the signed parts of the message with a private key. The receiver takes those same signed parts, queries DNS for the public key, and uses that public key to verify the signature against the content it received. If the signature verifies, then DKIM passes and the message really did come from the signing domain. If not, then you can make no assertion either way.
This is not the same as saying that the message did not come from the signing domain.
Advantages of signing with DKIM
Why sign with DKIM? There are a couple of reasons:
How to sign with DKIM
If you are going to sign with DKIM (and you should), and you are outsourcing your email, then it is easy to sign with DKIM. Simply find a bulk emailer that will sign with DKIM, and they will do all the work for you.
Let’s go back to our example sender – Oceanic Airlines. They contract out BigCommunications.com to send their marketing email. Oceanic wants the message to pass DKIM. What does that look like?
Now that we are set up and ready to go, BigCommunications prepares the email to send it out. The SMTP conversation looks like this:
HELO mail.bigcommunications.com
MAIL FROM: firstname.lastname@example.org
RCPT TO: <recipient>
DATA
Subject: Discover Ireland from $768* RT
From: Oceanic Airlines <email@example.com>
To: Me
Content-Type: multipart/alternative; boundary="----=_Part_8280486_25400197.1366674040595"
Date: April 26, 2013, 4:30 PM PST
Message-ID: <firstname.lastname@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines; d=bigcommunications.com; h=Message-ID:Date:Content-Type:From:To:Subject; bh=<hash>; b=<hash>
<Everything else in the email>
.
QUIT
When the email receiver gets the message, they do a standard SPF check on the sending IP 126.96.36.199 against the domain bigcommunications.com. This passes.
Next, they see the message has a DKIM-Signature header and fetch the public key from s1024_oceanicairlines._domainkey.bigcommunications.com (the s= selector under _domainkey in the d= domain). They perform the necessary DKIM validation magic and the message validates.
Both SPF and DKIM have passed!
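The following is an added example, not code from the original post: it walks the receiver-side steps described above over a constructed message that mirrors the Oceanic/BigCommunications setup (From: at news.oceanicairlines.com, d= at bigcommunications.com, selector s1024_oceanicairlines). It parses the DKIM-Signature tag list, derives the _domainkey record name the receiver would query, and recomputes the bh= body hash under relaxed canonicalization (RFC 6376); the b= RSA check over the h= headers is left out because it needs the public key fetched from that DNS record.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding WSP is not part of a value
    return tags

def relaxed_body(body):
    """Relaxed canonicalization: trim/collapse WSP, drop trailing empty lines, CRLF-terminate."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
def split_message(raw):
    """Return (lower-cased header name -> unfolded value, raw body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).decode().split("\r\n"):
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers, body

def build_message(body):
    """Signer side (the ESP), constructed sample: From: is Oceanic's domain, d= is the ESP's.
    Only bh= is computed; the b= RSA signature over the h= headers is left empty."""
    head = (b"From: Oceanic Airlines <news@news.oceanicairlines.com>\r\n"
            b"Subject: Discover Ireland from $768* RT\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
            b"  s=s1024_oceanicairlines; d=bigcommunications.com;\r\n"
            b"  h=From:Subject; bh=" + body_hash(body).encode() + b"; b=\r\n")
    return head + b"\r\n" + body

def check(raw):
    """Receiver side: who vouches for the message, where its key lives, is the body intact."""
    headers, body = split_message(raw)
    tags = parse_dkim_tags(headers["dkim-signature"])
    return {"signing_domain": tags["d"],
            "from_domain": headers["from"].rsplit("@", 1)[1].rstrip(">"),
            "selector_record": f"{tags['s']}._domainkey.{tags['d']}",
            "body_hash_ok": tags["bh"] == body_hash(body)}
```

Note that `signing_domain` and `from_domain` differ: the reputation attaches to the d= domain, which is the point the next section makes.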
There’s no free lunch, however
But be mindful about what’s going on here: news.oceanicairlines.com is not building reputation; it is not the domain in the RFC5321.MailFrom where SPF is performed, nor the domain in the d= field in the DKIM signature. Instead, it is BigCommunications.com that is building reputation.
What this means is that email receivers will hold BigCommunications.com responsible for Oceanic’s email. That means that BigCommunications will have stringent anti-abuse policies in place that Oceanic must comply with. This is all well and good because if Oceanic doesn’t play by its rules, Big Communications can cut off their outbound email flow.
On the other hand, it is also BigCommunications.com that is building the good reputation, not Oceanic. If Oceanic decides it doesn’t like BigCommunications’ terms, it can’t just pick up and do it itself, because email receivers don’t know who OceanicAirlines.com is with respect to bulk advertising email. It’s difficult to get bulk email delivered without getting blocked or throttled by all of the big email providers. Reputation is difficult to generate and maintain.
Thus, if you have a 3rd party send email on your behalf, and they sign it with their DKIM key in their DNS, you give up control of generating your own bulk email reputation. So long as you are willing to comply with the 3rd party’s rules, and you don’t need to send your own bulk email, everything is fine. It’s quick and easy and you don’t have to do anything special other than pay for the service.
However, if you do want to generate your own reputation, then you’re going to have more work to do. That’s a topic for my next post.
Oh, one last thing – you don’t have to bother signing email with DomainKeys, only DKIM.