Guide to using DomainKeys with SurgeMail (3.7c)

Note: DKIM has now replaced DOMAINKEYS:

DKIM is just an updated version of DOMAINKEYS that is now more widely used.

SurgeMail has both, but you should use the DKIM settings instead: in place of g_domainkeys_sign use the setting g_dkim_sign. Apart from that, the notes below are still relevant.

How it works:

DomainKeys is a cryptographic method that lets a receiving server or client verify that the From/Sender header is accurate and was not forged.

It does this by looking up the sender's _domainkey.domain.name DNS record to obtain the domain's public key, which it then uses to check that the signature in the message headers is correct.

SurgeMail uses this information to avoid grey-bouncing a message when no SPF information exists, and may in future score signed messages differently.

SurgeMail can also 'sign' outgoing email. This helps your email get delivered to servers that use this information to further verify a message, and it makes it harder for spammers to forge your domain successfully.

There is a button in SurgeMail to generate your private/public key pair. This creates the file domainkey.pem; if you have several servers sending email for your domain you will need to copy this file to each server.

As well as entering your public key into your DNS, you define your policy in the TXT DNS records default._domainkey.your.domain and _domainkey.your.domain. This policy states whether you are testing or not, and whether you sign all or only some of the messages from your domain. A receiving system 'should' use this information to determine what action is valid if a signature does not exist or fails to verify.
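The two records described above (the selector record that carries the public key, and the _domainkey policy record) both use the same "tag=value; tag=value" TXT syntax. The following is an added example, not SurgeMail's own code: it parses constructed copies of both records and applies the policy tags (o=- / o=~ for "all" or "some" mail signed, t=y for testing) to the outcome of a signature check, the way a receiver that honours the policy would. The p= value is a constructed placeholder, not a real public key, and the record strings are embedded rather than fetched from DNS.

```python
"""
Parse the DNS TXT records a DomainKeys/DKIM verifier relies on, and apply
the sending domain's policy to the result of a signature check.

Added example, not SurgeMail code. The record contents below are constructed
for illustration; the p= value is NOT a real public key.
"""
import base64

# Constructed TXT records, as a receiver would fetch them from DNS:
#   default._domainkey.example.com  -> SELECTOR_RECORD (public key)
#   _domainkey.example.com          -> POLICY_RECORD   (signing policy)
SELECTOR_RECORD = "k=rsa; t=y; p=" + base64.b64encode(b"constructed-not-a-real-key").decode()
POLICY_RECORD = "t=y; o=-; n=constructed testing policy"


def parse_tags(txt: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by the selector key
    record (selector._domainkey.domain) and the policy record (_domainkey.domain)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def public_key_from_record(txt: str) -> bytes:
    """Return the raw (base64-decoded) public key carried in the p= tag.
    An empty p= means the key has been revoked and must not verify anything."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type " + tags["k"])
    p = tags.get("p")
    if p is None:
        raise ValueError("record has no p= tag")
    if p == "":
        raise ValueError("key revoked (empty p=)")
    return base64.b64decode(p, validate=True)


def policy_verdict(policy_txt: str, signature_status: str) -> str:
    """Apply a DomainKeys policy record to a verification result.

    signature_status is one of 'pass', 'fail' or 'none'. A failed signature
    is treated as if the message were unsigned, then the policy decides:
      o=-  all mail from the domain is signed -> unsigned mail is suspect
      o=~  only some mail is signed (default) -> unsigned mail is neutral
      t=y  domain is testing -> never penalise, just record the result
    """
    tags = parse_tags(policy_txt)
    if signature_status == "pass":
        return "accept"
    if tags.get("t") == "y":
        return "neutral (domain in testing mode)"
    if tags.get("o", "~") == "-":
        return "suspect (policy says all mail is signed)"
    return "neutral (domain signs only some mail)"


if __name__ == "__main__":
    print("selector tags:", parse_tags(SELECTOR_RECORD))
    print("policy tags:  ", parse_tags(POLICY_RECORD))
    print("key bytes:    ", public_key_from_record(SELECTOR_RECORD))
    for status in ("pass", "fail", "none"):
        print(f"{status:>4} under POLICY_RECORD -> {policy_verdict(POLICY_RECORD, status)}")
        print(f"{status:>4} under 'o=-'         -> {policy_verdict('o=-', status)}")
```

The practical point for a defender is the t=y tag: while your domain is in testing mode, receivers that follow the policy will not penalise mail that fails to verify, so remove t=y only once every server that sends for your domain has the same domainkey.pem and is signing correctly.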

What you need to do to enable DomainKeys checks for 'incoming' email

  1. Upgrade to SurgeMail 3.7c-25 or later.
  2. In the web admin tool, go to the DomainKeys page (spam_control - Alternative sender verification)
  3. Turn on these settings:
    Check incoming DomainKeys signatures g_domainkeys_check [TICK]

What you need to do to generate DomainKeys signatures for 'outgoing' mail

  1. In the web admin tool, go to the DomainKeys page
  2. Turn on the setting
    Sign outgoing messages with DomainKeys g_domainkeys_sign [TICK]
  3. Press the "Configure" DomainKeys button to generate your key pair and fetch your public key
  4. Enter your public key into your DNS server in the appropriate TXT record as described on the page, e.g. default._domainkey.your.domain