Officially delegate DKIM sign #154

Closed
ale5000-git opened this issue May 24, 2019 · 4 comments

ale5000-git commented May 24, 2019

When a hosting provider offers domain, hosting, mail and PEC, in some cases (many in Italy) the SMTP server (that adds the DKIM signature to mail) is from the domain of the hosting and not from the domain of the mail itself.

Is there a way to specify in the domain's DNS that DKIM signing is officially delegated to an "apparently" unrelated domain?
On consultingroupitaly.com the SPF record allows aruba.it to send mail, isn't it enough?

Owner

lieser commented May 27, 2019

> Is there a way to specify in the domain's DNS that DKIM signing is officially delegated to an "apparently" unrelated domain?

As far as I know not. And in my opinion there is no reason for something like this to be added, as DKIM already contains the possibility to delegate signing for a domain to a partner.

In case company_X (with domain company.example) wants to send e-mails through provider_Y, the following should happen:

  1. company_X and provider_Y agree on a selector to use, e.g. 1234
  2. provider_Y generates a DKIM key, and gives the public part to company_X
  3. company_X publishes the DKIM key under the domain company.example with the selector 1234
  4. Now provider_Y can sign outgoing e-mail on behalf of the company_X for the domain company.example, using the selector 1234.

> On consultingroupitaly.com the SPF record allows aruba.it to send mail, isn't it enough?

SPF and DKIM are totally unrelated in how they work. So I don't think extracting some information from SPF and trying to use it for DKIM (in a way that does not conform to the standard) is a good thing to do.

@lieser lieser self-assigned this May 27, 2019
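
The delegation steps listed in the comment above, seen from the receiving side, as an added example (not part of the issue thread or the add-on's code). It parses a `DKIM-Signature` header, derives the DNS name where the public key is looked up, and reports whether the signing domain (`d=`) covers the `From` domain; it does not verify the cryptographic signature. `company.example` and selector `1234` come from the comment; `provider.example`, the messages and the placeholder `bh=`/`b=` values are constructed, and the domain comparison is a simplified check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: provider_Y signs for company.example with selector 1234.
DELEGATED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.example;\r\n"
    "\ts=1234; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "From: Alice <alice@company.example>\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)
# Constructed sample: the provider signs with its own domain instead.
PROVIDER_ONLY = DELEGATED.replace("d=company.example", "d=provider.example")


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty element after a trailing ';'
        name, _, val = part.partition("=")
        # Header folding may leave whitespace around names and inside values.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_delegation(raw_message):
    """Return (key_query_name, covers_from) for the DKIM-Signature header."""
    msg = message_from_string(raw_message)
    tags = parse_tag_list(msg["DKIM-Signature"])
    sdid, selector = tags["d"].lower(), tags["s"].lower()
    # The verifier fetches the public key from a TXT record at this name,
    # so the key must be published in the zone named by d=.
    query = f"{selector}._domainkey.{sdid}"
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Simplified check: From domain equals d= or is a subdomain of it.
    covers_from = from_domain == sdid or from_domain.endswith("." + sdid)
    return query, covers_from


if __name__ == "__main__":
    for label, raw in (("delegated", DELEGATED), ("provider-only", PROVIDER_ONLY)):
        print(label, check_delegation(raw))
```
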
Author

ale5000-git commented May 28, 2019

Whoever created the specs (probably) completely ignored one common case: small companies that use shared hosting.

Just to be clear (since it probably may not be the same all over the world), smtp.consultingroupitaly.com points to an IP of aruba.it.
Also the SMTP servers (smtp.*.*) of probably over 200 really separate domains (hosted by aruba.it) point to the same IPs of aruba.it (which is the one that sends and DKIM-signs all mail).
The SMTP server is included in the shared hosting pack (which includes domain, web space, DB, PHP, and mail) that is paid for.

There is no way to have a custom SMTP server or DKIM signer without buying other external paid services (and in small organizations there usually isn't an internal server).

Also the provider's support in most cases just says no (and the people who reply to support tickets in many cases don't know what DKIM is).
The only things that can be edited are the DNS entries.

So, how to handle this situation?

Owner

lieser commented May 28, 2019

> Whoever created the specs (probably) completely ignored one common case: small companies that use shared hosting.

Note that I myself have absolutely no experience setting up DKIM signing. But from my understanding of the DKIM standard, I don't see anything that indicates that also small companies should not be able to sign with their own domain (besides incompetence from their e-mail provider).

> Just to be clear (since it probably may not be the same all over the world), smtp.consultingroupitaly.com points to an IP of aruba.it.
> Also the SMTP servers (smtp.*.*) of probably over 200 really separate domains (hosted by aruba.it) point to the same IPs of aruba.it (which is the one that sends and DKIM-signs all mail).

DKIM does not care about IPs at all.

And there exist SMTP server setups that can sign outgoing mail for different domains with different keys. So a single SMTP server should not be an issue. See e.g. https://wiki.archlinux.org/index.php/OpenDKIM#Multiple_domains.

> There is no way to have a custom SMTP server or DKIM signer without buying other external paid services (and in small organizations there usually isn't an internal server).
>
> Also the provider's support in most cases just says no (and the people who reply to support tickets in many cases don't know what DKIM is).
> The only things that can be edited are the DNS entries.
>
> So, how to handle this situation?

If the provider doesn't provide what you need/want, you will have no other option than switching to another.

There exist e-mail providers for businesses that support DKIM with custom domains. Quick googling found at least the two following;

But I think this discussion is out of scope of the add-on, and should better be made with people who have actual real world experience with DKIM signing. As I said at the beginning, I'm not such a person.

Owner

lieser commented Jun 13, 2019

As you haven't responded yet, I will consider your questions to be answered. If not, please reopen.

@lieser lieser closed this as completed Jun 13, 2019