Wednesday, August 12, 2009

SPF and DKIM

Wow, has it been THAT long since my last post? I've been moving house and am now a certified telecommuter, with 100% of my job done from my lovely home office at the beach.

Anyway, I had to do a large mailshot to about 1.4 million customers, and in the run-up, to increase delivery rates, I instituted SPF and DKIM.

A quick explanation of each:

SPF - Sender Policy Framework
DKIM - Domain Keys Identified Mail

Both systems let a receiving server check that mail claiming to come from a particular domain really was sent by a server that domain authorises. Both are heavily used in the enterprise, and having them on your mailserver will increase delivery rates.

SPF is easy: you just need to add a TXT DNS record to your domain, like so:

v=spf1 ip4:11.11.11.11 ip4:22.22.22.22 mx ptr mx:somedomain.com include:somedomain.com ~all

Let's break it down:

v=spf1 - Version (currently only v1 exists).
ip4:11.11.11.11 ip4:22.22.22.22 - If the source mail server is IP 11.11.11.11 or 22.22.22.22 then it is authorised.
mx - The domain's own MX hosts are authorised.
ptr - If the source IP has a reverse lookup to this domain then it is authorised.
mx:somedomain.com include:somedomain.com - somedomain.com's mail servers are authorised to send mail on behalf of this domain.
~all - Anything not matched above is a softfail (flagged as suspicious rather than rejected outright).

DKIM is a bit harder: first you need an MTA that supports it. I've used Merak 9 (which has it built in) and Postfix (with the dkim-milter plugin).

The logic is that you generate a keypair; the private half is integrated into your mail system and signs outgoing mail, and the public half is published in a TXT DNS record on your domain.

The receiving MTA looks up the TXT record, finds the public key, and uses it to verify the signature the sending server placed in the DKIM-Signature header. A valid signature confirms that the mail was signed with the matching private key (i.e. by the domain that published the record) and that the signed headers and body were not altered in transit. If it verifies, the mail is accepted.

The source MTA adds headers like this:

X-DKIM: Sendmail DKIM Filter v2.8.2 sender1.yourdomain.com 75866730012
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=yourdomain.com;
        s=default; t=1239981026; bh=+NNkD6jOlYKtY2AIGNRToH2tkm0=;
        h=Date:List-Help:List-Subscribe:List-Unsubscribe:List-Owner:
        List-Post:From:Reply-To:To:Subject:MIME-Version:Content-Type:
        Message-Id;
        b=MrjXBShjNexWy62fC4Uu7xS3Hxav+cHtqIBzwMlcufadsffLtW9KmF5sO58+yHjyy
        I3SiX0TNyEbvXtSHvRKm9z630zDiN0dxVXGqhgEfdklaj4jlkfhR6GrsRgzW2YOW6/9
        sKFnz214AkhAPrFBD30hNmZfRfY75v5q94FnGDUo=

and the domain TXT record (published at the selector name, default._domainkey.yourdomain.com for s=default above) is set up thus:

v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GWETBNiQKBgQC5KT1eN2lqCRQGDX+20I4liM2mktrtjWkV6mW9WX7q46cZAYgNrus53vgfl2z1Y/95mBv6Bx9WOS56OAVBQw62+ksXPT5cRUAUN9GkENPdOoPdpvrU1KdAMW5c3zmGOvEOa4jAlB4/wYTV5RkLq/1XLxXfTKNy58v+CKETLQS/eQIDAQAB

Where:

v=DKIM1 - Version 1 of DKIM.
g=* - Granularity: which local-parts (the bit before the @) this key may sign for; * means any.
k=rsa - Key type; rsa is the type used here.
p=xxxxxx - The actual public key, base64 encoded.
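As an added example (my own code, not from the original post), here is a small Python script that parses the SPF record and the folded DKIM-Signature header quoted above into their terms and tags, and recomputes the bh= body hash under the simple canonicalisation the header declares, which is the first thing a verifying MTA checks before it even looks up the public key. The message bodies it is run against are constructed, and the h= list is shortened.

```python
import base64
import hashlib
import re

# SPF record and DKIM-Signature value quoted from the post (header name
# removed, h= list shortened; folded lines kept so the parser must cope).
SPF_RECORD = ("v=spf1 ip4:11.11.11.11 ip4:22.22.22.22 mx ptr "
              "mx:somedomain.com include:somedomain.com ~all")
DKIM_HEADER = ("v=1; a=rsa-sha1; c=simple/simple; d=yourdomain.com;\r\n"
               "\ts=default; t=1239981026; bh=+NNkD6jOlYKtY2AIGNRToH2tkm0=;\r\n"
               "\th=Date:From:Reply-To:To:Subject:MIME-Version:Message-Id;\r\n"
               "\tb=MrjXBShjNexWy62fC4Uu7xS3Hxav+cHtqIBzwMlcufadsffLtW9KmF5sO58+yHjyy\r\n"
               "\t I3SiX0TNyEbvXtSHvRKm9z630zDiN0dxVXGqhgEfdklaj4jlkfhR6GrsRgzW2YOW6/9\r\n"
               "\t sKFnz214AkhAPrFBD30hNmZfRfY75v5q94FnGDUo=")

def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples; no qualifier means '+' (pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":                 # explicit pass/fail/softfail/neutral
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument or None))
    return parsed

def parse_dkim_tags(header_value):
    """Parse the tag=value list; folding whitespace is legal inside values and is stripped."""
    tags = {}
    for part in header_value.split(";"):
        if part.strip():
            name, _, value = part.partition("=")   # b= and bh= end in '=' padding
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash(body, algorithm="rsa-sha1"):
    """bh= under 'simple' body canonicalisation: drop trailing empty lines,
    end with exactly one CRLF, then hash with the digest named by the a= tag."""
    canon = body.rstrip(b"\r\n") + b"\r\n"  # an empty body becomes a single CRLF
    digest = hashlib.sha256 if algorithm.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canon).digest()).decode()

def body_hash_matches(header_value, body):
    """A body altered in transit fails here, so the signature is never even checked."""
    tags = parse_dkim_tags(header_value)
    return body_hash(body, tags.get("a", "rsa-sha1")) == tags.get("bh")
```

The bh= in the quoted header belongs to the original mailshot body, which the post does not include, so only a constructed message can be expected to match it here.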

These two techniques, along with having proper forward and reverse DNS lookups for your mailserver, will increase delivery rates and decrease spam scores, making sure your mail ends up in the inbox and not in junk mail.