Yuck. In this day and age, if I’m paying someone to provide email service for me, I don’t understand why this isn’t automated. Maybe because many of my provider’s clients have multiple domains? Still, it should be automated for each domain.
Anyway, if you’re using Bluehost as your web server and email provider (shared hosting, i.e. the cheapest plan), then you need to set up your email so that Yahoo, Hotmail, Gmail, and others don’t automatically flag emails from your domain (i.e. firstname.lastname@example.org) as spam. To do this, you need to set up DKIM (DomainKeys Identified Mail), which lets the receiving server check a cryptographic signature on each message against a public key published in your domain’s DNS.
On the plus side, the setup is actually pretty simple:
- Go to dkimcore.org, and create a public/private key pair. Just enter your domain, and press the “Generate” button. In a few moments, you’ll get a key pair. Keep this page open or saved, so you can grab the public key later.
- Go to your domain management Web GUI, for Bluehost it will be something like https://my.bluehost.com/cgi/dm/zoneedit?domain=yourdomain.com
- Look for a DNS TXT record (a key/value pair) with “_domainkey” as the key. In my Bluehost setup, it already had a “_domainkey” record with “o=~” as the value, so I updated it with the public key generated by dkimcore.org.
- dkimcore.org will spit out 3 formats for the public key. I found the easiest to use was the Tinydns format, which has everything on one line. Just copy everything from “v=DKIM1;” up to (but not including) the first colon. Everything from that colon to the end of the line is tinydns-specific and is not included in the other formats.
- Now paste this value into the GUI for changing the TXT record for “_domainkey”
At this point you just have to wait “4 hours” (in my case only a few minutes) for the DNS records to update. dkimcore.org mentions something about attaching a token to each outgoing email, but the Bluehost support staff assured me that I didn’t have to do anything else.
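Two things are worth checking before trusting the "just wait" step. First, a DKIM verifier does not look up the bare “_domainkey” name: it queries `<selector>._domainkey.<yourdomain>`, where the selector is the `s=` tag of the `DKIM-Signature` header the sending server adds, so make sure the GUI field you are editing is actually that record (a bare `_domainkey` TXT record containing `o=~` is an older DomainKeys policy record). Second, `dkim=pass` is only possible if the server that signs your mail holds the private key matching the public key you published; a verifier never needs the private key, and a mismatched pair fails. The following is an added example (not Bluehost’s or dkimcore.org’s code, and not from the original post) that builds the TXT value for a given RSA public key, splits it into the ≤255-byte strings a TXT record is made of (which is how a longer 2048-bit key is published), and parses a published record back the way a verifier would, reporting the key size. It uses only the Python standard library; the RSA moduli in it are constructed placeholders rather than real keys, and the tinydns line format it parses (name, data, TTL separated by colons, with colons in data escaped as `\072`) is an assumption about that format, not copied from dkimcore.org.

```python
# Added example (not Bluehost's or dkimcore.org's code): build, split and
# check the DNS record a DKIM verifier fetches. Standard library only.
# The RSA moduli used with these functions are constructed placeholders.
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der(0x02, body)


def _der_read(buf, pos=0):
    """Return (tag, payload, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key; base64 of this is the p= tag."""
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def rsa_from_spki(spki):
    """Inverse of rsa_spki_der: (n, e) from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = _der_read(body)
    if _der_read(alg_id)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_read(bit_string[1:])   # skip the unused-bits octet
    _, n_bytes, pos = _der_read(rsa_key)
    _, e_bytes, _ = _der_read(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- the DNS side ---
def dkim_record_name(selector, domain):
    """Verifiers query <selector>._domainkey.<domain>; the selector is the
    s= tag of the DKIM-Signature header the signing server adds."""
    return f"{selector}._domainkey.{domain}"


def dkim_txt_value(n, e):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, e)).decode()


def split_txt(value, limit=255):
    """TXT RDATA is one or more <=255-byte character-strings; verifiers
    concatenate them (RFC 6376 3.6.2.2), so a 2048-bit key is published as
    two strings in one record, not as two records."""
    raw = value.encode()
    return [raw[i:i + limit].decode() for i in range(0, len(raw), limit)]


def txt_value_from_tinydns(line):
    """(name, data) from an assumed tinydns-style "'fqdn:data:ttl..." line;
    colons inside data are taken to be octal-escaped as \\072."""
    if not line.startswith("'"):
        raise ValueError("not a tinydns TXT line")
    name, data = line[1:].split(":")[:2]
    return name, re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), data)


def parse_dkim_record(strings):
    """Check a published record the way a verifier would and report key size."""
    tags = {}
    for field in "".join(strings).split(";"):
        key, _, val = field.partition("=")
        if key.strip():
            tags[key.strip()] = re.sub(r"\s+", "", val)  # whitespace allowed in p=
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    if not tags.get("p"):
        raise ValueError("empty p= means the key is revoked or missing")
    n, e = rsa_from_spki(base64.b64decode(tags["p"], validate=True))
    return {"tags": tags, "bits": n.bit_length(), "n": n, "e": e}


if __name__ == "__main__":
    n = (1 << 1023) + 0xABCDEF           # placeholder 1024-bit "modulus", not a real key
    strings = split_txt(dkim_txt_value(n, 65537))
    print(dkim_record_name("default", "example.org"), strings)
    print(parse_dkim_record(strings)["bits"], "bit key")
```

The `p=` value of a real 1024-bit key starts with `MIGf` and a 2048-bit one with `MIIBIj`, which is a quick eyeball check that what you pasted is a whole SubjectPublicKeyInfo and not a truncated copy. To check a live record, feed the strings returned by `dig +short TXT default._domainkey.yourdomain.com` (each quoted piece is one string) to `parse_dkim_record`.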
Something that is confusing to me and friends I’ve talked to is that I didn’t have to do anything with the private key generated by dkimcore.org. Does Bluehost get it from them behind the scenes? That would be kinda sketchy. Is it not required for the system to work? Also sketchy.
Anyway, before I did this, when I checked the headers of an email sent to a Yahoo account I got:
Authentication-Results: mta1247.mail.bf1.yahoo.com from=russandbecky.org; domainkeys=neutral (no sig); from=russandbecky.org; dkim=temperror (key retrieval failed)
While after the changes I get:
Authentication-Results: mta1444.mail.bf1.yahoo.com from=russandbecky.org; domainkeys=neutral (no sig); from=russandbecky.org; dkim=pass (ok)
For comparison, when sending from a gmail account to yahoo, I get:
Authentication-Results: mta1340.mail.ne1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)
Some related links:
- Rackspace’s notes on setting up DKIM
- Fuller set of tools (including checks on DKIM records) from dkimcore.org. The “Check a published DKIM Core Key” doesn’t seem to come back with anything if it worked, and only provides info when it fails. The “Check a DKIM Core Key Record” can be used to verify what you cut and paste into the TXT record’s value.
- Checking DKIM setup of your domain with gmail or yahoo
I just got an email from Scott Cordon. Seems like something to try…
Very considerate of you to post your experiences with DKIM on your blog! Appreciated; your tips page is also very good. I have used most of them over the years.

I am also on Bluehost, have recently moved “up” to a VPS (lowest level) because I can handle linux admin — have been doing for a number of years.

Noted that you have derived a 1024-bit based key for your DKIM. That was well-supported at one time. I think gmail still insists on at least that level. However, most of the world seems to be moving on to 2048-bit keys … and alas, they don’t fit (easily) within the protocol designated in the DNS TXT record which identifies you. Not even sure the libraries and MTAs can put together the UDP packet’s 255-byte-limited substrings for a long DKIM key. I suspect you might get it into one UDP packet, but not necessarily into one string. Two separate parts to the TXT record are needed, not sure about two UDP

But some people seem to be doing it… just wondered whether you ran into anyone on Bluehost who is doing it?

By using 2048-bit keys, you can really lock in the power of cryptography to use a key with a “chain” to validate your identity — and have a totally verifiable identity chain.

Any ideas or ramblings welcome.
(yep, if you want it done, DIY)