Installing DomainKeys and SPF Records
Posted by Vanessa | Tagged under email,exim,security,spam | Posted on December 31, 2009
13
DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity, by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify what servers can send email on behalf of a domain name.
You’ll want DomainKeys and SPF records if your users have trouble sending email to certain providers, or they are having issues with spoofed (forged) email. CPanel currently allows two easy ways for you or your users to set up email verification. This is supported at least from cPanel 11.18 onward.
User-Level:
You can enable the “Email Authentication” feature in WHM ~> Feature Manager, which will enable the Email Authentication icon in the users’ cPanels where they can create DomainKeys and SPF records for their domain(s).
Root-level:
There are scripts in /usr/local/cpanel/bin that can install these on a per-user basis:
/usr/local/cpanel/bin/domain_keys_installer $user
/usr/local/cpanel/bin/spf_installer $user
(and corresponding scripts to remove, like spf_uninstaller and domain_keys_uninstaller)
If you want to hit up everyone on the server, you can run my for loop one-liner:
for user in `ls -A /var/cpanel/users` ; do /usr/local/cpanel/bin/domain_keys_installer $user && /usr/local/cpanel/bin/spf_installer $user ; done
Now what about new users? cPanel already though of that, and has options to create hooks for when after an account is created. To set up the server to automatically create an SPF record and DomainKey for new accounts, edit /scripts/postwwwacct and paste in the following code:
#!/usr/bin/perl
my %OPTS = @ARGV;
$ENV{USER} = “$OPTS{‘user’}”;
system q(/usr/local/cpanel/bin/domain_keys_installer $USER);
system q(/usr/local/cpanel/bin/spf_installer $USER);
To verify an SPF record and/or DomainKey, you can run a DNS check:
dig default._domainkey.$domain TXT
dig $domain TXT
A technical note about DKIM:
You might know that DKIM is actually a generated key pair, similar to an SSH or SSL Certificate’s RSA key. CPanel stores these files in /var/cpanel/domain_keys, where the public folder contains the key reflected in the DNS zone, and the private folder contains the private key. You may have users that actually authenticate via DKIM in their mail clients, in which case you may need to provide them with the private key in order for them to sent email.
Related posts:
sending...
Hi. No postwwwacct file in our scripts folder, just createacct and wwwacct (same file, actually). We’d like to add the auto creation of domain keys and spf records. Which file (or both or a different one completely) should we add the mod to?
You actually have to create /scripts/postwwwacct, it doesn’t exist by default :)
Thanks.
Hi, thanks for the tips – I’ve done all this but still don’t notice exim adding any extra headers (domainkey-signature) that would let emails validate against the DNS. My DNS has been set up correctly by the scripts above but nothing else seems to be going on… I’ve had a look in exim.conf and can’t figure out what’s wrong. Any ideas?
Thanks,
Alex
Is there any way to modify your script for installing SPF and DK to not touch DNS entries with Google MX records?
This would be a great help since I’m terrible at shell scripting.
Thanks!
The domainkeys installer script is a cPanel script – not one that I wrote. It currently goes on a per-user basis, so the only way I can think of to skip domains not hosting mail locally is to run a loop on the domains and skip users with domains pointed elsewhere:
for user in `ls -A /var/cpanel/users`do
LOCALMX=1
for domain in $(cat /var/cpanel/users/$user |grep DNS |cut -d= -f2)
do
if grep $domain /etc/remotedomains >/dev/null ; then
LOCALMX=0
fi
done
if [ "$LOCALMX" == "1" ];then
echo "Adding domainkeys for user $user"
/usr/local/cpanel/bin/domain_keys_installer $user
fi
done
When being added to Windows Live Sender ID They say to use -all or ~all and not ?all terminator..which is what cPanel does, How can this be fixed for all accounts.
[...] See: Installing DomainKeys and SPF Records [...]
Hi Vanessa,
Thanks for the tips.
I tried to install your code in postwwwacct but unfortunatly, I already have code in that file that is in ruby.
if it was perl, it wouldn’t be a problem to combine them.
Any hind on how I can go over this ?
I would move the ruby script to another location, and execute it from /scripts/postwwwacct
[...] topic of how to install DomainKeys was previously covered in this article. Install the keys for each user, or run a loop as shown in the article to install them for all [...]
[...] DomainKeys The topic of how to install DomainKeys was previously covered in this article. Install the keys for each user, or run a loop as shown in the article to install them for all [...]
[...] topic of how to install DomainKeys was previously covered in this article. Install the keys for each user, or run a loop as shown in the article to install them for all [...]