Installing DomainKeys and SPF Records
- Written by Vanessa Vasile
- Published in Howto, Linux, Mail
- Permalink
DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity, by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify what servers can send email on behalf of a domain name.
You'll want DomainKeys and SPF records if your users have trouble sending email to certain providers, or they are having issues with spoofed (forged) email. CPanel currently allows two easy ways for you or your users to set up email verification. This is supported at least from cPanel 11.18 onward.
User-Level:
You can enable the “Email Authentication” feature in WHM ~> Feature Manager, which will enable the Email Authentication icon in the users' cPanels where they can create DomainKeys and SPF records for their domain(s).
Root-level:
There are scripts in /usr/local/cpanel/bin that can install these on a per-user basis:
/usr/local/cpanel/bin/domain_keys_installer $user
/usr/local/cpanel/bin/spf_installer $user
(and corresponding scripts to remove, like spf_uninstaller and domain_keys_uninstaller)
Update: On cPanel 11.32 and higher, these scripts are replaced with:
/usr/local/cpanel/bin/dkim_keys_installer
/usr/local/cpanel/bin/dkim_keys_uninstaller
If you want to hit up everyone on the server, you can run my for loop one-liner:
for user in `ls -A /var/cpanel/users` ; do /usr/local/cpanel/bin/dkim_keys_installer $user && /usr/local/cpanel/bin/spf_installer $user ; done
Now what about new users? cPanel already though of that, and has options to create hooks for when after an account is created. To set up the server to automatically create an SPF record and DomainKey for new accounts, edit /scripts/postwwwacct and paste in the following code:
#!/usr/bin/perl
my %OPTS = @ARGV;
$ENV{USER} = β$OPTS{βuserβ}β;
system q(/usr/local/cpanel/bin/dkim_keys_installer $USER);
system q(/usr/local/cpanel/bin/spf_installer $USER);
To verify an SPF record and/or DomainKey, you can run a DNS check:
dig default._domainkey.$domain TXT
dig $domain TXT
A technical note about DKIM:
You might know that DKIM is actually a generated key pair, similar to an SSH or SSL Certificate's RSA key. CPanel stores these files in /var/cpanel/domain_keys, where the public folder contains the key reflected in the DNS zone, and the private folder contains the private key. You may have users that actually authenticate via DKIM in their mail clients, in which case you may need to provide them with the private key in order for them to sent email.
19 Comments
Hi. No postwwwacct file in our scripts folder, just createacct and wwwacct (same file, actually). We’d like to add the auto creation of domain keys and spf records. Which file (or both or a different one completely) should we add the mod to?
You actually have to create /scripts/postwwwacct, it doesn’t exist by default π
Thanks.
Hi, thanks for the tips – I’ve done all this but still don’t notice exim adding any extra headers (domainkey-signature) that would let emails validate against the DNS. My DNS has been set up correctly by the scripts above but nothing else seems to be going on… I’ve had a look in exim.conf and can’t figure out what’s wrong. Any ideas?
Thanks,
Alex
Is there any way to modify your script for installing SPF and DK to not touch DNS entries with Google MX records?
This would be a great help since I’m terrible at shell scripting.
Thanks!
The domainkeys installer script is a cPanel script – not one that I wrote. It currently goes on a per-user basis, so the only way I can think of to skip domains not hosting mail locally is to run a loop on the domains and skip users with domains pointed elsewhere:
for user in `ls -A /var/cpanel/users`
do
LOCALMX=1
for domain in $(cat /var/cpanel/users/$user |grep DNS |cut -d= -f2)
do
if grep $domain /etc/remotedomains >/dev/null ; then
LOCALMX=0
fi
done
if [ "$LOCALMX" == "1" ];then
echo "Adding domainkeys for user $user"
/usr/local/cpanel/bin/domain_keys_installer $user
fi
done
When being added to Windows Live Sender ID They say to use -all or ~all and not ?all terminator..which is what cPanel does, How can this be fixed for all accounts.
Pingback: 10 Tips for Improving Email Delivery :: The cPanel Admin
Hi Vanessa,
Thanks for the tips.
I tried to install your code in postwwwacct but unfortunatly, I already have code in that file that is in ruby.
if it was perl, it wouldn’t be a problem to combine them.
Any hind on how I can go over this ?
I would move the ruby script to another location, and execute it from /scripts/postwwwacct
Pingback: Using DKIM with Exim and cPanel :: The cPanel Admin
Pingback: Using DKIM with Exim and cPanel | TurboNoc.com
Pingback: Web Host Polis | Using DKIM with cPanel and Exim
In this article you mention that making a backup for each account “will double the amount of disk space that the account is using for a short amount of time”
So I was wondering if there is a way to avoid this problem.
Mounting another drive will solve this problem?
Hi,
I tried your code to enable it for all users in cPanel but to it says there’s no script named: /usr/local/cpanel/bin/domain_keys_installer
Am i missing something ?
Thanks.
Cpanel has renamed /usr/local/cpanel/bin/dkim_keys_installer to /usr/local/cpanel/bin/dkim_keys_install , content should be updated to reflect this.
I have DomainKeys Signature enabled but don’t know how to add a DomainKeys Signature. I do not have WHM access.
Use the email auth section in cpanel
Cpanel 11.34.1 have in Tweak Settings two new options:
Enable DKIM on domains for newly created accounts
Enable SPF on domains for newly created accounts