Making the cut – DomainKeys

We had put off implementing DomainKeys in Hurricane Server due to the multitude of other tasks that were at hand. But at the 9th hour it looks like DomainKeys functionality will make it into the new release. I am very happy about this because using DomainKeys will enable more of your mail to get delivered – and get delivered quicker.

DomainKeys is a technology that enables your recipient’s mail server to verify that the message is authentic. This can make a big difference in getting your messages into your recipient’s inbox and out of their spam box.

The concept behind DomainKeys is really simple. A public / private key pair is generated and the public key is put in a text record on your DNS server. The private key is used to sign every outbound message by Hurricane Server. The signature is placed in a standard header at the top of the message. If the recipient’s mail server does not support DomainKeys, the signature is ignored. But if the recipient’s mail server does support DomainKeys, it will see that your message is signed, and use the domain of the address in the From: header to retrieve your public key from your DNS server and then use the public key to validate that the signature was created by your private key.

Through this process, the end result is that the recipient’s mail server can verify that:

  • The message came from servers under your control (provided that your private key has not been compromised).
  • The message has not changed since it was signed by Hurricane Server.
  • The domain in the From: header has not been spoofed.
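To make the round trip described above concrete, here is an added toy example (not Hurricane Server code) that generates a key pair, publishes the public key as the selector TXT record, signs a message, and then verifies it the way a receiving mail server would, including the altered-body and wrong-From cases from the list above. It uses the Python `cryptography` package; the selector, domain, addresses and the dict standing in for DNS are constructed values, and it hashes with SHA-256 (DomainKeys proper specified rsa-sha1).

```python
import base64
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SELECTOR, DOMAIN = "mail", "example.com"    # constructed values, not from the post
HASH, ALGO = hashes.SHA256(), "rsa-sha256"  # DomainKeys proper specified rsa-sha1

def tags(text):
    # 'k=v; k=v' syntax is shared by the signature header and the TXT record
    return dict(kv.strip().split("=", 1) for kv in text.split(";") if "=" in kv)

def canon(headers, body):
    # bytes both sides hash: the signed headers in fixed order, a blank line, the body
    lines = [f"{h}: {headers[h]}" for h in ("From", "To", "Subject")]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()

def txt_record(pub):
    # the selector record you publish at <selector>._domainkey.<domain>
    der = pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return "k=rsa; p=" + base64.b64encode(der).decode()

def sign(priv, headers, body):
    # DomainKey-Signature header value the outbound MTA adds
    sig = base64.b64encode(priv.sign(canon(headers, body), padding.PKCS1v15(), HASH)).decode()
    return f"a={ALGO}; q=dns; c=simple; s={SELECTOR}; d={DOMAIN}; b={sig}"

def verify(dns, sig_header, headers, body):
    # receiving MTA: From must be in d=, key comes from s=._domainkey.d=, signature must check out
    t = tags(sig_header)
    rec = dns.get(f"{t.get('s')}._domainkey.{t.get('d')}")
    if rec is None or not headers["From"].endswith("@" + t.get("d", "")):
        return False
    try:
        pub = serialization.load_der_public_key(base64.b64decode(tags(rec)["p"]))
        pub.verify(base64.b64decode(t["b"]), canon(headers, body), padding.PKCS1v15(), HASH)
        return True
    except Exception:  # unparsable key record, malformed b=, or signature mismatch
        return False

def demo():
    # returns (genuine message verifies, altered body fails, From in another domain fails)
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dns = {f"{SELECTOR}._domainkey.{DOMAIN}": txt_record(priv.public_key())}  # stands in for DNS
    hdr = {"From": "news@example.com", "To": "you@example.net", "Subject": "Hello"}
    body = "Your order has shipped.\r\n"
    sig = sign(priv, hdr, body)
    tampered, other_from = body + "extra line\r\n", dict(hdr, From="news@example.org")
    return verify(dns, sig, hdr, body), verify(dns, sig, hdr, tampered), verify(dns, sig, other_from, body)

if __name__ == "__main__": print(demo())  # (True, False, False)
```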

To use DomainKeys you will need:

  • a public / private key pair to use
  • two TXT records added to your DNS server
  • an outbound MTA that supports DomainKeys (i.e. Hurricane Server)

To simplify this process I have built a DomainKeys generation wizard that will enable you to easily generate a public / private key pair and that provides you with specific instructions on setting up Hurricane Server and your DNS server.

Once you have things set up you can test your DNS policy record and selector record. You can also test the whole shebang out by sending a message to one of the auto-responders that validate DomainKeys signed messages.

Yahoo has such an auto-responder at [email protected].