How to set up DKIM?

Yes, it does... I guess you have issues with understanding finer aspects of the English language?
OMG, you're starting this discussion again? I thought it was finally finished.
I've really had enough of this crap so I don't discuss any further, especially not with somebody who KEEPS SHOUTING in posts every few words.
 
Well, this is a contentious topic for some reason. I am on shared hosting and have been trying to get our DKIM set up under ACP -> Options -> Email -> DKIM.

I've given my host the information to put into our txt record, etc., but I still have this showing days later:
[Screenshot attachment: 1702178970281.webp]

I've verified with the host that OpenSSL is installed and enabled, so I am at a loss as to why nothing is happening. Can anyone shed some light on it for me? The above thread lost me when it went extremely technical and chaotic.

Thanks in advance!

J
 
I've given my host the information to put into our txt record, etc., but I still have this showing days later:
First of all, where did you get that TXT record? Because DKIM doesn't mean you can just add some TXT record you found or created yourself somewhere and you're done.
It's the mailserver which should also sign your e-mails with the DKIM record, the forum software will not do that for you.

So I wonder if your shared host has any hosting experience. Because he should know that only enabling OpenSSL and adding some TXT record will be enough. The mailserver must support it.

Mostly if you are on a shared hosting server, some panel is used, like mostly cPanel, Directadmin or Plesk, which are the 3 professional panels.
These panels can and will create dkim records for you, add them to your DNS and make sure the mailserver supports DKIM.
It's the mailserver that is using the private key for DKIM. Without that, you can forget a working DKIM.

However, why it's not showing in DNS I don't know, but without a domain name it's hard to investigate, I guess most of us don't have a crystal ball. ;)
 
First of all, where did you get that TXT record?
Most likely:
XenForo ACP > Setup > Options > Email options > DKIM email authentication
as shown in the screenshot.

It's the mailserver which should also sign your e-mails with the DKIM record, the forum software will not do that for you.
Although I'd strongly recommend to implement DKIM signing on the mailserver (as it is much more efficient), XenForo can (and if correctly configured will) sign emails.
 
XenForo ACP > Setup > Options > Email options > DKIM email authentication
Oops.. you're right I made a big booboo there. Probably because I used my own DKIM key in there, it was already configured correctly.
Anyway, key is not just a key but created by Xenforo in that case.

XenForo can (and if correctly configured will) sign emails.
Okay, that is new to me as I always thought the mailserver is signing the mails and needs the private key and Xenforo might have a private key but is not a mailserver.

Thanks for correcting this.

Still.. to investigate DNS records a real domain name is required.
 
https://xenforo.com/community/threads/xenforo-2-2-9-released.205251/
In addition to the usual bug fixes and improvements, we've continued to improve compatibility with PHP 8.1 and added support for self-hosted licenses to more easily sign outgoing emails with DKIM as per this recent suggestion by @digitalpoint.

Xenforo might have a private key but is not a mailserver.
Why would Xenforo need a private key for DKIM if it doesn't sign emails? :)

Still.. to investigate DNS records a real domain name is required.
Yup, definitely
 
Why would Xenforo need a private key for DKIM if it doesn't sign emails? :)
??? You don't agree with yourself?
XenForo can (and if correctly configured will) sign emails.

So will or will it not sign emails??? You make conflicting statements here.

And about 1 thing I'm sure, DKIM signing requires a public and private key and the private key is required on the server. The mailserver normally does the signing of the emails.

So which one is true now, your statements are confusing.
 
XenForo will sign emails if it is correctly configured to do so.
But I personally wouldn't recommend using that as there are quite a few issues:

You said
I always thought the mailserver is signing the mails [...] and Xenforo might have a private key
to which I commented
Why would XenForo need a private key for DKIM if it doesn't sign emails? :)
eg. "Think about what you just wrote: What sense would it make for XenForo to have the private key if it doesn't use that key to sign emails? :)"

DKIM signing requires a public and private key
Yes

and the private key is required on the server.
Define "on" and "the server".

The private key is required to DKIM sign emails.
It is not required though that the "mailserver" (MTA) does sign emails and it is as well not required that the private key is permanently stored "on" whatever server is signing emails.
In case of XenForo the key is loaded from virtual filesystem internal-data - which might or might not be "on" the server.

The mailserver normally does the signing of the emails.
Yes, normally - but not necessarily.
 
eg. "Think about what you just wrote: What sense would it make for XenForo to have the private key if it doesn't use that key to sign emails? :)"
I didn't write that. My response was a response to your answer:
XenForo will sign emails if it is correctly configured to do so.
In that case Xenforo would need the private key, right? Either its own or the domain's private key from the sending server.

It is not required though that the "mailserver" (MTA) does sign emails and it is as well not required that the private key is permanently stored "on" whatever server is signing emails.
Maybe that is where my confusion is coming from. Until now I wasn't aware of the fact that anything else than the MTA would be able to DKIM sign emails. So that is interesting new info for me.

However, this does still not solve the issue @Chernabog has. Seems to me his DNS was not correctly configured or his host is using external DNS and forgot to copy the DKIM record to the external DNS.
 
I didn't write that. My response was a response to your answer:
Let's stop here, this doesn't get us anywhere :)

In that case Xenforo would need the private key, right? Either its own or the domain's private key from the sending server.
Any system / server / software that wants to add a valid DKIM signature to an email must use a DKIM selector that is published in DNS and must be able to use the corresponding private key.

Whether that selector / keypair is unique to that system / server / software or shared with other systems / servers / software doesn't matter, there can be multiple selectors / keypairs for a domain.
You even could have multiple signatures, like one added by XenForo and another one added by an (intermediate) MTA.

Does that answer your question?

Maybe that is where my confusion is coming from. Until now I wasn't aware of the fact that anything else than the MTA would be able to DKIM sign emails. So that is interesting new info for me.
A DKIM signature is basically just a header.

So anything that
  1. Can read a full email (eg. including headers)
  2. Does know a valid selector published in DNS
  3. Can use the corresponding private key
  4. Can add headers to the email
can add a valid DKIM signature, this may include the sending system (like XenForo).
 
@Kirby thank you for your response.

@Black Tiger it seems your entire MO in these discussions is to be a curt, arrogant, and petty tyrant. After reading the long running back and forth that Xenforo moderators should have cut short, I was hesitant to add to this thread. If I didn't think it would have been considered redundant to have done so, I would have made my post in a new thread.

I am not "savvy" with this particular matter, and was hoping that there may be someone in the community who could speak to it and assist. You know, the polite and considerate thing to do. Speaking of polite and considerate "What's your domain?" would have been less asinine a response than "I guess most of us don't have a crystal ball. ;)"

Obviously, this is a hot button topic that cannot get a simple response in this thread, because again it turns back into a back and forth about whose is bigger rather than on topic to the request I posted.

Let's see how well the new ignore functions work in X2.3 - who has time for the stupid BS?
 
I am not "savvy" with this particular matter, and was hoping that there may be someone in the community who could speak to it and assist.
In spite of what you think of me, at least I was the only one trying to help you. And if you are on many forums trying to help people as I am and constantly seeing users asking stuff, without providing enough info to be able to do something, you might be sure it gets tiring.

Seems you also don't understand the meaning of a smiley. I put it there because I wanted to show I didn't mean the crystal ball comment badly.

I never meant to start a discussion, but the staff seemed to only answer me instead of providing a solution for you, I can't help that.

Have fun with the new ignore function. It says more about you than about me that you're going to ignore people trying to help and that you don't understand smileys. Goodbye.
 
First of all, where did you get that TXT record? Because DKIM doesn't mean you can just add some TXT record you found or created yourself somewhere and you're done.
It's the mailserver which should also sign your e-mails with the DKIM record, the forum software will not do that for you.

So I wonder if your shared host has any hosting experience. Because he should know that only enabling OpenSSL and adding some TXT record will be enough. The mailserver must support it.

Mostly if you are on a shared hosting server, some panel is used, like mostly cPanel, Directadmin or Plesk, which are the 3 professional panels.
These panels can and will create dkim records for you, add them to your DNS and make sure the mailserver supports DKIM.
It's the mailserver that is using the private key for DKIM. Without that, you can forget a working DKIM.

However, why it's not showing in DNS I don't know, but without a domain name it's hard to investigate, I guess most of us don't have a crystal ball. ;)

I decided against the ignore function, as it wasn't necessary.

Not to engage in a back and forth, but while I appreciate that you felt you were helping in your reply to me your delivery certainly didn't give that impression.

Kind of you to be busy helping others, on multiple forums, I am sure they appreciate it.

Online, delivery is everything.

I've found another support path for my concerns, 🤞 that should get the matter corrected.


Take care, Happy Holidays!
 
Online, delivery is everything.
In the discussion, I also especially tried and get the staff answering to you too, see the last line in post #51.

As for the delivery..... understanding goes both ways.

Anyway, glad to see you found other support, hope they will fix it for you.

Happy Holidays for you too!
 
I've found another support path for my concerns, 🤞 that should get the matter corrected.
Once the issue has been solved, it would be nice if you could report back what exactly was causing the problem as that might be helpful for others too.

Without knowing further details (as pointed out by @Black Tiger we don't have crystal balls to know your domain name ;)) it's hard (if not impossible) to provide help.

Most likely the TXT record was not added correctly, but only you could check that (if you don't provide the domain name).
 
Once the issue has been solved, it would be nice if you could report back what exactly was causing the problem as that might be helpful for others too.

Without knowing further details (as pointed out by @Black Tiger we don't have crystal balls to know your domain name ;)) it's hard (if not impossible) to provide help.

Most likely the TXT record was not added correctly, but only you could check that (if you don't provide the domain name).

I'll certainly post back any solution. Not that anyone would know, but my domain is in my signature below. ;)
 