Implemented Signing of outgoing emails with DKIM

digitalpoint

Well-known member
I ran into an issue where emails would have a 100% fail rate for certain domains (mac.com and icloud.com for example). Long story short, it was because I was not using DKIM to sign outbound emails. As soon as I went through the hoops of doing DKIM signing of emails, they instantly started to go through.

Ultimately I ended up setting up the DKIM signing at the MTA level of my servers (Postfix in my case). But I also noticed that the mail class that XenForo uses (Swift Mailer) has the ability to DKIM sign emails with a single line of code added. It might be useful for those who can't (or don't have the technical know-how to) do it at their MTA level.

In the \XF\Mail\Mail class, if you add this:
PHP:
$dkimOptions = \XF::options()->dkim;
if ($dkimOptions['enabled'])
{
    // Selector 'xf' means the public key must be published at xf._domainkey.<domain>
    $message->attachSigner(new \Swift_Signers_DKIMSigner($dkimOptions['privateKey'], $dkimOptions['domain'], 'xf'));
}

right before this:
PHP:
return $this->mailer->send($message, $transport, null, $allowRetry);

This assumes you have a new option named dkim that is an array with a couple of values (your private key for DKIM signing as well as your domain). If you wanted to make it really easy for people, you could generate the public/private key automatically with the openssl PHP functions and have a little blurb about what to do with the public key (add it as a DNS entry).

It also doesn't hurt if someone double signs an email (for example if XenForo signed it as well as Postfix), in fact it's not uncommon for emails to be signed at both the application and MTA level.

Anyway, I've already sorted it out for me at the MTA level, but it would be terribly easy for XF2 to do it at the software level for people if they wanted.
 
Upvote 11
This suggestion has been implemented. Votes are no longer accepted.

Xon

Well-known member
Better support to ensure DKIM signing would go a long way.

I was thinking a private config.php option, but with XF Cloud a helper which generates a hidden private key and spits out the public key to add to DNS would be the best solution.

Especially if it didn't enable DKIM signing until a DNS check succeeds. This is a critical step to avoid foot-guns where your email is being actively rejected due to an invalid DKIM setup.

Integrating that into XF Cloud for automatic setup for non-custom domains that XF controls wouldn't actually be that hard either.
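The key-generation blurb from the first post and the "don't enable until the DNS check succeeds" point from this one fit together in a single piece of code. The following is an added example, not code from the thread or from XenForo: it generates an RSA keypair with the openssl PHP functions, prints the TXT record to publish, and attaches the Swift Mailer DKIM signer only after the record at xf._domainkey.<domain> is confirmed to carry the same public key. The option layout ($dkimOptions with enabled/domain/privateKey/publicKey), the function names and the example.com domain are assumptions; Swift Mailer is assumed to be autoloaded as it is in XF 2.2.

```php
<?php
// Added example (not from the thread): generate a DKIM keypair, emit the DNS TXT
// record, and only sign once the published record matches the generated key.
// Assumes Swift Mailer is autoloaded and a hypothetical $dkimOptions array.

declare(strict_types=1);

const DKIM_SELECTOR = 'xf'; // same selector as the snippet in the first post

/** Generate a 2048-bit RSA keypair; returns [privateKeyPem, publicKeyDerBase64]. */
function dkimGenerateKeys(): array
{
    $res = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($res === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    openssl_pkey_export($res, $privatePem);
    $details = openssl_pkey_get_details($res);
    // $details['key'] is the public key in PEM; the DNS record wants only the base64 DER body.
    $pubB64 = preg_replace('/-----[^-]+-----|\s+/', '', $details['key']);
    return [$privatePem, $pubB64];
}

/** The TXT record the admin must publish at <selector>._domainkey.<domain>. */
function dkimDnsRecord(string $domain, string $pubB64): array
{
    return [
        'name'  => DKIM_SELECTOR . '._domainkey.' . $domain,
        'value' => 'v=DKIM1; k=rsa; p=' . $pubB64,
    ];
}

/** True only if DNS already publishes a DKIM record carrying this exact public key. */
function dkimDnsMatches(string $domain, string $pubB64): bool
{
    $name = DKIM_SELECTOR . '._domainkey.' . $domain;
    $records = @dns_get_record($name, DNS_TXT) ?: [];
    foreach ($records as $r) {
        // Long TXT values are split into several strings; join them before parsing.
        $txt = implode('', $r['entries'] ?? [$r['txt'] ?? '']);
        $txt = preg_replace('/\s+/', '', $txt);
        if (preg_match('/(?:^|;)p=([A-Za-z0-9+\/=]+)/', $txt, $m) && $m[1] === $pubB64) {
            return true;
        }
    }
    return false;
}

/** Attach the signer only when the key is published, so a half-finished setup cannot break delivery. */
function dkimMaybeSign(Swift_Message $message, array $dkimOptions): bool
{
    if (empty($dkimOptions['enabled'])) {
        return false;
    }
    if (!dkimDnsMatches($dkimOptions['domain'], $dkimOptions['publicKey'])) {
        return false; // record missing or stale: send unsigned rather than badly signed
    }
    $message->attachSigner(new Swift_Signers_DKIMSigner(
        $dkimOptions['privateKey'], $dkimOptions['domain'], DKIM_SELECTOR
    ));
    return true;
}

// One-time setup (e.g. from an admin tool); store both keys in the dkim option afterwards.
[$privatePem, $pubB64] = dkimGenerateKeys();
$record = dkimDnsRecord('example.com', $pubB64);
echo "Add a TXT record named {$record['name']} with value:\n{$record['value']}\n";
```

Sending unsigned when the DNS check fails is the deliberate trade-off here: an unsigned message is merely less trusted, whereas a message signed with a key that DNS does not publish fails DKIM verification outright, which is exactly the rejection scenario described above. Because DNS lookups on every send are slow, a real deployment would cache the result of dkimDnsMatches for some minutes.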
 

digitalpoint

Well-known member
Integrating that into XF cloud for automatic setup for non-custom domains that XF control wouldn't actually be that hard either.
DNS for community.forum is already handled by Cloudflare. If they are adding subdomains on demand, they are probably already using the Cloudflare API for DNS management. So ya... would be really easy to just add an extra TXT record if they are already adding the subdomain that way.
 

Chris D

XenForo developer
Staff member
Very valid suggestion, but worth noting that for XF Cloud we already sign with DKIM at the MTA level (Postfix), so it's not an immediate consideration for Cloud customers, at least.

The other thing is while we're using Swiftmailer in XF 2.2, we've switched to Symfony Mailer in XF 2.3.

So we'd need to check to see if that supports DKIM signing.

UPDATE: It does:
 