Opened 3 years ago

Last modified 2 months ago

#11487 assigned Feature/Enhancement Request

add dkim signing for all outgoing email

Reported by: Jamie McClelland
Owned by: Jamie McClelland
Priority: Medium
Component: Tech
Keywords: dkim email-deliverability
Cc:
Sensitive: no

Description

We may be able to improve deliverability by using dkim on cleaveland, rustin, gil and paulo.

See also #10499 for the use of spf.

See https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy for a basic tutorial.

Change History (6)

comment:1 Changed 3 years ago by Jamie McClelland

Owner: set to Jamie McClelland
Status: new → assigned

comment:2 Changed 3 years ago by Jackrabbit

Curious about this. Will we be adding DKIM authentication to our mail servers? Right now spam scores for sent email from civi aren't so great.

comment:3 Changed 3 years ago by Jamie McClelland

This might not happen, at least in the short term.

With DKIM, we need to sign each message based on the From address - since we have thousands of different from addresses for email going through our bulk relay servers.

For groups with a dedicated virtual server, one option would be to have email delivered locally (and we can configure a local dedicated server to dkim sign your messages) and then the dedicated mosh can relay via postfix to our relay servers.

comment:4 Changed 19 months ago by Jamie McClelland

As a first step - we can set this up on our mail.mayfirst.org servers.

With OpenDKIM - you can specify which domains should be signed - and OpenDKIM will ignore messages not included in the list and sign ones that it can.

So, first I'll set things up manually for the mayfirst.org domain on gil and paulo.

The second step is to figure out how regular members can turn it on via the control panel.

Then, we can address implementation on our bulk relay servers.

comment:5 Changed 19 months ago by Jamie McClelland

Keywords: email-deliverability added

comment:6 Changed 2 months ago by Jamie McClelland

I think it will be more flexible if we set up a dedicated opendkim server, so paulo, gil and the bulk relay servers can all use the same opendkim servers rather than manage opendkim themselves.

Then, we can experimentally configure gil and paulo to use them first, and if successful add to cleveland (watch load) and if it works, add rustin.
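
The setup discussed in comments 4 and 6, sketched as an added configuration example (not part of the ticket and not May First's actual configuration): a shared OpenDKIM host that signs only the domains in its signing table, with each Postfix server pointing at it as a milter. The host name `dkim.example.net`, the 192.0.2.x addresses, the file paths and the `SELECTOR` placeholder are all assumptions.

```conf
# --- /etc/opendkim.conf on the dedicated signing host (paths are assumptions) ---
# Sign only; this host does not verify inbound mail.
Mode                s
# Listen on TCP so remote Postfix servers can connect (constructed address).
# Restrict this port by firewall to the mail servers that are meant to use it.
Socket              inet:8891@192.0.2.10
Canonicalization    relaxed/simple
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
# Client addresses whose mail is eligible for signing.
InternalHosts       /etc/opendkim/TrustedHosts

# --- /etc/opendkim/SigningTable ---
# From-address pattern      key name in KeyTable
# A message whose From address matches no pattern passes through unsigned.
*@mayfirst.org              mayfirst

# --- /etc/opendkim/KeyTable ---
# key name   signing domain:selector:private key file
mayfirst     mayfirst.org:SELECTOR:/etc/opendkim/keys/mayfirst.org/SELECTOR.private

# --- /etc/opendkim/TrustedHosts ---
# Constructed example network; list the clients that submit mail to be signed.
127.0.0.1
192.0.2.0/24

# --- /etc/postfix/main.cf on each mail server using the shared signer ---
smtpd_milters         = inet:dkim.example.net:8891
non_smtpd_milters     = $smtpd_milters
# accept: mail still goes out, unsigned, if the signer is unreachable.
# tempfail: mail is deferred until the signer is back.
milter_default_action = accept
```

The public half of each key is published as a TXT record at `SELECTOR._domainkey.<domain>`; adding a domain later means one more line in each of the two tables plus that DNS record.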
