Opened 3 years ago

Last modified 2 weeks ago

#11487 assigned Feature/Enhancement Request

add dkim signing for all outgoing email

Reported by: Owned by:
Priority: Medium Component: Tech
Keywords: dkim email-deliverability Cc:
Sensitive: no


We may be able to improve deliverability by using dkim on cleaveland, rustin, gil and paulo.

See also #10499 for the use of spf.

See for a basic tutorial.

Change History (6)

comment:1 Changed 3 years ago by

  • Owner set to
  • Status changed from new to assigned

comment:2 Changed 3 years ago by

Curious about this. Will we be adding DKIM authentication to our mail servers? Right now spam score for sent email from civi aren't so great.

comment:3 Changed 3 years ago by

This might not happen, at least in the short term.

With DKIM, we need to sign each message based on the From address - since we have thousands of different from addresses for email going through our bulk relay servers.

For groups with a dedicated virtual server, one option would be to have email delivered locally (and we can configure a local dedicated server to dkim sign your messages) and then the dedicated mosh can relay via postfix to our relay servers.

comment:4 Changed 18 months ago by

As a first step - we can set this up on our servers.

With OpenDKIM - you can specify which domains should be signed - and OpenDKIM will ignore messages not included in the list and sign ones that it can.

So, first I'll setup things manually for the domain on gil and paulo.

The second step is to figure out how regular members can turn it on via the control panel.

Then, we can address implementation on our bulk relay servers.

comment:5 Changed 17 months ago by

  • Keywords email-deliverability added

comment:6 Changed 2 weeks ago by

I think it will be more flexible if we setup a dedicated opendkim server, so paulo, gil and the bulk relay servers can all use the same opnedkim servers rather than manage opendkim themselves.

Then, we can experimentally configure gil and paulo to use them first, and if successful add to cleveland (watch load) and if it works, add rustin.

Please login to add comments to this ticket.

Note: See TracTickets for help on using tickets.