So I have recently been moving from one VPS to another. My first step was to move this website. Second was email services.
Now, email has existed a long time. SMTP, the protocol used to transfer mail between clients and servers (and from server to server, and often internally on servers from one queue to another during processing) has existed largely unchanged since 1982, almost a decade before the World Wide Web. Yet we’ve seen big changes to how email is used.
I won’t go into how standards like MIME built on top of the older standards in mostly compatible ways to add features like attachments, HTML messages, encrypted messages, and so on. But what I will talk about is DKIM.
When email was first introduced, people didn’t foresee the problems of spam, viruses, phishing, and mail forgery in general. The email protocols include virtually no way to trace or guarantee the origin of a message: every header, the From address included, is simply whatever the submitting party chose to write. DKIM (DomainKeys Identified Mail) addresses this pretty well. It lets a domain put a cryptographic signature on the mail it sends, in a way that mail servers and clients can handle automatically without being obtrusive and without interfering with the content of the message itself.
The server where the message originates takes a few key pieces of information (a hash of the message body, plus a chosen set of headers, typically From, To, Subject and Date, and often others such as Reply-To) and uses its private key to generate a signature over them, which it stashes in a DKIM-Signature header added to the message. That header also records the signing domain, a selector, and the list of headers it covers. The server which receives the message looks up the signing domain’s public key in DNS (a TXT record at selector._domainkey.domain), uses it to verify the signature, and checks that the body and those covered headers haven’t been tampered with in transit. Only the headers named in the signature are protected: one left off the list can be altered without breaking the signature.
Is that enough to ensure total trust of the message? No, of course not. A valid signature tells you which domain vouched for the message, not that the domain or its sender is honest, and a signature survives forwarding, so it says nothing about the route the message took. But knowing for sure which domain it came from is a good start, and it is what DMARC builds on to tie that domain to the From address the reader actually sees.
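As an added example, not code from this site or from OpenDKIM, here is the signing and verification just described carried out end to end in Python with only the standard library: the relaxed canonicalization from RFC 6376, the body hash (bh=), the selection of signed headers (h=), the DNS name the receiver queries (selector._domainkey.domain) and an rsa-sha256 signature. Two things are assumptions made so that it runs offline: the RSA key is a fixed textbook key built from two published Mersenne primes (anyone can factor it, so it demonstrates the mechanism only), and the DNS lookup is a dict that already holds the decoded public key rather than the DER-encoded p= value of a real TXT record. The domain, selector and message are constructed for the example.

```python
# Added example (not the page's or OpenDKIM's code): DKIM sign and verify using only the
# standard library. Assumptions: a fixed textbook RSA key with PKCS#1 v1.5 padding stands
# in for an OpenSSL key, and a dict stands in for the selector._domainkey.domain TXT lookup.
import base64
import hashlib
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]  # the h= list; Reply-To is left out


# --- relaxed canonicalization, RFC 6376 section 3.4 ---
def canon_header(name, value):
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()     # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"


def canon_body(body):
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":  # trailing empty lines are ignored
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body):  # the bh= tag
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()


def select_headers(headers, names):  # last instance of each signed name (section 5.4.2)
    last = {n.lower(): (n, v) for n, v in headers}
    return [last[n] for n in names if n in last]


def header_hash_input(headers, names, sig_value):
    data = "".join(canon_header(n, v) for n, v in select_headers(headers, names))
    no_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\g<1>\g<2>b=", sig_value)  # b= value blanked out
    return data + canon_header("DKIM-Signature", no_b).rstrip("\r\n")


# --- RSASSA-PKCS1-v1_5 with SHA-256, written out rather than imported ---
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(digest, k):
    t = _SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(key, digest):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(digest, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(pub, digest, sig):
    k = (pub["n"].bit_length() + 7) // 8
    m = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"])
    return len(sig) == k and m.to_bytes(k, "big") == _emsa_pkcs1_v15(digest, k)


# --- DKIM signer and verifier ---
def dkim_sign(headers, body, domain, selector, key):
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    digest = hashlib.sha256(header_hash_input(headers, SIGNED_HEADERS, value).encode()).digest()
    return ("DKIM-Signature", value + base64.b64encode(rsa_sign(key, digest)).decode())


def parse_tags(value):
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}


def dkim_verify(headers, body, dns):
    """Return 'pass', 'fail: ...' or 'permerror: ...', as a real verifier reports."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), "")
    tags = parse_tags(sig)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return "permerror: missing or unsupported signature"
    record = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")  # the TXT lookup
    if record is None or record.get("k", "rsa") != "rsa":
        return "permerror: no usable key record"
    if body_hash(body) != tags.get("bh"):
        return "fail: body hash mismatch"
    digest = hashlib.sha256(header_hash_input(headers, tags.get("h", "").split(":"), sig).encode()).digest()
    ok = rsa_verify(record["pub"], digest, base64.b64decode(tags.get("b", "")))
    return "pass" if ok else "fail: bad signature"


# Demo key from two public Mersenne primes, so no key generator is needed; anyone can
# factor it, so it shows the mechanism only (opendkim-genkey or openssl make real keys).
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
KEY = {"n": _P * _Q, "e": 65537}
KEY["d"] = pow(KEY["e"], -1, (_P - 1) * (_Q - 1))

# Constructed sample: one domain, one selector, one message (not a real capture).
DOMAIN, SELECTOR = "example.net", "mail2024"
DNS = {f"{SELECTOR}._domainkey.{DOMAIN}": {"v": "DKIM1", "k": "rsa", "pub": {"n": KEY["n"], "e": KEY["e"]}}}
HEADERS = [("From", "Alice <alice@example.net>"), ("To", "bob@example.org"),
           ("Subject", "Invoice for March"), ("Date", "Mon, 01 Apr 2024 09:00:00 +0000"),
           ("Reply-To", "alice@example.net")]
BODY = "Hi Bob,  \r\n\r\nPlease find the invoice attached.\r\n\r\n\r\n"
SIGNED = [dkim_sign(HEADERS, BODY, DOMAIN, SELECTOR, KEY)] + HEADERS  # signature goes on top
```

Verifying SIGNED against BODY returns pass, and so does verifying it against a copy of the body with the trailing spaces and blank lines removed, because relaxed canonicalization treats them as insignificant (which is what lets the signature survive the minor rewriting mail relays do). Appending a line to the body gives a body hash mismatch; editing the Subject gives a bad signature; editing Reply-To, which is not in the h= list here, still passes, which is why the list of signed headers matters; and a missing key record is reported as a permerror rather than a fail, as real verifiers distinguish the two.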
When I first started noodling with DKIM, it was pretty hard to implement and there wasn’t much guidance on how to do it. Nowadays with projects like OpenDKIM, it’s achievable by mere mortals such as I.
I found How To Install and Configure DKIM with Postfix on Debian Wheezy, published by hosting company DigitalOcean, to be very useful, even though this site isn’t hosted by them, nor is it running Debian Wheezy! I changed a few bits here and there to better match how I had other aspects of my mail infrastructure set up, but mostly this 6-year-old article is still pretty applicable.