Do you run a mail server, or own a domain example.com that you send mail from?
PSA about the Coming DKIMpocalypse on Thursday when Google and Yahoo tighten mail rules:
https://support.google.com/a/answer/81126?hl=en
https://senders.yahooinc.com/best-practices/
1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair under a selector name, say “foo” (e.g., with opendkim-genkey), configure your mail server to sign with it, and publish the public key in the DNS under that selector, like:
foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)
DKIMpocalypse PSA
2/3. The domain of the envelope sender (the SMTP MAIL FROM) you use must have an SPF policy in the DNS that doesn't exclude your mail server's IP address, like:
example.com. IN TXT "v=spf1 ?all"
Note that "?all" is neutral: SPF neither passes nor fails, so your server isn't excluded, but nothing counts as an SPF pass either (and DMARC, below, only credits SPF when it passes). If your mail server is at, say, 198.51.100.42, you improve the odds of delivery by listing it explicitly, so mail from that address gets a pass:
example.com. IN TXT "v=spf1 ip4:198.51.100.42 ?all"
(This one isn't new—you probably already had to do this a long time ago.)
DKIMpocalypse PSA
3/3. The domain of your “From: ...@example.com” header fields must have a DMARC policy in the DNS, like:
_dmarc.example.com. IN TXT "v=DMARC1; p=none"
With p=none the record only declares that a policy exists; receivers are asked to take no action on failures, so it satisfies the rule without putting your own mail at risk.
And as a reward for all your hard work to implement this rigmarole, this will do absolutely nothing to reduce anyone's spam!
At best, you can tighten the SPF and DMARC policies to restrict phishing attempts made using your domain, but there are foot-guns…
DKIMpocalypse PSA
How can you use this to shoot yourself in the foot and make your mail undeliverable to Goohoo! users?
- skip DKIM signature
- exclude your IP from SPF policy
- send mail where the “From:” domain aligns with neither the SPF-authenticated envelope sender domain nor the d= domain of a DKIM signature that still verifies (e.g., write to a mailing list that forwards your message under its own envelope sender and adds a footer, which breaks your signature) and set “p=quarantine” or “p=reject” in DMARC
You can also inundate yourself with extra mail from every receiving provider by adding “rua=mailto:postmaster@example.com”, which requests aggregate XML reports of the authentication results for your domain, because who doesn't thirst for more mail?
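The three records from posts 1/3 to 3/3 and the alignment foot-gun from this post, put together as an added example (this is not code from the original thread). It checks a constructed, in-memory stand-in for the DNS zone (the domains, the selector "foo", the IP 198.51.100.42 and the mailing-list host lists.example.org are assumptions taken from or added to the thread; the p= value is a placeholder), evaluates SPF with only the ip4/ip6/all mechanisms, and then decides what a DMARC-enforcing receiver does with a message sent directly versus the same message relayed by a list.

```python
"""Added example: offline checks for the DKIM/SPF/DMARC records described in the
PSA, plus a simplified DMARC decision that reproduces the mailing-list foot-gun.
ZONE is constructed data standing in for what `dig TXT` would return."""
import ipaddress

# Constructed zone: the three records from the thread, plus a list server.
ZONE = {
    # p= is a placeholder, not a real key
    "foo._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER",
    "example.com": "v=spf1 ip4:198.51.100.42 ?all",
    "_dmarc.example.com": "v=DMARC1; p=reject",
    # Assumed mailing-list host that re-sends your message under its own envelope sender
    "lists.example.org": "v=spf1 ip4:203.0.113.7 -all",
}


def parse_tags(txt):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC records share this syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dkim_record(zone, selector, domain):
    """Post 1/3: the selector record must exist with v=DKIM1 and a non-empty p=."""
    txt = zone.get(f"{selector}._domainkey.{domain}")
    if txt is None:
        return False
    tags = parse_tags(txt)
    return tags.get("v") == "DKIM1" and bool(tags.get("p"))


def spf_result(zone, domain, ip):
    """Post 2/3, simplified SPF: only ip4/ip6/all mechanisms with qualifiers.
    Real SPF (RFC 7208) also has include:, a, mx, redirect= and lookup limits;
    those are deliberately left out here."""
    txt = zone.get(domain, "")
    if not txt.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for mech in txt.split()[1:]:
        q = "+"  # a mechanism without a qualifier means "+"
        if mech[0] in qualifiers:
            q, mech = mech[0], mech[1:]
        if mech == "all":
            return qualifiers[q]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if addr in net:  # False when address families differ
                return qualifiers[q]
    return "neutral"  # no mechanism matched and no "all" present


def dmarc_policy(zone, domain):
    """Post 3/3: return the p= tag of the _dmarc record, or None if absent."""
    txt = zone.get(f"_dmarc.{domain}")
    if txt is None:
        return None
    tags = parse_tags(txt)
    return tags.get("p") if tags.get("v") == "DMARC1" else None


def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified: same domain or a subdomain of the From: domain.
    Real DMARC compares organizational domains using the public suffix list."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(zone, from_domain, envelope_domain, source_ip, dkim_domain=None):
    """What a DMARC-enforcing receiver does with a message.
    dkim_domain is the d= of a signature that VERIFIED; pass None when there is
    no signature or it broke in transit (e.g. a list added a footer)."""
    policy = dmarc_policy(zone, from_domain)
    if policy is None:
        return "no-dmarc"
    spf_ok = (spf_result(zone, envelope_domain, source_ip) == "pass"
              and aligned(envelope_domain, from_domain))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    print("DKIM record ok:", check_dkim_record(ZONE, "foo", "example.com"))
    # Direct mail from your own server: SPF passes and aligns.
    print("direct:", dmarc_disposition(ZONE, "example.com", "example.com", "198.51.100.42", "example.com"))
    # Same message via the list: foreign envelope sender, broken DKIM, p=reject bites.
    print("via list:", dmarc_disposition(ZONE, "example.com", "lists.example.org", "203.0.113.7", None))
```

The last call is the foot-gun: the list's SPF passes for the list's own domain, but that domain does not align with your From: header, and with the signature broken there is nothing left to align, so "p=reject" turns your own post into rejected mail. Change the record to "p=none" and the same message is delivered.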
DKIMpocalypse PSA
Bonus: DKIM creates a leak incentive because the mail server cryptographically attests to every message you write, in signatures that anyone in the world can verify against your published public key, even on private messages not meant for public consumption; a leaked mailbox becomes a pile of non-repudiable documents.
So you might want to rotate your DKIM keys and publish the old private keys periodically, so that any old signature could have been forged by anyone:
https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/