DKIM email issue

[faddat]

Description
Today we had a nasty DKIM issue! We did not have DKIM in our DNSimple, which was causing our mail to go directly to people's spam.

Tasks

• Generate DKIM record on Google from the Admin panel at admin.google.com (Must be Super-admin)
• Put DKIM record in DNSSimple as a TXT record
• Test DKIM record - Is Not Spam

We fixed it by generating a DKIM key on Google's admin panel, and adding that to our Netlify DNS settings.

DKIM Definition
DKIM (DomainKeys Identified Mail) is a method to validate the authenticity of email messages. When each email is sent, it is signed using a private key and then validated on the receiving mail server (or ISP) using a public key that is in DNS. This process verifies that the message was not altered during transit.

Links
Setup DKIM to Prevent E-mail Spoofing
Generate a DKIM key for your domain

[guylepage3]

@faddat can you provide any links or references for this issue and tasks? Thank you.

[guylepage3]

@faddat I just added back the Tasks list for you. 👍

[guylepage3]

Lastly can you assign this issue a Label please? Thank you

[guylepage3]

Sent @vsund a test email..

[guylepage3]

Testing via Is Not Spam – http://isnotspam.com/

[guylepage3]

Report

This message is an automatic response from isNOTspam's authentication verifier service. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community. While it is not officially supported, we welcome any feedback you may have at .

Thank you for using isNOTspam.

The isNOTspam team

==========================================================
Summary of Results

SPF Check : pass
Sender-ID Check : pass
DKIM Check : pass
SpamAssassin Check : ham (non-spam)

Details:

HELO hostname: mail-ed1-f66.google.com
Source IP: 209.85.208.66
mail-from: guy@universe.engineering
Anonymous To: ins-dad5mvk2@isnotspam.com

SPF check details:

Result: pass
ID(s) verified: smtp.mail=guy@universe.engineering
DNS record(s):
universe.engineering. 3594 IN TXT "v=spf1 include:_spf.google.com ~all"

---

Sender-ID check details:

Result: pass

ID(s) verified: smtp.mail=guy@universe.engineering
DNS record(s):
universe.engineering. 3594 IN TXT "v=spf1 include:_spf.google.com ~all"

---

DKIM check details:

Result: pass
ID(s) verified: header.From=guy@universe.engineering
Selector=google
domain=universe.engineering
DomainKeys DNS Record=google._domainkey.universe.engineering

---

SpamAssassin check details:

SpamAssassin 3.4.1 (2015-04-28)

Result: ham (non-spam) (01.4points, 10.0 required)

pts rule name description

---

• 0.5 RCVD_IN_SORBS_SPAM RBL: SORBS: sender is a spam source
• [209.85.208.66 listed in dnsbl.sorbs.net]
• 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
• See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
• for more information.
• [URIs: universe.engineering]
• -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
• trust
• [209.85.208.66 listed in list.dnswl.org]
• -2.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
• [209.85.208.66 listed in wl.mailspike.net]
• 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
• [score: 1.0000]
• -0.0 SPF_PASS SPF: sender matches SPF record
• 0.0 URI_TRY_3LD URI: "Try it" URI, suspicious hostname
• 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
• [score: 1.0000]
• 0.1 HTML_MESSAGE BODY: HTML included in message
• -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
• domain
• 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
• valid
• -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
  X-Spam-Status: Yes, hits=1.4 required=-20.0 tests=BAYES_99,BAYES_999,
  DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
  RCVD_IN_MSPIKE_H2,RCVD_IN_SORBS_SPAM,SPF_PASS,URIBL_BLOCKED,URI_TRY_3LD
  autolearn=no autolearn_force=no version=3.4.0
  X-Spam-Score: 1.4

To learn more about the terms used in the SpamAssassin report, please search
here: http://wiki.apache.org/spamassassin/

==========================================================
Explanation of the possible results (adapted from
draft-kucherawy-sender-auth-header-04.txt):

"pass"
the message passed the authentication test.

"fail"
the message failed the authentication test.

"softfail"
the message failed the authentication test, and the authentication
method has either an explicit or implicit policy which doesn't require
successful authentication of all messages from that domain.

"neutral"
the authentication method completed without errors, but was unable
to reach either a positive or a negative result about the message.

"temperror"
a temporary (recoverable) error occurred attempting to authenticate
the sender; either the process couldn't be completed locally, or
there was a temporary failure retrieving data required for the
authentication. A later retry may produce a more final result.

"permerror"
a permanent (unrecoverable) error occurred attempting to
authenticate the sender; either the process couldn't be completed
locally, or there was a permanent failure retrieving data required
for the authentication.

[guylepage3]

Looks as though everything is passing now.

[faddat]

Yes, looks good. We will need to work on #71 next.

Well, that or we could just stay with the netlify/dnsimple setup that we've got. I do find that since we're using G Suite, probably easiest in the long term to just use google's set of solutions.

[guylepage3]

@faddat can you provide the instructions or tasks you executed in order to get the DKIM setup in the Tasks heading? As well as the link to the tutorial? Thanks.