Signing your email

When creating a website, you will most likely want to send emails from your code: a contact request, a response to a user, or anything else. Many of these emails are better signed, because otherwise mail clients display them in a way that looks strange to a regular user or suspicious to a more experienced one, or route them to spam. For example, Gmail adds a “via” part to the From field. So, how do we sign outgoing emails?

1. SPF
SPF is the Sender Policy Framework, an open standard specifying a technical method to prevent sender address forgery. You can read more about what it is and why it exists here; I will focus only on how you would use it.

You need to create a DNS TXT record with a string saying whom you allow to send email in your domain’s name. Here is the syntax; if you want to allow any host of your domain (this works well for mail sent from your code, but is not very secure), you can use the string “v=spf1 +a +mx -all”. To be sure your string is correct, you can use the validator.

In the end, your zone file will contain something like this:
@ IN TXT "v=spf1 +a +mx -all"

After your DNS has updated, you can check the record with the same validator.
However, the best check is in your mail client; for Gmail, a validated SPF looks like this:
Received-SPF: pass (google.com: domain of mailer@example.com designates *.*.*.* as permitted sender) client-ip=*.*.*.*;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of mailer@example.com designates *.*.*.* as permitted sender)
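To make the record above concrete, here is a small SPF evaluator written for this post (it is an added example, not code from the post or from any SPF library). It implements the mechanisms a typical record uses (a, mx, ip4/ip6, include, all) with the four qualifiers, and runs against a constructed, hard-coded DNS table instead of real lookups, so the domain names and addresses in it are illustrative only. It also shows why “+a +mx -all” is permissive: every host with an A record for the domain, not just the mail server, may send.

```python
"""Minimal SPF (RFC 7208) evaluator, standard library only.

Constructed example: the DNS table below stands in for real A/MX/TXT
lookups so the code runs offline. Real code would resolve these records.
"""
import ipaddress

DNS = {
    # The record from the post: any A host or MX host may send.
    "example.com": {
        "TXT": "v=spf1 +a +mx -all",
        "A": ["203.0.113.10"],          # the web server (sends from code)
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    # A stricter record for contrast: only the mail host may send.
    "strict.example": {
        "TXT": "v=spf1 ip4:203.0.113.25 -all",
        "A": ["203.0.113.10"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(name):
    return [ipaddress.ip_address(a) for a in DNS.get(name, {}).get("A", [])]


def _mx_addrs(domain):
    addrs = []
    for host in DNS.get(domain, {}).get("MX", []):
        addrs.extend(_a_records(host))
    return addrs


def check_spf(client_ip, domain):
    """Return the SPF result for a connection from client_ip whose
    envelope sender is in `domain`: pass, fail, softfail, neutral,
    none (no record) or permerror (mechanism this toy does not know)."""
    ip = ipaddress.ip_address(client_ip)
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        term = term.lower()
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled here
        qualifier = "+"  # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in _a_records(arg or domain)
        elif name == "mx":
            matched = ip in _mx_addrs(arg or domain)
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, arg) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "example.com"),
                    ("203.0.113.25", "example.com"),
                    ("198.51.100.7", "example.com"),
                    ("203.0.113.10", "strict.example")]:
        print(f"{ip:>14} as {dom}: {check_spf(ip, dom)}")
```

Run it and compare the two records: the web server passes under “+a +mx -all” because it has an A record, but fails under the stricter ip4-only record, which is the trade-off the post alludes to when it calls the first string “not very secure”.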

2. DKIM
DKIM stands for DomainKeys Identified Mail, which attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the author’s From: field. More on it here.

This one is a bit more complex. You need to generate a key pair, use one key to sign your emails’ headers and publish the other in your DNS records.
There are quite a few DKIM implementations; I use the one that is simplest for me, PHP-DKIM.

Here are the steps:

1. Create the keys. For example, you can run (on any system):
openssl genrsa -out key.priv 384
openssl rsa -in key.priv -out key.pub -pubout -outform PEM

This key is not very secure (384 bits is very short); better to use a longer key and rsa-sha256 signing.

2. Copy the keys into dkim-cfg.php; do not mix up public and private. Set your domain and selector there (as far as I understand, the selector can be any word). Run dkim-test.php; it will output a DNS record for you, which you add to your zone file. Then add the AddDKIM function to your email sending scripts, as shown in dkim-test.php.

After DNS has updated, you’ll see something like this:
Received-SPF: pass (google.com: domain of mailer@example.com designates *.*.*.* as permitted sender) client-ip=*.*.*.*;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of mailer@example.com designates *.*.*.* as permitted sender) smtp.mail=mailer@example.com; dkim=pass header.i=@example.com

If you see dkim=hardfail instead, something went wrong. I found this service for checking, but had no reason to use it.
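The pieces PHP-DKIM hides behind AddDKIM and dkim-test.php are worth seeing once. The following is an added example written for this post, not PHP-DKIM’s code: it implements the two DKIM body canonicalizations and the SHA-256 body hash that goes into the bh= tag (the “SHA256” the key step refers to, as rsa-sha256), builds the <selector>._domainkey TXT record from a PEM public key the way dkim-test.php prints it, and parses the Authentication-Results header shown above to pull out the spf= and dkim= verdicts. The PEM used is a constructed placeholder, not a real key, and the header text is the one from the post.

```python
"""DKIM (RFC 6376) helpers, standard library only: body canonicalization,
body hash, DNS record construction and Authentication-Results parsing."""
import base64
import hashlib
import re

# Constructed placeholder, not a real key: a real "openssl rsa -pubout"
# PEM has a much longer base64 body.
PLACEHOLDER_PEM = """-----BEGIN PUBLIC KEY-----
PLACEHOLDERBASE64LINE1
PLACEHOLDERBASE64LINE2
-----END PUBLIC KEY-----"""

# Header body as shown in the post (field name stripped).
AUTH_RESULTS_EXAMPLE = (
    "mx.google.com; spf=pass (google.com: domain of mailer@example.com "
    "designates *.*.*.* as permitted sender) smtp.mail=mailer@example.com; "
    "dkim=pass header.i=@example.com"
)


def simple_body(body: bytes) -> bytes:
    """'simple' canonicalization: drop trailing empty lines, end with CRLF.
    An empty body canonicalizes to a single CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' canonicalization: collapse whitespace runs within a line
    to one space, strip trailing whitespace, drop trailing empty lines and
    end a non-empty body with CRLF. An empty body canonicalizes to b''."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body: the bh= tag value for an
    rsa-sha256 signature (the RSA key only signs this hash plus the headers)."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def dkim_dns_record(selector: str, domain: str, public_key_pem: str):
    """Return (record name, TXT value): the PEM armour is dropped and the
    base64 body joined into the p= tag, as dkim-test.php prints for you."""
    b64 = "".join(ln.strip() for ln in public_key_pem.splitlines()
                  if ln.strip() and not ln.startswith("-----"))
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={b64}"


def auth_results(header: str) -> dict:
    """Parse an Authentication-Results value into {method: result},
    e.g. {'spf': 'pass', 'dkim': 'pass'}. Parenthesised comments are
    removed first so the text inside them cannot confuse the split."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    value = re.sub(r"\([^)]*\)", "", header)
    results = {}
    for part in value.split(";")[1:]:  # part 0 is the authserv-id
        part = part.strip()
        if part:
            method, _, result = part.split()[0].partition("=")
            if result:
                results[method] = result
    return results


if __name__ == "__main__":
    print(dkim_dns_record("mail", "example.com", PLACEHOLDER_PEM))
    print("bh (empty body, simple):", body_hash(b"", "simple"))
    print("bh (tidy vs sloppy whitespace, relaxed):",
          body_hash(b"Hello world\r\n"), body_hash(b"Hello  world \r\n\r\n"))
    print(auth_results(AUTH_RESULTS_EXAMPLE))
```

The relaxed canonicalization is what keeps a signature valid when a relay reflows whitespace, while any change to the body text itself changes bh= and produces the dkim=hardfail mentioned above; checking Authentication-Results after a DNS change is therefore the quickest way to tell a DNS problem (no record found) from a signing problem (record found, hash mismatch).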

That’s it! Now your emails should be signed, Gmail won’t show the “via” thing any more, and everyone will like you. Probably 🙂