dskillin

HOWTO - DomainKeys E2K3-SP2

Documentation I've found on DomainKeys installation for Exchange Server has been sparse.

The following site lists what *should* be done, however it lacks any amount of detail beyond SSL certificate creation.

http://mmmservices.web.cern.ch/mmmservices/Antispam/DomainKeysLibrary.aspx

I'd like to see a step by step guide, detailing how to install and configure DomainKeys on a Exchange 2003 platform.

Sembee

Any particular reason you want to use Domain keys? As far as I am aware Yahoo are the only people using it. It is like SPF, nice idea but the deployment isn't high enough to make it worth while.

The deployment that you have linked to looks like it is an event sink, but the instructions are pretty poor and I can find very little else on deploying it with Exchange.

Simon.
dskillin

DomainKeys is being checked by more and more organizations.  Part of your assessment with senderbase.org for example, is based on DomainKeys.

http://www.senderbase.org


Different software checks different aspects of your mail server.  

It's more of a matter of "why not", than "why".  It can't hurt to provide another method of authentication, in case that is the "ideal" method for a specific site.

Also, I'm pretty tired of user complaints about bounced mail to Yahoo! ;)  Especially given that all my A, PTR, and MX records line up.

The lack of documentation is the problem, there just aren't any good docs out there...that I've found.  The link was the best to date, but it's still pretty worthless past SSL creation.

I have been working this site for almost three years, and this is the first time that DomainKeys has even been mentioned.
Yahoo have developed this "standard" (I use the term loosely) but haven't really thought about the deployment. That article about deploying it for Exchange 2003 is useless to most Exchange server administrators, hence the poor take up within the Exchange community. Most Exchange admins wouldn't know how to build an event sink. I don't - I know someone who does when I need them.

I don't have any problems with Yahoo on any of the servers I have built or administrate. Perhaps you have another problem with email to Yahoo?

Have you set SPF? That is deployed a little more widely, although still very small.

I have asked elsewhere in a channel available to MVPs about DomainKeys.

Simon.

Yes, SPF is set and functional, both SPF1 and SPF2 (SenderID).

No open relay, no blacklists, etc.

It doesn't appear that Yahoo weighs SPF as much as they do DomainKeys.

From the header info to a test message sent to Yahoo!

domainkeys=neutral (no sig)

There are no header references to SPF, as I find in gmail.

Received-SPF: pass (google.com: domain of dskillin@xxx.com designates xx.xx.xx.xx as permitted sender)

About 50% of my messages get bounced completely, most are delayed.

It appears as if Yahoo! is grey-listing, where many messages are "try again later", however that later never comes.

Perhaps your organizations send more mail, or are weighted higher on a "trust" scale.

If Yahoo are greylisting then it isn't working very well. I have a Yahoo account that collects 300+ spam messages a day. I use greylisting elsewhere and find it very effective in cutting down spam.

Yahoo see SPF as a competitor to their DomainKeys system, so the fact that they don't use it is not a surprise. Although not everyone who uses SPF tags the headers with that information. Both DomainKeys and SPF should be used for scoring only - neither has wide scale deployment to use as a drop if you don't have it.

Checking my own domain on Senderbase I don't even register, yet can send to Yahoo without any problems. If anything my trust level is lower because I am not in the list.

"Please try Again Later" type errors usually means that the server is overloaded. I see that a lot with Blackberry's servers. If you are forwarding email to a consumer Blackberry (ie not using a BES) then the messages can hang around because there aren't enough connections available to their server. What I usually suggest in that case is to route the email via the ISPs SMTP server. The idea being that the ISP has more traffic going in to the RIM domain and the email messages can use that existing connection.

Simon.

"Both DomainKeys and SPF should be used for scoring only - neither has wide scale deployment to use as a drop if you don't have it."

There you hit the nail on the head, and you're correct, this is the way it *should* be.

Not in the list is usually considered neutral, not good, not bad, just...

The way I see it, anything I can do to improve my "score" is a good thing, when I have mails bouncing.

Yahoo being one (no real determination why), Cisco occasionally (reporting -5 score on senderbase, which oddly enough Dell reports me as around 1).  Each system is selecting their "criteria".

I just don't see it as a bad thing giving another option.

BTW

IronPort - http://www.ironport.com/company/pp_top_tech_news_10-24-2005.html

Which is fairly widely used (and associated with senderbase)

DomainKeys scores higher because it is a more difficult standard.

I am not really contributing anything here, so I will wait to see if I hear from anyone else as to an easy way to deploy DomainKeys. I don't like having to roll your own event sink - if they want people to use it then they should make it simple to deploy - particularly as Microsoft will not lift a finger as they have their own.

Simon.

Agreed, it should be simple to deploy, and it's not.

As far as contribution, sure you are, it's always good to have a second voice.

Public forums are tough sometimes.  I'd be more than happy to PM my domain info if you believe something else could be causing my woes.

While I'm still looking for a methodology to install DomainKeys, having a second set of eyes look at the setup wouldn't hurt.

Information has been sent, thanks.

As far as reputation, with 12 million messages per hour, I imagine the reputation of the site isn't marginal as is mine.  It would be interesting to measure against someone in a similar class, around 2000 messages per day in, 1000 messages out, ballpark.

Not a good start... your email to me was flagged by EE's email server as spam, which meant it went in to my spam filter at Google. I had to rescue it.

Everything looks fine on the DNS side, with one exception... your greylisting.


backupmx.domain.net's abuse response:
>>> RCPT TO:<abuse@domain.com>
<<< 451 4.7.1 Greylisting in action, please come back in 00:05:00


Certain sites will take exception to that behaviour.

What is doing your greylisting? I have seen that greylisting behaviour before, but I don't know what it is.

I use greylisting myself, but it does its thing after the rcpt to command, not before. That means that the connection is dropped on unknown user. I also don't greylist for as long as five minutes, just 60 seconds I find is enough.

If you are seeing issues with Yahoo specifically, then I would possibly suggest turning off greylisting for a while and seeing if the problems go away.

Why is greylisting causing a problem with sending email? Some sites do a call back, to see if the email address exists on the server that is sending the email message, or that there is a legitimate email server on the end of the IP address. It is yet another antispam measure. The greylisting tactic you are using could be interfering with that process.

On the topic of email message flow, one of my sites runs at similar sorts of numbers, sometimes a little higher depending on what is going on. That site is also using greylisting and doesn't have a problem with Yahoo.

Simon.
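
The greylisting behaviour Simon describes above (decide at RCPT TO, reject unknown users outright, defer known ones for about 60 seconds rather than five minutes) as an added Python example; this is not code from the thread or from milter-greylist, and the recipient list, addresses and the injectable clock are constructed for the example.

```python
import time

GREYLIST_DELAY = 60  # seconds; the thread suggests 60 s is enough rather than five minutes
# Constructed local recipient list (assumption for this example)
KNOWN_RECIPIENTS = {"abuse@example.com", "postmaster@example.com", "dskillin@example.com"}

class Greylist:
    """Greylist keyed on (client IP, envelope sender, envelope recipient) triples."""
    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay, self.clock, self.seen = delay, clock, {}

    def rcpt_to(self, client_ip, mail_from, rcpt):
        # Decide at RCPT TO: unknown users get a definitive 550, so a sender (or a
        # callback verifier) is never left retrying a 451 for an address that does not exist.
        if rcpt.lower() not in KNOWN_RECIPIENTS:
            return "550 5.1.1 User unknown"
        key = (client_ip, mail_from.lower(), rcpt.lower())
        now = self.clock()
        first_seen = self.seen.setdefault(key, now)  # record the triple on first sight
        if now - first_seen < self.delay:
            wait = int(self.delay - (now - first_seen))
            return f"451 4.7.1 Greylisting in action, please come back in {wait}s"
        return "250 2.1.5 Recipient OK"  # the triple retried after the delay: let it through

def simulate():
    # Constructed scenario: a legitimate sender retries after 30 s and again after 90 s,
    # then a probe to a non-existent mailbox; returns the SMTP reply codes in order.
    now = [1000.0]
    g = Greylist(clock=lambda: now[0])
    args = ("203.0.113.5", "sender@example.net", "dskillin@example.com")
    replies = [g.rcpt_to(*args)]
    now[0] += 30
    replies.append(g.rcpt_to(*args))
    now[0] += 60
    replies.append(g.rcpt_to(*args))
    replies.append(g.rcpt_to("203.0.113.5", "probe@example.net", "nobody@example.com"))
    return [r[:3] for r in replies]  # ["451", "451", "250", "550"]
```
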

Not exactly sure, that host, the 20 MX (backupmx) is at my provider.  I'll check with them and let you know.

milter-greylist

Where the MX host(s) in question are MX 20's, and the actual MX server, MX 10, indicated through SPF records as well is answering.

This has been like this since we moved to this provider a few years back, why would it make a difference now?

I can't help but to think that there is something else there.

There is nothing else that I can spot, but ISPs change their tactics all the time. The fact that something has been working for many years doesn't mean it is working now. Just as the spammers try different things to get through the filters, the ISPs must change things. It is a war on spam and the weapons and tactics must change constantly.

Simon.

Thanks for the discussion, Sembee. I'll leave this open for a couple days should more information pop up for the installation of DomainKeys, I'm still very curious to see if anyone has solid information and a clean way to install it.

It doesn't appear that an answer to this will arrive.

Reloading the Pix seems to have resolved most of the NDR issues.

After going through various sites I found that Yahoo Mail is somehow making its DKIM/DomainKeys a very important tool to counter spam. And this is why many of the email providers have implemented and support the same including Gmail and many others. Even when I see mails from Facebook it is even signed with DKIM.

There is not much documentation on implementing the same for IIS Smtp to support DKIM except one software which comes at a good price of $279, which I feel is too high for many site owners.

I am sure we can make it work for free and the process is:

a) IIS SMTP has a feature, Event sink, which also supports scripting, so we can process all the emails that come in.

b) We would require a script that will need to read the mail and create the DKIM signature based on RFC 2781 on it and update the same. It requires RSA SHA1 hash.

c) Publish the Public key on the DNS.

I am already working in that direction and have already made significant progress; at the moment I am just looking for a vbscript function that lets me implement the RSA algo based on PKCS#1 ver 1.5.

Cheers,
Vijay Bhatter
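
The signing step Vijay outlines (SHA-1 over the canonicalised body and headers, an RSA signature with PKCS#1 v1.5 padding, the result carried in a DKIM-Signature header) worked through as an added Python example, with the matching verification a receiver performs; this is not code from the thread or from any participant's event sink. It assumes a deliberately tiny toy RSA key built from two known primes, a constructed sample message, and signs only From/To/Subject with relaxed/simple canonicalisation; publishing the public key in DNS is not shown.

```python
import base64, hashlib, re

# Toy RSA key from two known Mersenne primes: constructed for this example only, NOT secure
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
PUB, PRIV = (P * Q, E), (P * Q, pow(E, -1, (P - 1) * (Q - 1)))
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix

def pkcs1_v15_encode(n, digest):
    # EM = 0x00 || 0x01 || 0xff...0xff || 0x00 || DigestInfo(SHA-1) || digest
    k, t = (n.bit_length() + 7) // 8, SHA1_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(priv, data):  # priv = (n, d)
    em = pkcs1_v15_encode(priv[0], hashlib.sha1(data).digest())
    return pow(int.from_bytes(em, "big"), priv[1], priv[0]).to_bytes(len(em), "big")
def rsa_sha1_verify(pub, data, sig):  # pub = (n, e)
    em = pkcs1_v15_encode(pub[0], hashlib.sha1(data).digest())
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]).to_bytes(len(em), "big") == em

def body_hash(body):
    # "simple" body canonicalisation: drop trailing empty lines, end with one CRLF
    canon = (body.rstrip("\r\n") + "\r\n").encode()
    return base64.b64encode(hashlib.sha1(canon).digest()).decode()

def canon_header_relaxed(name, value):
    # "relaxed" header canonicalisation: lowercase name, collapse whitespace
    return f"{name.lower()}:{' '.join(value.split())}\r\n".encode()

def signed_data(headers, signed, dkim_value):
    # Signed input: the listed headers, then DKIM-Signature with b= emptied and no CRLF
    hmap = {k.lower(): v for k, v in headers}
    data = b"".join(canon_header_relaxed(n, hmap[n]) for n in signed)
    unsigned = re.sub(r"(;\s*)b=[^;]*", r"\1b=", dkim_value)
    return data + canon_header_relaxed("DKIM-Signature", unsigned).rstrip(b"\r\n")

def dkim_sign(headers, body, priv, domain, selector, signed=("from", "to", "subject")):
    value = (f"v=1; a=rsa-sha1; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    sig = rsa_sha1_sign(priv, signed_data(headers, signed, value))
    return value + base64.b64encode(sig).decode()

def dkim_verify(headers, body, pub, dkim_value):
    tags = dict(t.strip().split("=", 1) for t in dkim_value.split(";") if t.strip())
    if tags.get("bh") != body_hash(body):
        return False  # body altered in transit
    data = signed_data(headers, tags["h"].split(":"), dkim_value)
    return rsa_sha1_verify(pub, data, base64.b64decode(tags["b"]))

HEADERS = [("From", "dskillin@example.com"), ("To", "user@example.net"), ("Subject", "DomainKeys   test")]
BODY = "Hello from Exchange 2003.\r\n\r\n"  # constructed sample message, not from the thread
SIG = dkim_sign(HEADERS, BODY, PRIV, "example.com", "mail")  # the DKIM-Signature header value
```

The verifier accepts a message whose trailing blank lines or header whitespace were touched in transit (that is what the canonicalisation buys) but rejects any change to the body text or to a signed header.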