Solved

HOWTO - DomainKeys E2K3-SP2

Posted on 2006-11-27
1,274 Views
Last Modified: 2008-03-03
Documentation I've found on DomainKeys installation for Exchange Server has been sparse.

The following site lists what *should* be done, however it lacks any amount of detail beyond SSL certificate creation.

http://mmmservices.web.cern.ch/mmmservices/Antispam/DomainKeysLibrary.aspx

I'd like to see a step-by-step guide detailing how to install and configure DomainKeys on an Exchange 2003 platform.

Question by: dskillin

17 Comments

Expert Comment by: Sembee

Any particular reason you want to use Domain keys? As far as I am aware Yahoo are the only people using it. It is like SPF, nice idea but the deployment isn't high enough to make it worth while.

The deployment that you have linked to looks like it is an event sink, but the instructions are pretty poor and I can find very little else on deploying it with Exchange.

Simon.

Author Comment by: dskillin

DomainKeys is being checked by more and more organizations.  Part of your assessment with senderbase.org for example, is based on DomainKeys.

http://www.senderbase.org


Different software checks different aspects of your mail server.  

It's more of a matter of "why not", than "why".  It can't hurt to provide another method of authentication, in case that is the "ideal" method for a specific site.

Also, I'm pretty tired of user complaints about bounced mail to Yahoo! ;)  Especially given that all my A, PTR, and MX records line up.

The lack of documentation is the problem, there just aren't any good docs out there...that I've found.  The link was the best to date, but it's still pretty worthless past SSL creation.

Expert Comment by: Sembee

I have been working this site for almost three years, and this is the first time that DomainKeys has even been mentioned.
Yahoo have developed this "standard" (I use the term loosely) but haven't really thought about the deployment. That article about deploying it for Exchange 2003 is useless to most Exchange server administrators, hence the poor take up within the Exchange community. Most Exchange admins wouldn't know how to build an event sink. I don't - I know someone who does when I need them.

I don't have any problems with Yahoo on any of the servers I have built or administrate. Perhaps you have another problem with email to Yahoo?

Have you set SPF? That is deployed a little more widely, although still very small.

I have asked elsewhere in a channel available to MVPs about DomainKeys.

Simon.

Author Comment by: dskillin

Yes, SPF is set and functional, both SPF1 and SPF2 (SenderID).

No open relay, no blacklists, etc.

It doesn't appear that Yahoo weighs SPF as much as they do DomainKeys.

From the header info to a test message sent to Yahoo!

domainkeys=neutral (no sig)

There are no header references to SPF, as I find in gmail.

Received-SPF: pass (google.com: domain of dskillin@xxx.com designates xx.xx.xx.xx as permitted sender)

About 50% of my messages get bounced completely, most are delayed.

It appears as if Yahoo! is grey-listing, where many messages are "try again later", however that later never comes.

Perhaps your organizations send more mail, or are weighted higher on a "trust" scale.

Expert Comment by: Sembee

If Yahoo are greylisting then it isn't working very well. I have a Yahoo account that collects 300+ spam messages a day. I use greylisting elsewhere and find it very effective in cutting down spam.

Yahoo see SPF as a competitor to their DomainKeys system, so the fact that they don't use it is not a surprise. Although not everyone who uses SPF tags the headers with that information. Both DomainKeys and SPF should be used for scoring only - neither has wide scale deployment to use as a drop if you don't have it.

Checking my own domain on Senderbase I don't even register, yet can send to Yahoo without any problems. If anything my trust level is lower because I am not in the list.

"Please try Again Later" type errors usually mean that the server is overloaded. I see that a lot with Blackberry's servers. If you are forwarding email to a consumer Blackberry (ie not using a BES) then the messages can hang around because there aren't enough connections available to their server. What I usually suggest in that case is to route the email via the ISP's SMTP server. The idea being that the ISP has more traffic going in to the RIM domain and the email messages can use that existing connection.

Simon.

Author Comment by: dskillin

"Both DomainKeys and SPF should be used for scoring only - neither has wide scale deployment to use as a drop if you don't have it."

There you hit the nail on the head, and you're correct, this is the way it *should* be.

Not in the list is usually considered neutral, not good, not bad, just...

The way I see it, anything I can do to improve my "score" is a good thing, when I have mails bouncing.

Yahoo being one (no real determination why), Cisco occasionally (reporting -5 score on senderbase, which oddly enough Dell reports me as around 1).  Each system is selecting their "criteria".

I just don't see it as a bad thing giving another option.

BTW

IronPort - http://www.ironport.com/company/pp_top_tech_news_10-24-2005.html

Which is fairly widely used (and associated with senderbase)

DomainKeys scores higher because it is a more difficult standard.

Expert Comment by: Sembee

I am not really contributing anything here, so I will wait to see if I hear from anyone else as to an easy way to deploy DomainKeys. I don't like having to roll your own event sink - if they want people to use it then they should make it simple to deploy - particularly as Microsoft will not lift a finger as they have their own.

Simon.

Author Comment by: dskillin

Agreed, it should be simple to deploy, and it's not.

As far as contribution, sure you are, it's always good to have a second voice.

Public forums are tough sometimes.  I'd be more than happy to PM my domain info if you believe something else could be causing my woes.

While I'm still looking for a methodology to install DomainKeys, having a second set of eyes look at the setup wouldn't hurt.

Accepted Solution by: Sembee (earned 500 total points)

Exchange MVPs have internal private discussion lists. I just put this query on there. If anyone will have deployed it then one of my fellow MVPs will have done so.

One has, who runs a hosted Exchange site. Processes 12 million messages an hour and says it showed no difference in the email flow, particularly to Yahoo - where you would expect it to make a difference. It was compared to weight loss pills.

You can send me the domain details if you like... email address is in the profile. I have to post the results back here as solving problems by email is not allowed.

Simon.

Author Comment by: dskillin

Information has been sent, thanks.

As far as reputation, with 12 million messages per hour, I imagine the reputation of the site isn't marginal as is mine.  It would be interesting to measure against someone in a similar class, around 2000 messages per day in, 1000 messages out, ballpark.

Expert Comment by: Sembee

Not a good start... your email to me was flagged by EE's email server as spam, which meant it went in to my spam filter at Google. I had to rescue it.

Everything looks fine on the DNS side, with one exception... your greylisting.


backupmx.domain.net's abuse response:
>>> RCPT TO:<abuse@domain.com>
<<< 451 4.7.1 Greylisting in action, please come back in 00:05:00


Certain sites will take exception to that behaviour.

What is doing your greylisting? I have seen that greylisting behaviour before, but I don't know what it is.

I use greylisting myself, but it does its thing after the rcpt to command, not before. That means that the connection is dropped on unknown user. I also don't greylist for as long as five minutes, just 60 seconds I find is enough.

If you are seeing issues with Yahoo specifically, then I would possibly suggest turning off greylisting for a while and seeing if the problems go away.

Why is greylisting causing a problem with sending email? Some sites do a call back, to see if the email address exists on the server that is sending the email message, or that there is a legitimate email server on the end of the IP address. It is yet another antispam measure. The greylisting tactic you are using could be interfering with that process.

On the topic of email message flow, one of my sites runs at similar sorts of numbers, sometimes a little higher depending on what is going on. That site is also using greylisting and doesn't have a problem with Yahoo.

Simon.

Author Comment by: dskillin

Not exactly sure, that host, the 20 MX (backupmx) is at my provider.  I'll check with them and let you know.

Author Comment by: dskillin

milter-greylist

Where the MX host(s) in question are MX 20's, and the actual MX server, MX 10, indicated through SPF records as well is answering.

This has been like this since we moved to this provider a few years back, why would it make a difference now?

I can't help but to think that there is something else there.

Expert Comment by: Sembee

There is nothing else that I can spot, but ISPs change their tactics all the time. The fact that something has been working for many years doesn't mean it is working now. Just as the spammers try different things to get through the filters, the ISPs must change things. It is a war on spam and the weapons and tactics must change constantly.

Simon.

Author Comment by: dskillin

Thanks for the discussion, Sembee. I'll leave this open for a couple days should more information pop up for the installation of DomainKeys, I'm still very curious to see if anyone has solid information and a clean way to install it.

Author Comment by: dskillin

It doesn't appear that an answer to this will arrive.

Reloading the Pix seems to have resolved most of the NDR issues.

Expert Comment by: vijaybhatter

After going through various sites I found that Yahoo Mail is somehow making its DKIM/DomainKeys a very important tool to counter spam. And this is why many of the email providers have implemented and support the same including Gmail and many others. Even when I see mails from Facebook it is even signed with DKIM.

There is not much documentation on implementing the same for IIS Smtp to support DKIM except one software which comes at a good price of $279. Which I feel is too high for many site owners.

I am sure we can make it work for free and the process is:

a) IIS SMTP has a feature, Event Sink, which also supports scripting, and we can process all the emails that come in.

b) We would require a script that will need to read the mail and create the DKIM signature based on RFC 2781 on it and update the same. It requires RSA SHA1 hash.

c) Publish the Public key on the DNS.

I am already working in this direction and have already made significant progress and at the moment am just looking for a VBScript function that lets me implement the RSA algo based on PKCS#1 ver 1.5.

Cheers,
Vijay Bhatter

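Steps b) and c) of the plan above, as an added example in Python rather than VBScript (it is not the poster's script or any product's code): the PKCS#1 v1.5 RSA-SHA1 signing function that was being looked for, the DomainKey-Signature header it feeds, and the TXT record that publishes the key. It assumes DomainKeys (RFC 4870) "simple" canonicalisation over everything after the signature header, no h= list, and a deliberately weak demo key made from two Mersenne primes so it runs with nothing but the standard library.

```python
import base64, hashlib

# Demo key built from two Mersenne primes (constructed: trivially factorable, so it
# only illustrates the math; a real deployment generates a 1024-bit+ key properly).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix for SHA-1

def emsa_pkcs1_v15(n, data):  # 00 01 FF..FF 00 || DigestInfo || SHA-1(data)
    k = (n.bit_length() + 7) // 8
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(data):
    em = emsa_pkcs1_v15(N, data)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(len(em), "big")

def rsa_sha1_verify(data, sig):
    em = emsa_pkcs1_v15(N, data)
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(len(em), "big") == em

def der(tag, body):  # minimal DER TLV encoder
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def der_int(x):  # positive INTEGER; the extra byte keeps the sign bit clear
    return der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))

def dns_txt_record(selector, domain):  # step c): the public key the verifier fetches
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int(N) + der_int(E))))
    return f'{selector}._domainkey.{domain} IN TXT "k=rsa; p={base64.b64encode(spki).decode()}"'

def simple_canon(message):  # 'simple' canonicalisation: only trailing empty lines go
    return message.rstrip(b"\r\n") + b"\r\n"

def sign_message(message, selector, domain):  # step b): prepend DomainKey-Signature
    sig = base64.b64encode(rsa_sha1_sign(simple_canon(message))).decode()
    hdr = f"DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s={selector}; d={domain}; b={sig}\r\n"
    return hdr.encode() + message

def verify_message(signed):  # receiver side: check b= over everything after the header
    hdr, rest = signed.split(b"\r\n", 1)
    return rsa_sha1_verify(simple_canon(rest), base64.b64decode(hdr.split(b"b=")[1]))

# Constructed sample message (headers, blank line, body with trailing empty lines)
MSG = b"From: user@example.com\r\nTo: friend@example.net\r\nSubject: hi\r\n\r\nhello\r\n\r\n"
```

In an event sink the same sign_message logic would run after the message is composed and before it is handed to the outbound queue; the demo key above has to be swapped for a properly generated one before anything is published in DNS.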