Does version 5.x support DKIM?

[MC9000]

I couldn't really find any info on DKIM support in version 5, but finding out that more mail is getting rejected now than ever before without the DKIM signing, so wondering if there's any way to do this in AMS now. Anyone?
Thanks!

[Code Crafters]

We have started work on DKIM but it's not released yet. However, most email servers will require either SPF or DKIM but not both so make sure you have SPF set up.

[MC9000]

Ok Thanks! Gmail is the problem child. They don't seem to be supporting SPF anymore (no account I create is able to send mail to gmail accounts - this is a recent thing now)

[Code Crafters]

It's only last month that I had a customer who couldn't send to Gmail but after helping them set up SPF properly, they were able to. Make sure your SPF record is configured properly. You can find sites online to test your SPF records for your domain. You need to create a TXT record for each domain you send from on Ability Mail Server. Generally just a simple record (shown below) which allows your MX record to send should works since this should point to your Ability Mail Server IP.

v=spf1 mx ~all

[EKjellquist]

Along the lines of DKIM, Google, Yahoo etc are beginning to require DMARC as of 2/1/24 for senders of ~5k or more emails per day; no further info at present as to when it may be required for ALL connections, but it'll be coming down the pike. Looking forward to utilizing DKIM in AMS; possible to expect this year?

[Code Crafters]

Thanks for the info. We have started development on DKIM but need to find some time to finish this feature.

[EKjellquist]

SO I wanted to put a bow on this by sharing my experience upgrading to AMS 6.0 and implementing DKIM/DMARC/MTA-STS/security.txt for our mail server. We were already using most of the anti-spam tools built into AMS, but mostly relied on SPF up until version 6 for anti-spoofing.

Following instructions from Outgoing Mail and a few notes from Reddit;

(1) set up DKIM key in AMS
(2) copy the DNS record it generates to make a TXT record for all my DNS servers (both internal to our network and external)
(3) set up a DMARC DNS record using MX Toolbox, using policy of 'none' to start
(4) set up MTA-STS DNS records and placed mta-sts.txt / security.txt on my webserver (Apache in my case)
(5) tested via a few sites I normally use for various email testing:
https://mxtoolbox.com/emailhealth/
https://www.learndmarc.com/
https://www.checktls.com/
https://www.uriports.com/tools

There were two notable issues I ran into:
(1) DKIM txt strings are typically > 255 characters, which isn't an issue for a lot of registrars, but if you're using Microsoft DNS and try to enter a long TXT record, it cuts off - you can use MailHArdener's record splitter to split the string in a way that will copy/paste right.
(2) AMS can utilize command-line mail scanning (Tutorial), which is super-helpful, BUT in our case, using Avast, we scan both incoming and outgoing mail, and it adds an email signature by default for the likes of 'Avast certifies this email virus-free' etc. The issue is that AMS applies DKIM to the email BEFORE AV scanning for outgoing mail, and the addition of that signature (or any other changes for that matter) will cause outgoing emails to FAIL DKIM due to checksums not matching; effectively, DKIM requires the email contents (other than headers) not be changed at all once signed by the sending server. Turning the signature option OFF in avast fixed this issue.

Once this was figured out, DKIM passed and I set the policy from 'none' to 'quarantine'.

[Code Crafters]

Thanks for the feedback.

1. We weren't aware of any DNS setups that didn't auto split long records into multiple for you. We could add a 255 split option in Outgoing Mail if it's useful to have. There are also 2 digital signature algorithms used by DKIM: RSA and ED22519. We verify both but have so far only used RSA for signing as this is the default and the other is an extension that may not be supported by all. We may consider adding the option of ED25519 signing in a future version. This is supposed to be even stronger than RSA but is also a much shorter key that would fit into a single 255 DNS record. See https://datatracker.ietf.org/doc/html/rfc8463 for details.

2. You're right that Outgoing Mail signs the email before passing to what we refer to as the Sorter which then passes through content and antivirus filtering. This was an oversight on our part. I'll log a bug for this to try and move DKIM signing after filtering has been done to fix this problem.

I've logged all 3 of these suggestions for consideration in a future update.

[EKjellquist]

So far Windows DNS was the only place I ran into the 255 char issue, everywhere else I added the record was able to interpret it fine. We do also use ECC-style certificates wherever possible for our other web services, so having it natively in AMS would be welcome - we still generate separate 4096-bit RSA certs for AMS / AFS that work ok, and SHA256 isn't going anywhere soon, but yeah AFAIK ECC style certs usually result in greater computational efficiency vs RSA..

If I could also add a small feature request too, we run AMS / AFS as services, and I really only go into the application-mode Tools screen when I update certificates periodically - it would be nice to be able to have a 'test DKIM' button in the web management GUI as well..

[Code Crafters]

Thanks again for the feedback. I'll add the ECC certificates as another feature request.

Recently, we've released:
- AMS 6.0.0 - DKIM and other features. see https://www.codecrafters.com/AbilityMai ... ateHistory
- AFS 3.1.0 - mainly OpenSSL 3.4 / TLS 1.3, see https://www.codecrafters.com/AbilityFTP ... ateHistory

This week, we're luanching an updated version of our website, rewritten in Angular like WebMail so we can easily translate into 133 languages.

Next, we plan to start another big project; a new AMS Remote Admin UI written in Angular with translations, a more modern look, mobile views and the SSL Certificates, License and Tools pages that were missing in the old remote admin. After that there will be no need to use the dialog admin interface and we'll debate whether to even remove it completely after it's been tested enough. Of course, Remote Admin has the big advantage of being accessed from another machine rather than having to log onto the server too.