With some more research I found that for a dkim pass we don't necessarily need to have an email implementation. So, first I got my keys; the syntax for using OpenSSL to generate DKIM keys can be found here.
We need two keys: first the private key, and based on the private key we generate the public key:
```
openssl genrsa -out dkim-private.pem 1024
openssl rsa -in dkim-private.pem -pubout -out dkim-public.pem
```
- notice that the syntax is slightly modified to get pem extension instead of
Up to this point the domain name is not important; you can use the keys with any domain as long as you specify the correct key name everywhere. In most situations we have a project, or a main project using a registered domain name, and that is the domain we can use to send emails from. That domain name must be set in administration panel > settings > email templates at the sender, e.g. no-replay@myDomain.com, and this is the domain that will provide the dkim public key.
Following the instructions from the above webpage I got the public key string in a single line.
Then, I added the public DKIM record in Namecheap as the image shows:
Using an online dns lookup I tested out the result: (the domain name was modified)
With the public part ready and tested, we need to configure the email provider to sign emails using dkim-private.pem. For this I moved both keys into my Strapi root folder (we only need dkim-private.pem, but it is not a problem if we put both).
In order to get Strapi to read the dkim-private.pem file I created this PR. Basically, if the file exists, it is read and set as sendmail email provider.
In order to test the setup I modified the file directly in strapi-provider-email-sendmail and simulated a registration process (to see if the email-confirmation passes the dkim test). Protonmail provides the function to export the received email where this dkim validation result can be found, and the result is: dkim=pass (1024-bit key). I used a 1024 bit key, but 2048 can also be used.
If the above-mentioned PR is approved, all we need to do is to set the keys: one in dns, the other in the project's root folder. If the PR is not approved we need an extra step to customize the email provider.
On public key setup in dns do not change the host! It should be: default._domainKey. This is because I set the keySelector: 'default' in the PR. Normally, when a domain has more than one email sender, that keySelector can take any name; the whole point is to match the one seen in the email by the receiving email provider (to be able to query the correct key from dns)…
Can DKIM solve the problem of emails going into spam on its own? Definitely not! There are several factors that matter:
- the domain used to send emails must be clean, not listed in anti-spam blacklists
- if the domain is new it starts with a domain rating equal to zero (it is not trusted yet, you have to ask users to check the spam folder too)
- some email providers are more restrictive than others
What I can certainly say is that DKIM is a mandatory step for getting emails into the inbox.
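The two halves of the setup above (the TXT value in DNS and dkim-private.pem next to Strapi) can be checked against each other before sending a test mail. This is an added example, not part of the original post or the PR; `dkimTxtRecord` and `checkDkimRecord` are hypothetical helper names, and the key pair is a throwaway one generated in memory.

```javascript
const crypto = require("crypto");

// Hypothetical helper: DNS host and single-line TXT value for a PEM public key.
function dkimTxtRecord(publicPem, selector = "default") {
  const der = crypto.createPublicKey(publicPem).export({ type: "spki", format: "der" });
  return { host: `${selector}._domainkey`, value: `v=DKIM1; k=rsa; p=${der.toString("base64")}` };
}

// Hypothetical helper: does the published TXT value belong to the private key
// the signer will load (dkim-private.pem in the post)?
function checkDkimRecord(txtValue, privatePem) {
  const tags = {};
  // DNS tools may show the value as several quoted chunks; drop quotes first.
  for (const part of txtValue.replace(/"/g, "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).replace(/\s+/g, "");
  }
  if (!tags.p) return { ok: false, reason: "p= tag missing or empty (empty means revoked)" };
  let published;
  try {
    published = crypto.createPublicKey({ key: Buffer.from(tags.p, "base64"), format: "der", type: "spki" });
  } catch (err) {
    return { ok: false, reason: "p= is not a valid SubjectPublicKeyInfo" };
  }
  const spki = (k) => k.export({ type: "spki", format: "der" });
  const bits = published.asymmetricKeyDetails.modulusLength;
  // createPublicKey() derives the public half when given a private key PEM.
  if (!spki(published).equals(spki(crypto.createPublicKey(privatePem)))) {
    return { ok: false, bits, reason: "DNS key does not match the private key" };
  }
  // RFC 8301: signers SHOULD use at least 2048-bit RSA keys.
  return { ok: true, bits, reason: bits < 2048 ? "match, but key is under 2048 bits" : "match" };
}

// Constructed sample: a throwaway key pair generated in memory, not a real DKIM key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs1", format: "pem" },
  });
  const record = dkimTxtRecord(publicKey);
  return { record, result: checkDkimRecord(record.value, privateKey) };
}

console.log(demo());
```

In practice, pass the TXT value returned by a DNS lookup for the selector host and the contents of dkim-private.pem read from disk.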