With some more research I found that for dkim pass we don’t necessarily need to have an email implementation. So, first I got my keys, the syntaxes using openSSL to generate DKIM keys can be found here.
We need two keys, first the private key, and based on private key we generate the public key:
openssl genrsa -out dkim-private.pem 1024
openssl rsa -in dkim-private.pem -pubout -out dkim-public.pem
- notice that the syntax is slightly modified to get pem extension instead of key
Until here the domain name is not important, you can use the keys with any domain as long as you specify the correct key name everywhere. In most situations we have a project, or a main project using a registered domain name, and that is the domain we can use to send emails from. That domain name must be set in administration panel > settings > email templates at the sender, e.g. no-replay@myDomain.com and this is the domain that will provide the dkim public key.
Following the instructions from the above webpage I got the public key string in a single line.
Then, I added the public DKIM record in Namecheap like the image shows:
Using an online dns lookup I tested out the result: (the domain name was modified)
The public part being ready and tested, we need to configure the email provider to sign emails using dkim-private.pem. For this I moved both keys into my Strapi root folder (we only need the dkim-private.pem but it is not a problem if we put both).
In order to get Strapi to read the dkim-private.pem file I created this PR. Basically, if the file exists, it is read and set as dkim.privateKey in the sendmail email provider.
In order to test the setup I modified the file directly in strapi-provider-email-sendmail and I simulated a registration process (to see if the email-confirmation passes the dkim test). Protonmail provides the function to export the received email where this dkim validation result can be found, and the result is: dkim=pass (1024-bit key). I used a 1024 bit key, but 2048 can be also used.
Conclusion
If the above mentioned PR is approved all we need to do is to set the keys: one in dns, the other in the project’s root folder. If the PR is not approved we need an extra step to customize the email provider.
Caution
On public key setup in dns do not change the host! It should be: default._domainKey. This is because I set the keySelector: 'default' in the PR. Normally, when a domain has more than one email sender that keySelector can take any name, the whole point is to match the one seen in email by the receiving email provider (to be able to query the correct key from dns)…
Final thoughts
Can DKIM solve the problem of emails going into spam on its own? Definitely not! There are several factors that matter:
- the domain used to send emails must be clean, not listed in anti-spam blacklists
- if the domain is new it starts with a domain rating equal to zero (it is not trusted yet, you have to ask users to check the spam folder too)
- some email providers are more restrictive than others
What I can certainly say is that DKIM is a mandatory step for getting emails into the inbox.
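
The key and DNS steps described above, as an added example that is not part of the original post or of the Strapi PR: it builds the single-line TXT value from the public key and checks that a published record still matches the private key the provider signs with. The function names, `example.com` and the temporary paths are assumptions; the demo uses a 2048-bit key, which the post notes also works.

```shell
#!/bin/sh
# Added example. Selector "default" comes from the post; example.com, the
# function names and the temporary file names are assumptions.

# One-line TXT value from a PEM public key (the "single line" step).
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s' "$(grep -v '^-----' "$1" | tr -d ' \r\n')"
}

# Succeeds only if the p= tag of a TXT value (as pasted from a DNS lookup,
# possibly split into several quoted strings) matches the private key.
dkim_key_matches() {
    want=$(openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d ' \r\n')
    got=$(printf '%s' "$2" | tr -d '" \t\r\n' | tr ';' '\n' | sed -n 's/^p=//p')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# RSA modulus size in bits, the number receivers report next to dkim=pass.
dkim_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p'
}

demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/dkim-private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/dkim-private.pem" -pubout -out "$dir/dkim-public.pem" 2>/dev/null
    value=$(dkim_txt_value "$dir/dkim-public.pem")
    echo "host:  default._domainkey.example.com"
    echo "value: $value"
    echo "bits:  $(dkim_key_bits "$dir/dkim-private.pem")"
    if dkim_key_matches "$dir/dkim-private.pem" "$value"; then
        echo "record matches private key"
    else
        echo "MISMATCH: signatures would fail verification"
    fi
    rm -rf "$dir"
}

demo
```

A 2048-bit key gives a value longer than 255 characters, so DNS lookups return it as several quoted strings; `dkim_key_matches` joins them before comparing.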