Installing DomainKeys and SPF Records
Posted by Pacific Host on 04 December 2011 04:44 PM
DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity, by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify what servers can send email on behalf of a domain name.
You’ll want DomainKeys and SPF records if your users have trouble sending email to certain providers, or they are having issues with spoofed (forged) email. CPanel currently allows two easy ways for you or your users to set up email verification. This is supported at least from cPanel 11.18 onward.
You can enable the “Email Authentication” feature in WHM ~> Feature Manager, which will enable the Email Authentication icon in the users’ cPanels where they can create DomainKeys and SPF records for their domain(s).
There are scripts in /usr/local/cpanel/bin that can install these on a per-user basis:
(and corresponding scripts to remove, like spf_uninstaller and domain_keys_uninstaller)
If you want to hit up everyone on the server, you can run my for loop one-liner:
for user in `ls -A /var/cpanel/users` ; do /usr/local/cpanel/bin/domain_keys_installer $user && /usr/local/cpanel/bin/spf_installer $user ; done
Now what about new users? cPanel already though of that, and has options to create hooks for when after an account is created. To set up the server to automatically create an SPF record and DomainKey for new accounts, edit /scripts/postwwwacct and paste in the following code:
my %OPTS = @ARGV;
To verify an SPF record and/or DomainKey, you can run a DNS check:
A technical note about DKIM:
You might know that DKIM is actually a generated key pair, similar to an SSH or SSL Certificate’s RSA key. CPanel stores these files in /var/cpanel/domain_keys, where thepublic folder contains the key reflected in the DNS zone, and the private folder contains the private key. You may have users that actually authenticate via DKIM in their mail clients, in which case you may need to provide them with the private key in order for them to sent email.