Forums & Blog

DKeyEvent SM 0.3.2 has been released. It is available free of charge for private, non-profit, and educational use.



So what does it do?

DKeyEvent SM is a filter for SmarterMail, that signs and authenticates messages according to DomainKeys and DKIM specifications. Besides being designed to prevent 'identity spoofing' - i.e. claiming that mail originates from a different domain - by hashing each message on transmission, it can check whether a message has been altered prior to delivery, and, should it be the case, restore the message to its original form.



Some things to note

- After installation, make sure you take a look at the documentation, as it contains important information on how to configure DKeyEvent, and how to publish public key entries in your domain's DNS. Without these, signed mail will fail authentication.

- If you are using a router or firewall, make sure that DKeyEvent is given outbound UDP access to remote port 53 (DNS).

- to test your DomainKeys/DKIM signatures, you can send an email to < dktest at exhalus.net >, < dkim-test at altn.com > or < sa-test at sendmail.net >

 


___________________

related topics and posts:

- old thread about DKeyEvent SM

I know that people tend to think that setting up DomainKeys is a difficult task; well, it's not, and to prove it, here is an end-to-end video tutorial which shows you everything you need to do in order to set up DomainKeys for your first domain. And all in less than 4 minutes.

DKeyEvent SM - Setup VT :: watch :: download

format: Flash 7, size: 6.5 MB, with sound

in this tutorial:

- installing DKeyEvent SM

- setting up DomainKeys for your first domain

- adding your public key to your domain's DNS using the Microsoft DNS services in Windows Server 2003

After completing this tutorial, all incoming mail should be authenticated for DomainKeys, and outgoing mail from the enabled domain should now be signed.

great tutorial !!!

it assures me that i have everything right  untill the dns setup !!

my dns server is running bind9  and its cortrolled by our web interface

that looks like this
and it still wont work  what the %¤/%/"¤#%" am i doing wrong

hope someone know!! what to do here..

Best regards  Lars M.

The zone file looks like this !!

$ttl 3600
@  IN SOA xxx.xxxxxxx.xx.  hostmaster.xxxxxxxxxx.xxx. {
   xxxxxxxxxxxxx ; serial
   xxxxxx ; refresh
   xxxx ; retry
   xxxxxxxx ; expire
   3600 } ; default_ttl

  IN NS   ns1.xxxxxxxx.net.
  IN NS   ns2.xxxxxxxx.net.

 IN MX 10 mail

* IN A xx.xxx.xxx.xxx
@ IN A xxx.xxx.xxx.xxx
key1._domainkey IN TXT p=MHwwDQYJKoZIhvcNAQEBBQADawAwa.And so on, and so on
mail IN A xx.xxx.xxx.xxx
www IN A xx.xxx.xxx.xxx

Well, a quick look at your domain's DNS indicates that everything looks fine. You didn't mention what the exact problem is; are your signatures not passing validation? If so, you should double check that the public key in your DNS matches the one in the DKeyEvent setup utility. Web interfaces will sometimes have fixed length fields for entering DNS RR data, so if you're not careful, they might trim your key to a certain smaller size (and this would obviously invalidate your key).

I found that most problems which users new to DomainKeys encounter are caused by incorrect or mismatched keys. So the general advice is to simply double check your keys; if they appear to be fine, don't fret. Delete your keys, and create new ones (preferably in a different selector, so as to avoid DNS cache issues). This may sound obvious enough, but you'd be surprised to hear just how many times this simple process has 'fixed' the problem which had the users baffled.

Thanks for the suggestions ill check it !! 

the domain and selector is ok    copy paste  checked blanks and everything ..

took the key from the generator  and put it in a notepad  also i took   the key in the dns server and put it right under  that checks ok also ... ( good point with that  key lenght i havent thought of that ! )

server name / admin / pass -->   all ok

I followed the video you made  and everything looks right !


the problem is the test anwser i get from this url --> http://domainkeys.sourceforge.net/cgi-bin/check_policy?domain=webserve.dk&Submit=Submit

damn i hop to get this working  ;o)   sometime this year  

Best regards  Lars M

information: http://antispam.yahoo.com/domainkeys

information: http://mipassoc.org/dkim

The problem with the test in 28296 is that you were trying a policy test, and you had no policy defined. Note that a policy record and a selector record are two different things, and should not be confused. With DomainKeys, the selector is the record at: selector._domainkey.yourdomain.tld. This records holds your public key, and is necessary if you wish to sign messages. The policy record is _domainkey.yourdomain.tld. This is an optional record which can be used to define policy, i.e. how you want verifiers to deal with messages which failed authentication, for example. DomainKeys policy examples are available in the DKeyEvent documentation.

If your only problem was the policy test you mentioned, then there was no real problem. I see, though, that you have since removed the key from your 'key1' selector (which, again, seemed to be fine) and this is likely why you were receiving  'bad selector format' result from the sa-test reflector.

Setting up DomainKeys or DKIM is really not difficult, but you do need to take a few minutes and read the documentation. There is a bit of jargon involved here (selectors, policies, etc) but as long as you pay attention to what the documentation says, you'll see that it's really not complicated at all. The point is to try not to skip reading anything in the documentation; just take it slowly, follow the instructions to the letter, and you'll be up and running in no time.

As for the difference between DomainKeys and DKIM, well, a minimal selector (a selector which only has a 'p=...' tag defined) will work with both DomainKeys and DKIM. Policy records are defined in different records for the two protocols, but the essential public key follows mostly the same specs for both. So if you don't need any protocol specific settings in your selector, you can safely use the same selector for both protocols.

Which of the two protocols to use? If you're only going to use one, then at this time you should use DomainKeys. But really, I would (and I actually do) use both.

oh well  i thought i had read it all   even printed  it out and have marked places with things to notice

but as i have done everything that everybody told me, i afterwards started to experiment on my own  wich is why i also changed the selector as the last thing  this night before i went to sleep

i did that because the  mail test told me that my selector wasent ok !   didnt cange before that   
today  its still the same but i will keep this selector for awhile to see if its the dns  that is cached or something like that  in the other end

 Thank's for the  info on the  2 diffrent  ways  i will when domainkeys works  also start up the other !!!

i still have the problems with getting it to work  and really dont know what else to do  !!!

i can send you ppl an email and you can then check the  headers    other than that im stuck here

Regards Lars M.

If you're truly stuck, then you can always send me an email directly, and I'll take a look at the headers and the selector.

Thank's Alot !!!!

 I'll might just do that   But i will try to solve it  myself first  for awhile first  just to learn from it !!

Best regards Lars M

Hi,

Did you ever get this to work? I'm having the same trouble and having worked with tech support and read the manual and watched video.  I can see that dkeyevent.exe is being called in task manager but reflector says no signature.

fails the following reflector text: dktest at exhalus.net 

I thought maybe it was timing out so I changed time out to 120, but no change.  Has anyone had similar issues?

Thanks

Well, there are a couple of troubleshooting steps you can take:

- first, try to isolate the problem: enable everything (both DomainKeys and DKIM, signing and verification) and see what, if anything, works

- check the Windows EventLog to make sure DKeyEvent doesn't raise any errors 

- check the SmarterMail logs for anything strange related to the spool executable

- if you have any real-time antivirus, try temporarily disabling it

- try reinstalling DKeyEvent

- try restarting the server

I checked my event logs and I have been receiving the following error:

"DKeyEvent could not use SmarterMail services due to invalid credentials."

on the main DKeyEvent Setup page, I have entered the following information:

Server Name:  localhost
Server URL: http://mail.mydomain.org
Admin Username:  [the account I use to access the administration functions of smarter mail]
Admi Password: [the password for the admin account]

First thing you should check is that the Server URL is correct. Open up Firefox (or IE, or whatever browser you happen to prefer) and try accessing

smURL/services/svcUserAdmin.asmx?WSDL

where smURL is the exact Server URL you have listed in your DKeyEvent configuration.

If the above works, then double check your admin username and password (note that the Admin credentials are supposed to match those of the SmarterMail admin, not a local domain admin) and finally, if you are using any firewall/anti-spyware applications, make sure that dkeyevent.exe is given access to the aforementioned 'website' (on port 80 if you are running it on IIS, 9998 if you are using the bundled SmarterMail web server).