4

I added some new IP addresses and domains to a VPS (Centos) managed with Vesta Control Panel. Everything seemed to work, but then, a few hours later, I noticed some emails (SMTP) from a previous, unchanged domain on the same VPS were bouncing to some addresses but not others.

Investigating, I looked in the DNS records for the older (in theory unchanged) domain and saw some unfamiliar entries. I certainly didn't add these myself.

I can't find anything helpful on "mail._domainkey" online (and most of the few, uninformative, hits I did find were in Russian). I'm wondering if these could be the by-product of some Vesta feature I was unaware of, or (hopefully not) some symptom of an attempted attack:

mail._domainkey    TXT    "k=rsa; p=MIGfMA0GCShPSdoV5Ynvcb+OAEXNkYfu3A739VBNKPNGiEjKyqGSIb3DQEBAQD3AcJa3UEHUAA4GNADCBiQKBgbKJB38x9E8ORC6I3CXbqt5P0wmX4d216O6faEG96uWO0NpoOO4A2qLNBqf6lqCgQDEkCtpZfRLhSL36BAAZSOeuCtXr30PlIDXwzhdZJ3wVFObgFF568lTYfgyiwIDAQAB"

@                  TXT    "v=spf1 a mx ip4:123.123.123.123 ?all"

_domainkey         TXT    "t=y; o=~;"

I mixed up the long string of characters in case it was a password hash or similar and I anonymised the IP address but otherwise these are unchanged.

What is mail._domainkey? What could these DNS entries mean?

Possibly relevant context: the domain these rules apply to is also used for private nameservers used by my new domains. https://mxtoolbox.com reports "SMTP Reverse DNS Mismatch" on the domain, which I was working to fix when I found these strange entries, but no other warnings or errors beyond slow SMTP connection times.

user56reinstatemonica8
  • 243
  • 1
  • 6
  • 17
  • 1
    The `._domainkey` DNS entry is (as you point mention in your answer below) the DNS component of the DKIM message integrity system (verifies the message hasn't be tampered with in transit by signing it with a private key, which anyone can verify by looking up that public key in the DNS). What is concerning is that you were seeing non-delivered messages. A new DKIM entry by itself shouldn't cause a message to bounce. (If you previously had DKIM and changed the values, maybe). Does the SPF record IP match your server? Do you also have a `_dmarc` record? – Ruscal Feb 06 '19 at 16:36

1 Answers1

4

I found another question containing some similar content, which was enough to work out that mail._domainkey defines a DKIM key ("DomainKeys Identified Mail").

mail here is simply the selector for the appropriate subdomain, and could be anything.

It's a perfectly normal security system to check against spoofed or modified mail.

Specs are here. In particular:

  • The p= string is the public string, hashed then Base64 encoded.
  • The k= is the key type, and rsa is the default.

I think an update to my control panel software automatically added DKIM to my emails, which would explain why I was surprised to see them.

Community
  • 1
user56reinstatemonica8
  • 243
  • 1
  • 6
  • 17