
I have an off-the-shelf PHP app; it uses msmtp to do its mail sending. Some of my users are part of another external_organisation, and they need to send email from my PHP app as their external_organisation.com email address. And some need to send as mycompany.com.

For the most part this has been working all ok, until now...

external_organisation has recently set up DKIM, and have told me I need to give them a key and sign emails being sent as them or they will stop working soon. I have searched ALL of the internet three times, but I can't work out how to make this happen.

Can I please get some pointers?

I assume I need to configure msmtp, and not PHPMailer? I really am not sure about this.

Matt
  • You need to configure DNS and SMTP relay (server), not the clients. – Daniel W. Sep 03 '20 at 09:43
  • You can configure sendmail to use an upstream SMTP relay server and do the DKIM signing. I have done that with an SMTP server that doesn't do DKIM itself. It works great now but it was a real hassle to set up. Sendmail is a lot more complicated to configure than msmtp. – Gellweiler Nov 04 '21 at 11:02

1 Answer


This question would be better suited to ServerFault as it's a server config question, not a programming question.

It's definitely better and faster to configure your mail server to do the signing rather than PHPMailer, but you need some way of specifying the selector to sign with (assuming you want to use more than one). Most mail servers that support DKIM allow you to do this via a specially-named header, but you'll need to refer to their docs on it.

The simplest way to configure things is to sign with your own private key and get the external org to put your public key in their DNS in a TXT record under your selector, for example in yourservice._domainkey.external-org.example.com.

Alternatively, they can set up a CNAME for your service in their DNS, and you then have control over the public key in your DNS. Something like external-org.yourservice.example.com.

Either way, wherever the signing happens needs access to the private key, and the domain and selector need to point at a public key in DNS.

Minor tip: saying things like "I have searched ALL of the internet three times" is unlikely to make a good impression. There are a zillion articles on how to use DKIM and they will all say basically the same thing, because it is the same thing.

Synchro
  • Thanks for this. I am lost at the first step, after that I think I am ok. So I want to sign all my emails with my private key, not just the emails destined for the specific external org? – Matt Sep 04 '20 at 08:23
  • No, you can sign whichever messages you like; you don't have to do all of them, though it's not a bad idea if you can. If you do it means that DMARC becomes much more effective. Both of the DNS approaches I described are a way for the external org to say "that domain is allowed to sign messages for our domain". – Synchro Sep 04 '20 at 09:21
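As an added illustration (not part of the answer above), the following Python checks that a selector/domain pair actually resolves to a usable DKIM public key, covering both DNS layouts the answer describes: a TXT record published directly under the selector at the external org's domain, and a CNAME that delegates to a name in your own DNS. The zone data, domain names and the truncated key value are constructed for the example; in practice the lookups would go to a real resolver.

```python
import base64

# Constructed in-memory zone standing in for real DNS: name -> (type, value).
# The p= value is a truncated placeholder, not a real key.
ZONE = {
    # Layout 1: external org publishes your public key directly under your selector.
    "yourservice._domainkey.external-org.example.com":
        ("TXT", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"),
    # Layout 2: external org delegates via CNAME to a name you control.
    "yourservice2._domainkey.external-org.example.com":
        ("CNAME", "external-org.yourservice.example.com"),
    "external-org.yourservice.example.com":
        ("TXT", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"),
    # Revoked key: an empty p= tag tells verifiers this selector no longer signs.
    "old._domainkey.external-org.example.com": ("TXT", "v=DKIM1; k=rsa; p="),
}

def dkim_record_name(selector, domain):
    """DNS name a verifier queries for the d= and s= values in a DKIM-Signature."""
    return f"{selector}._domainkey.{domain}"

def resolve_txt(name, zone, max_hops=5):
    """Follow a CNAME chain (the delegation layout) until a TXT value or None."""
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype != "CNAME":
            return value
        name = value
    raise ValueError("CNAME chain too long")

def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict, tolerating blank segments."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags

def check_dkim_key(selector, domain, zone=ZONE):
    """Return (ok, reason); ok is True only when a usable public key is published."""
    txt = resolve_txt(dkim_record_name(selector, domain), zone)
    if txt is None:
        return False, "no DKIM record published for this selector/domain"
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected version tag"
    if not tags.get("p"):
        return False, "empty p= tag: key revoked, do not sign with this selector"
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return False, "p= is not valid base64"
    ktype = tags.get("k", "rsa")
    if ktype == "rsa" and key[:1] != b"\x30":   # DER SubjectPublicKeyInfo starts with SEQUENCE
        return False, "rsa key is not DER SubjectPublicKeyInfo"
    if ktype == "ed25519" and len(key) != 32:   # ed25519 keys are 32 raw bytes
        return False, "ed25519 key must be 32 raw bytes"
    return True, f"{ktype} key published"
```

Run the check against the live selector/domain before switching a sender over to signing; a revoked or missing record is the usual reason signed mail suddenly starts failing.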