DKIM is here - looking for testers / DKIM está aquí - buscando probadores

Hi @TIAS folks,

I’m happy to report that DKIM signing has arrived in the May First control panel (as of late last night) and we are looking for beta testers to kick the tires a bit. Here’s a link to some basic documentation on how to set things up: faq/email/dkim – Support

What is DKIM? DKIM is a method for signing outgoing email messages to add a degree of proof that if the message claims to be sent from a given email address, it really is sent from that address. It both helps reduce fraud and also provides just a bit more reason for a mail system receiving your message to place it in the inbox instead of the junk mail folder.

The technical details of DKIM are quite hard to understand, so the plan is to automatically setup DKIM for all domain names that are currently sending email via May First and probably set it up automatically for new domain names added in the future. That way our members benefit from DKIM without having to set it up or fully understand it.

However, at this point, we are hoping a few brave individuals would be willing to follow the directions in our FAQ to setup DKIM for your personal domain and report back any trouble you have with it. It will work best if you use a domain that belongs to you, is handled via the May First DNS system and is currently using May First to send email. If that descriptin fits one of your domains, please give it a shot and post back to this thread with your experiences.


Hola amigos de @TIAS,

Me complace informaros de que la firma DKIM ha llegado al panel de control de May First (a última hora de anoche) y que estamos buscando probadores beta para que prueben un poco. Aquí hay un enlace a la documentación básica sobre cómo configurar las cosas: faq/email/dkim – Support

¿Qué es DKIM? DKIM es un método para firmar los mensajes de correo electrónico salientes para añadir un grado de prueba de que si el mensaje dice ser enviado desde una dirección de correo electrónico determinada, realmente se envía desde esa dirección. Ayuda a reducir el fraude y también proporciona una razón más para que el sistema de correo que recibe su mensaje lo coloque en la bandeja de entrada en lugar de en la carpeta de correo no deseado.

Los detalles técnicos de DKIM son bastante difíciles de entender, por lo que el plan es configurar automáticamente DKIM para todos los nombres de dominio que actualmente envían correo electrónico a través de May First y probablemente configurarlo automáticamente para los nuevos nombres de dominio que se añadan en el futuro. De esta manera, nuestros miembros se benefician de DKIM sin tener que configurarlo o entenderlo completamente.

Sin embargo, en este momento, esperamos que algunas personas valientes estén dispuestas a seguir las instrucciones en nuestro FAQ para configurar DKIM para su dominio personal e informar de cualquier problema que tengan con él. Funcionará mejor si utiliza un dominio que le pertenezca, que se gestione a través del sistema DNS de May First y que actualmente utilice May First para enviar correo electrónico. Si esta descripción se ajusta a uno de sus dominios, por favor, inténtelo y publique en este hilo sus experiencias.


1 Like

I setup two of my domains as suggested in the FAQ. The signature was successfully verified by infrastructure and the testing website you mentioned. I also sent outward to another account I control on the Microsoft Exchange 365 hosted infrastructure. It also seems to validate successfully:

ARC-Authentication-Results: i=1; 1; spf=pass (sender ip is;
 dmarc=bestguesspass action=none; dkim=pass
 (signature was verified); arc=none (0)

I also sent to a google hosted domain:

ARC-Authentication-Results: i=1;;
       dkim=pass header.s=mayfirst1 header.b="pbxmR/Hc";
       spf=pass ( domain of designates as permitted sender)

Seems to be working.


That’s great to hear - thanks for testing and reporting back the results!

This is wonderful! I assume this means that email list email (the email from mailman) is now DKIM signed and therefore less likely to get spam trapped, right?

Thank you for this work.

Hi Ken - This stuff is so incredibly complicated. And when you throw email discussion lists into the mix it’s one, big, giant chaos pie.

Some of the devilish details are:

  • DKIM signing is triggered by the From address in the header of the message. For most email lists, that’s the from address of the sender of the message, which means it will only be signed if that address is configured via May First for DKIM signing (e.g. it’s a May First member that uses May First to send their email). So, for example, if someone with a email address is subscribed to the list, the message won’t be DKIM signed.
  • However… if the message is sent by a provider that is DKIM signing outgoing message, then it should arrive with an existing DKIM signature in the header which in theory would be included in the message going out. Hooray.
  • Except… Most DKIM signatures are signed over a group of headers, including the Subject line. And mailman changes the subject line to add the name of the list. So, the existing DKIM signature will be invalidated. Boo.
  • Except… if mailman detects that the from address has a DMARC policy (a DMARC policy says reject any mail that does not have a DKIM signature and an SPF record - the major providers, like Yahoo and Gmail all have DMARC enabled), then mailman will automatically munge the from address so it’s from the email list address (which means which means it will get signed.

So, I think the answer to your question about whether email list traffic will get signed is yes, kinda?

In contrast, one-way announcement lists are way less complicated provided you send the email from an domain that has DKIM signing turned on in the control panel.

Very exciting!!! We use Cloudflare to manage DNS for many of our domains; and so I tried following the instructions in the FAQ for manual set-up, and ran into the following hiccup that domains can’t have an underscore, unless I’m just doing something wrong?

Awesome - I’m glad to get this use case tested!

For the fully qualified domain name you can leave out the “mayfirst1._domainkey” part and just put: (my FAQ was wrong - I just fixed it).

Ok, working now! So glad this is live!