Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?
-
I switched nearly all our domains to programmatically DNS provider. We have a setup with one Cloudron instance as our central mailserver. Other Cloudron instances are used for internal apps & websites. On every instance the same domains are connected.
I have noticed that every instance creates a DKIM entry in the DNS.
The moment I configure the domain to, let's say, the web server instance and use only Oubound Mail, DKIM is set. There is also a modified SPIF record.
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed. I had to change the DNS records manually.
Bug or feature?Pronouns: he/him | Primary language: German
-
I switched nearly all our domains to programmatically DNS provider. We have a setup with one Cloudron instance as our central mailserver. Other Cloudron instances are used for internal apps & websites. On every instance the same domains are connected.
I have noticed that every instance creates a DKIM entry in the DNS.
The moment I configure the domain to, let's say, the web server instance and use only Oubound Mail, DKIM is set. There is also a modified SPIF record.
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed. I had to change the DNS records manually.
Bug or feature?@luckow said in Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?:
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed. I had to change the DNS records manually.
Bug or feature?Feature that it creates DKIM and SPF entries.
Possibly bug that it doesn't also remove them under certain circumstances?
-
I switched nearly all our domains to programmatically DNS provider. We have a setup with one Cloudron instance as our central mailserver. Other Cloudron instances are used for internal apps & websites. On every instance the same domains are connected.
I have noticed that every instance creates a DKIM entry in the DNS.
The moment I configure the domain to, let's say, the web server instance and use only Oubound Mail, DKIM is set. There is also a modified SPIF record.
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed. I had to change the DNS records manually.
Bug or feature?@luckow said in Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?:
I have noticed that every instance creates a DKIM entry in the DNS.
DKIM is like a ssh public/private key pair . The public key is stored in the DNS . The DNS name under which it is stored is "unique" across Cloudron installations. This allows, two Cloudrons to have the same domain added in them (after all, Cloudrons cannot talk to each other, so they cannot exchange the private key with each other....) . I guess the alternative is to make the user provide keys and store them in more "predictable" names. But this serves no purpose other than complicating things for the end user (and making them learn DKIM).
There is also a modified SPIF record.
Right, it's modified to add Cloudron server as an authorized sender for emails for that domain. SPF btw
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed
The way DKIM works is that when the other receiving email server gets an email, it verifies the signature using the public key stored in the DNS. It's possible that you removed the domain from Cloudron but the email is still in transit somewhere or waiting to be verified somewhere. If Cloudron deletes the DNS entry , those emails will be flagged as Spam or insecure depending on what the receiver does. This is why they are not removed. Feel free to remove them manually though.
The SPF entry is also unmodified on domain removal. There is a theoretical chance that you have made some app or installed some software to send email directly from Cloudron . In general, the idea is to make it work and not break things (since the entries are fairly harmless).
-
G girish has marked this topic as solved on
-
@luckow said in Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?:
I have noticed that every instance creates a DKIM entry in the DNS.
DKIM is like a ssh public/private key pair . The public key is stored in the DNS . The DNS name under which it is stored is "unique" across Cloudron installations. This allows, two Cloudrons to have the same domain added in them (after all, Cloudrons cannot talk to each other, so they cannot exchange the private key with each other....) . I guess the alternative is to make the user provide keys and store them in more "predictable" names. But this serves no purpose other than complicating things for the end user (and making them learn DKIM).
There is also a modified SPIF record.
Right, it's modified to add Cloudron server as an authorized sender for emails for that domain. SPF btw
The moment I switched outbound to external SMTP (our Cloudron mail instance), neither DKIM nor SPIF is removed/changed
The way DKIM works is that when the other receiving email server gets an email, it verifies the signature using the public key stored in the DNS. It's possible that you removed the domain from Cloudron but the email is still in transit somewhere or waiting to be verified somewhere. If Cloudron deletes the DNS entry , those emails will be flagged as Spam or insecure depending on what the receiver does. This is why they are not removed. Feel free to remove them manually though.
The SPF entry is also unmodified on domain removal. There is a theoretical chance that you have made some app or installed some software to send email directly from Cloudron . In general, the idea is to make it work and not break things (since the entries are fairly harmless).
@girish said in Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?:
The way DKIM works is that when the other receiving email server gets an email, it verifies the signature using the public key stored in the DNS. It's possible that you removed the domain from Cloudron but the email is still in transit somewhere or waiting to be verified somewhere. If Cloudron deletes the DNS entry , those emails will be flagged as Spam or insecure depending on what the receiver does. This is why they are not removed. Feel free to remove them manually though.
The SPF entry is also unmodified on domain removal. There is a theoretical chance that you have made some app or installed some software to send email directly from Cloudron . In general, the idea is to make it work and not break things (since the entries are fairly harmless).
Might be worth adding that info to the docs somewhere?
-
@scooke said in Every Cloudron instance sets a DKIM entry. Is this good or bad or necessary?:
why use ai when we already have Real Intelligence here.
Limited time and resources of humans?
