SACRIFICES TO THE EMAIL GODS

It's a bit over a year since I moved my websites from a hosting 
service over to a VPS, including setting up a mail server on it. 
That also seems to be about as long as semi-decent deliverability 
of email from my website has lasted.

In particular Gmail seems to be putting everything into spam now, 
even though I did originally set up SPF and got my VPS provider to 
add a reverse-DNS PTR record. But I did stop short before of 
setting up DKIM and DMARC, and Google say that they want to see 
these:
https://support.google.com/mail/answer/81126

DMARC, like SPF, is pretty simple. Or it was once I'd discovered 
where my domain registrar had hidden their advanced DNS settings 
this week (it's now four clicks deep from the list of domains). But 
DKIM involves cryptography and somehow everything involving 
cryptography causes me to waste hours digging into some aspect that 
isn't properly documented before I can get it to work.

In this case I was following the OpenDKIM guide on the Debian Wiki 
to set that up with Postfix, after failing to find any 
documentation about DKIM on the Postfix website. The main problem 
was that I've got two virtual domains hosted by the VPS that I want 
mail to be sent from (actually one is mainly so that I can test 
things out before messing with the important one). My understanding 
was that one DKIM key should be able to be used for both, but the 
Debian Wiki and other guides on the web always get into complicated 
stuff involving making "keytable", "signingtable", etc. files that 
describe what key matches what domain. 

Nevertheless the man page for opendkim.conf says that the "Domain" 
setting which is used by the Debian guide to set the domain for 
single-domain servers, can accept multiple domains. That sounds 
like exactly what I want, but how to separate them? The 
opendkim.conf man page says they're a "dataset", which is described 
as being described in the opendkim man page. The opendkim man page 
waffles on about reading from different sources and only manages to 
cast doubt on my original guess of "Domain  "example1.com 
example2.com"" (which nevertheless generates no error message from 
the OpenDKIM "milter"), without saying what the delimiter is 
supposed to be if you just want to enter them there in the config 
file. In the end I found the example opendkim.conf file in the 
project's Git repo (it's not installed by the Debian package even 
though it's referenced in the comments in the default opendkim.conf 
file). That still only showed one domain for the "Domain" setting, 
but I worked my way through all the options that took a "dataset" 
parameter until I found one that demonstrated that the "data" is 
comma-separated, so: "Domain  example1.com,example2.com".

OK actually I see that down the very bottom of the long description 
of different dataset types, at "m)", the opendkim man page does 
say: "In any other case, the string is presumed to be a 
comma-separated list.". So I missed that, but really, couldn't they 
just have put a short example in the entry for "Domain" in the 
opendkim.conf man page?

The other trap that I fell into was that the OpenDKIM key generator 
helpfully puts an example for the DNS TXT record in 
"/etc/dkimkeys/[selector].txt". But besides containing lots of 
unwanted quotes, brackets, and newlines, it splits the key into two 
quoted parts, and at first I guessed only the first part was the 
key because the Wiki page is particularly vague about this. This 
mistake was easily detected using "opendkim-testkey -v -v -d 
[domain]", but it's really quite confusing for something that every 
mail server admin is now expected to set up. Apparently it's the 
right format for BIND, but that doesn't help people like me much 
who are using someone else's DNS via a web interface.
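To show what the selector.txt trap looks like in practice, here is an added example (my own illustration, not part of the OpenDKIM project or the Debian guide). It builds a constructed selector.txt in the same BIND zone-file shape that opendkim-genkey writes, with a placeholder key made from dummy bytes rather than a real RSA key, joins the quoted strings into the single flat TXT value a web DNS editor wants, and then checks the p= tag decodes as base64. Taking only the first quoted piece (the mistake described above) leaves a truncated key, which the check flags; the selector name "mail" and domain "example1.com" are assumptions.

```python
"""Flatten an opendkim-genkey selector.txt into one TXT value and sanity-check it.

BIND concatenates the quoted strings inside the parentheses, so the record is
really one long string; web DNS editors usually want that single string.
"""
import base64
import binascii
import re


def make_sample_selector_txt(selector="mail", domain="example1.com"):
    """Constructed stand-in for /etc/dkimkeys/<selector>.txt (not a real key).

    opendkim-genkey splits the p= value into 255-character quoted strings; this
    does the same with a placeholder built from dummy bytes, long enough to
    need splitting like a 2048-bit key would.
    """
    fake_key = base64.b64encode(b"NOT A REAL KEY " * 26).decode()  # 520 chars
    chunks = ["p=" + fake_key[:253]]
    chunks += [fake_key[i:i + 255] for i in range(253, len(fake_key), 255)]
    lines = [f'{selector}._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "']
    lines += [f'\t  "{chunk}"' for chunk in chunks]
    lines[-1] += f" )  ; ----- DKIM key {selector} for {domain}"
    return "\n".join(lines) + "\n"


QUOTED_STRING = re.compile(r'"([^"]*)"')


def flatten_bind_txt(zone_text, max_strings=None):
    """Return (owner name, flat TXT value) for a BIND-style TXT record.

    max_strings is only there to reproduce the mistake of pasting just the
    first quoted piece(s); leave it as None for the correct result.
    """
    owner = zone_text.split()[0]
    pieces = QUOTED_STRING.findall(zone_text)
    if max_strings is not None:
        pieces = pieces[:max_strings]
    return owner, "".join(pieces)


def parse_dkim_record(value):
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into a tag dictionary."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")  # base64 never contains ';', so this is safe
        tags[name.strip()] = val.strip()
    return tags


def check_dkim_record(tags):
    """Return a list of problems with the parsed record (empty means it looks sane)."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 if present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= names a key type other than rsa")
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag: the public key is missing")
    elif p == "":
        problems.append("p= is empty, which DKIM treats as a revoked key")
    else:
        try:
            base64.b64decode(p, validate=True)  # length must be a multiple of 4
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64: the key is probably truncated")
    return problems


if __name__ == "__main__":
    zone = make_sample_selector_txt()
    owner, flat = flatten_bind_txt(zone)
    print(f"{owner} TXT value to paste into the DNS editor:\n{flat}\n")
    print("problems with the full record:", check_dkim_record(parse_dkim_record(flat)))
    _, truncated = flatten_bind_txt(zone, max_strings=2)
    print("problems with only the first p= piece:",
          check_dkim_record(parse_dkim_record(truncated)))
```

Running it prints the one-line record and an empty problem list, then the truncated variant with a "probably truncated" complaint; a real key from opendkim-genkey can be fed to flatten_bind_txt in place of the constructed sample, and opendkim-testkey remains the authoritative check once the record is published.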

Anyway, after all that, opendkim-testkey is happy (but for an 
expected "key not secure" message), emailing 
"check-auth@verifier.port25.com" gives me pass marks all round, and 
after adding a DMARC record "https://mxtoolbox.com/deliverability/" 
reports that everything's perfect. Now, do I expect that Google 
will deliver my email properly again? Well, no, not really. For one 
thing I don't think DKIM really adds much over SPF and reverse-DNS, 
except in the case of automatic email forwarding which I've only 
just learnt breaks SPF, but that definitely didn't happen in every 
case that Gmail sent me to the spam-can. For another, there are 
articles like this recent one which basically say it's all a waste 
of time and you should just give up on hosting your own email:
https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

But so far as I'm concerned I've now done what Google ask for, and 
if they still prevent their users from seeing emails that they want 
to read from me, then really it's up to their users to find a 
better email provider. Or, shock horror, maybe actually check their 
spam folder! Personally I don't do spam filtering at all.

Also AT&T have apparently blocked my VPS provider's IP addresses 
entirely (according to the SMTP errors I'm getting), even though 
they're not on any public spam blacklists. So I guess it won't help 
with that sort of thing.

 - The Free Thinker