Saturday, January 15, 2011

DKIM for Google Apps (but not Appengine)

In the ongoing war against spam, DKIM (DomainKeys Identified Mail) seems to be the best candidate so far - if all legitimate email users started using it, it would be the end of anonymous spam. This article explains DKIM, why you should implement it now, and how to do this with Google Apps.

DKIM allows receiving mail servers to reliably check that an email is actually from the domain it says it's from, using a cryptographic key published in your domain's DNS (Domain Name System) records. This doesn't stop spam, but it makes senders responsible. If you get an unwanted DKIM-signed message, you know exactly who sent it so you can take measures against them - blocking their domain perhaps, or suing them.

More and more spam filters are checking for DKIM signatures, and if your messages are signed they usually bypass other spam checks and are delivered immediately. So DKIM will improve your delivery statistics right now. And as more and more organisations implement DKIM, unsigned messages will become increasingly likely to be classed as spam, and so more and more organisations will implement DKIM to ensure their messages get through.

The faster DKIM spreads, the sooner anonymous spam will become history. We'll still need to manage spam because legitimate organisations will continue to send it, but after a few go bust from CAN-SPAM fines even this should dry up. Bottom line - unless you are a spammer, it is very much in your interests to implement DKIM as soon as possible.

If you use Google Apps for your email, the good news is that DKIM is very easy to set up. Here's how...
  1. Log in as the administrator to your Google Apps dashboard. 
  2. Click on the Advanced tools tab and then the link to Set up email authentication (DKIM).
  3. Click on Generate new record.
  4. Change the prefix selector from google to your organisation (if you want to - this isn't important at all).
  5. This should result in a DNS Host name something._domainkey and a TXT record value v=DKIM1; k=rsa; t=y; p=lotsOfWeirdCharacters
  6. Do not click the Start Authentication button yet!
  7. Now go to your registrar's DNS control panel. I can't give exact instructions here because every control panel is different, but you want to find where you can set the A, CNAME, MX and TXT records for your domain name.
  8. Add a TXT record with the host name and TXT record values from step 5. (Some control panels don't provide a 
  9. Wait a day or so to let the new DNS records percolate through the global name servers. If you're impatient and have dig, try dig txt something._domainkey.your.domain.name until it returns the key.
  10. Log back in to your Google Apps dashboard, and go to the Advanced tools tab and the link to Set up email authentication (DKIM), and click the Start Authentication button.

Once you've done this, messages from your Google Apps domain* should contain a DKIM signature header. To test this, log in to your Google Apps account and send an email to another Gmail account. When it arrives, click the show details link - if all is well, there will be a new line saying Signed by giving your domain name.

* But not messages sent from Appengine, sadly. Please star this issue if this affects you. I'll update this post if the situation changes.
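
A check for step 9, added here as an example and not part of the original post: the Python below takes the TXT answer that dig prints for something._domainkey.your.domain.name, rejoins it when it comes back as several quoted strings, and reports whether the tags from step 5 survived the control panel intact. The function names and the sample record are constructed for illustration; the t=y flag in the generated record marks the domain as still testing DKIM (RFC 6376).

```python
import base64
import re

def join_txt_strings(dig_answer):
    """dig prints a long TXT value as several quoted chunks; rejoin them."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_answer)
    return "".join(chunks) if chunks else dig_answer.strip()

def check_dkim_record(dig_answer):
    """Parse a DKIM key record (RFC 6376 tag=value list) and list problems."""
    tags = {}
    for part in join_txt_strings(dig_answer).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop stray whitespace
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":  # step 5 generates an rsa key
        problems.append("unexpected key type: " + tags["k"])
    key, key_bytes = tags.get("p"), 0
    if key is None:
        problems.append("no p= tag, so this is not a DKIM key record")
    elif key == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            key_bytes = len(base64.b64decode(key, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64 (truncated or mangled paste?)")
    # t=y marks the domain as still testing DKIM (RFC 6376)
    testing = "y" in tags.get("t", "").split(":")
    return {"tags": tags, "testing": testing,
            "key_bytes": key_bytes, "problems": problems}

# Constructed sample: arbitrary bytes standing in for the key, split into two
# quoted strings the way dig displays a TXT value stored as more than one string.
SAMPLE_KEY = base64.b64encode(bytes(range(162))).decode()
SAMPLE_DIG = '"v=DKIM1; k=rsa; t=y; p=%s" "%s"' % (SAMPLE_KEY[:100], SAMPLE_KEY[100:])

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_DIG))
```

Feed it the output of dig +short txt something._domainkey.your.domain.name; an empty problems list means the published record matches what the dashboard generated in form, and testing tells you whether t=y is still set.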
