2
votes

I'm using Perl with the MIME::Lite module to send email to my subscribed mailing list using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records:

use MIME::Lite;
use Net::SMTP;

my $host = 'mail.domain.com';
my $user = '[email protected]';
my $pass = 'password1234';

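# Route every later send() through Net::SMTP with SMTP AUTH.
# $from, $to and $subject_enc are set elsewhere in the script.
MIME::Lite->send('smtp', $host, AuthUser => $user, AuthPass => $pass);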
my $msg = MIME::Lite->new(
    From     => $from,
    To       => $to,
    Subject  => $subject_enc,
    Type     => 'text/plain; charset=UTF-8',
    Encoding => 'quoted-printable',
    Data     => 'Hello everyone!'
);
$msg->send;

This works just fine, but the DKIM signature fails in Gmail (and presumably others).

However, when I send email without SMTP authentication:

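use MIME::Lite;

# No MIME::Lite->send('smtp', ...) call here, so send() falls back to
# MIME::Lite's default method: piping the message to the local sendmail binary.
my $msg = MIME::Lite->new(
    From     => $from,
    To       => $to,
    Subject  => $subject_enc,
    Type     => 'text/plain; charset=UTF-8',
    Encoding => 'quoted-printable',
    Data     => 'Hello everyone!'
);
$msg->send;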

The DKIM passes fine.

So my question is: if I have successfully implemented both DKIM and SPF records on all my outgoing email, is it even necessary to use SMTP authentication to verify the sender of the email, or is piping to Sendmail with the appropriate headers sufficient to ensure best chance of delivery?

1 Answer

1
votes

Local authentication doesn't add much to the credibility of your messages, but also there's no harm in it. It will show up in your Received headers either way, and there's a distant possibility you might be marked down by spam filters for it (they'd probably be more interested in whether any hops were unencrypted, which is independent of auth).

That you used auth shouldn't make any difference to DKIM - but what will make a difference is where (and if) your DKIM signing takes place - for example if your local mail server signs but your remote one doesn't. Does the MIME::Lite package do DKIM signing itself? Or are you relying on your servers to do it? Your headers in received messages will show you what has been signed where, and they may also give you some clues about what exactly is wrong with your DKIM signature - it would be useful if you added Gmail's headers to your question.

A separate concern is performance - submitting via a sendmail binary is relatively inefficient - all sendmail binaries do is open a synchronous SMTP connection to localhost anyway, so you may as well do it directly - this is what Postfix recommends.
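
One way to read "what has been signed where" out of a received message, as an added example that is not part of the original answer. It is written in Python so it can be run over a message saved from the mailbox; the sample headers, host names, selector and the function names `tags` and `dkim_report` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed headers for illustration (not taken from the question).
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=fail header.i=@domain.com header.s=sel1;
       spf=pass smtp.mailfrom=news@domain.com
Received: from mail.domain.com (mail.domain.com [192.0.2.10])
        by mx.example.net with ESMTPS id x1; Mon, 1 Jan 2024 10:00:02 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=sel1;
        h=from:to:subject:date; bh=Zm9v; b=AbCd
Received: from localhost (localhost [127.0.0.1])
        by mail.domain.com with ESMTPA id y2; Mon, 1 Jan 2024 10:00:00 +0000
From: news@domain.com

Hello everyone!
"""

def tags(value):
    """Parse a DKIM 'k=v; k=v' tag list (RFC 6376)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def dkim_report(raw):
    """Summarise who signed, at which hop, and what the receiver concluded."""
    headers = [(n.lower(), re.sub(r"\s+", " ", v).strip())
               for n, v in message_from_string(raw).items()]
    report = {"results": {}, "signatures": []}
    for i, (name, value) in enumerate(headers):
        if name == "authentication-results":
            for method, verdict in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value):
                report["results"].setdefault(method, verdict)  # topmost wins
        elif name == "dkim-signature":
            t = tags(value)
            # Headers are prepended in transit, so the nearest Received line
            # below a signature normally names the host that signed it.
            below = (re.search(r"\bby (\S+)", v)
                     for n, v in headers[i + 1:] if n == "received")
            hop = next((m.group(1) for m in below if m), None)
            report["signatures"].append({
                "domain": t.get("d"), "selector": t.get("s"),
                "canon": t.get("c", "simple/simple"),
                "signed_headers": t.get("h", "").lower().split(":"),
                "signed_at": hop})
    return report

if __name__ == "__main__":
    print(dkim_report(SAMPLE))
```

Comparing the report for a message sent over authenticated SMTP with one sent through the sendmail pipe shows whether both paths produce a signature and which host added it.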