How to configure DKIM / Domain Keys


This article describes what Domain Keys are and how to configure them in ListManager.

What is DKIM

  • DKIM is an email authentication system which expands on the outdated DomainKeys standard, which was originally created in part by Yahoo.
  • It gives ISPs and email receivers a mechanism for verifying the domain of each email sender, as well as a way to tell whether the message was altered during transit.
  • Additionally, signing your mail with DKIM allows many ISPs to track the reputation of your signing domain, allowing you better control over your deliverability.
  • We strongly recommend all senders configure DKIM signing.
  • One of the primary reasons for this is that DKIM is the only way to enroll in the Yahoo feedback loop - it's not possible to process Yahoo spam complaints without having DKIM in place.
  • To learn more about DKIM/Domain Keys, follow this link to see the Domain Keys FAQ page in the ListManager documentation. (DKIM and DomainKeys share many similarities, so our existing articles on DomainKeys are generally applicable to DKIM as well.)

Configuring DKIM

  1. From the ListManager web interface, navigate to Utilities > Administration > Sites.
  2. Click 'Advanced configuration' next to the desired site.
    • The site you should select depends on the from address you use for mailings.
    • For example, if you have a site called Sales where all the lists under that site use the from address "newsletter@sales.example.com", then sales.example.com is the sending domain you will want to configure so that all outgoing emails are authenticated.
  3. In the 'Domains Requiring Configuration' box, click the 'Add Domain' button.
  4. Type the domain and click OK.
  5. The selector is an arbitrary value you choose.
    • Note: It is used primarily for purposes of uniqueness - to allow multiple servers to sign DKIM for a single domain, for example.
    • The specific value doesn't matter as long as there are no other selectors using that value.
    • It's generally easiest and most common to use alphanumeric characters for the selector - e.g., 'selector', '8675309', 'lyrisisgreat', 'mailstream1', etc.
    • Technically, it can be any string that is considered legal in DNS and email headers. When you generate a new public/private key combination, you must choose a new selector. It is a good idea to do this periodically for increased security - this is commonly referred to as "key rotation".
  6. Click the 'Bits' drop-down list and choose a bit size. We recommend 1024 bits in most cases, and never lower than 1024.
    • This number determines the size (in bits) of the private key. You can choose one of five sizes: 512, 758, 1024, 1536 or 2048. The larger sizes offer greater security, but this is offset by a small penalty in CPU performance. We do not recommend using DKIM keys smaller than 1024 bits in length, as these may be treated as insecure by some ISPs.
  7. Click the 'Generate Key' button. The private key and public key appear in the Private Key and Public Key boxes.
    • This procedure runs a program called openssl.exe in the background. You can also generate public and private keys by running openssl.exe outside of ListManager. If you have existing public and private keys and don't need to generate them in ListManager, select the Paste Your Key option, and then paste your keys into the appropriate boxes.
  8. Click 'Save Key'. Leave this window open, as we'll be using the key we just generated in the next step.

Creating the DKIM/Domain Keys selector record

  • Use your favorite text editor to create the DKIM selector record described below.
  • Notepad will work if you're using Windows, but we do not recommend using Wordpad or Microsoft Word (or similar word processing software), as these may modify elements in the record, potentially causing signing issues.
  • The selector record holds your public key.
  • You can set up multiple selectors to be used on different servers if you like, or you can use one selector for all your outgoing email.
  • You can also create a selector that only works for one specific email address.
  • Example selector record: 12345._domainkey.example.com IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAlh28b20S2tETjIa4krj8lJFT8VhAHLmcCAwEAAQ==;"

The selector record consists of the following three sections:

  1. In the above example, '12345' is the selector.
    • The selector must always be followed by a dot, then an underscore, then the word "domainkey", then another dot, and then the domain name, like this: 12345._domainkey.example.com
    • Make sure the selector you add to your selector record is the same as the one you used in the DKIM/DomainKey configuration.
  2. Record identifier: "IN TXT" This simply identifies the type of DNS record (TXT) we're using.
  3. The public key itself, and associated information: "k=rsa; p=MFwwDQYJK... [snip] ...CAwEAAQ=="

Note: This section needs to be enclosed in quotation marks.

  • Your key record should begin with "k=rsa; ". This specifies the type of signing algorithm in use.
  • "p=[Public Key]" contains the public key you generated in the configuration process earlier.
    • You will need to make a small change to the key format from what you've been provided in ListManager:
    • LM provides the key with a specific number of characters per line, so the key spans multiple lines. Remove the carriage returns/line feeds so the key is a single line.
    • Similarly, don't include the lines that read '-----BEGIN PUBLIC KEY-----' or '-----END PUBLIC KEY-----'.
  • These instructions cover the most common tags included in the signature - the vast majority of senders won't need to change this. However, if you'd like additional detail, to learn about other tag=value pairs and why you might want to include them, go to http://tools.ietf.org/html/rfc4871 to review section 3.6.1.

When you're done, your record should look like the example above, but your record is likely to be longer, particularly the public key. That's normal.
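The steps above (strip the BEGIN/END lines, join the key into one line, wrap it as "k=rsa; p=...") and the 1024-bit minimum from the configuration section can be checked mechanically. The following is an added example, not code from ListManager or this article: it builds a selector record from a PEM public key in the format openssl produces, then parses the published record back and reads the RSA modulus size directly from the DER-encoded key so a too-short key is caught before it is relied on. The modulus used in the sample is a constructed value for demonstrating the format, not a real key.

```python
import base64
import re

# Minimal DER helpers, enough for an RSA SubjectPublicKeyInfo as openssl emits it.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)

RSA_OID_NULL = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL params

def spki_pem(n, e):
    """Wrap a modulus/exponent as a PEM public key, 64 chars per line like openssl."""
    rsa = tlv(0x30, der_int(n) + der_int(e))
    spki = tlv(0x30, tlv(0x30, RSA_OID_NULL) + tlv(0x03, b"\x00" + rsa))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def selector_record(selector, domain, pem):
    """Drop the BEGIN/END lines and line breaks, then build the TXT record from the article."""
    key = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return f'{selector}._domainkey.{domain} IN TXT "k=rsa; p={key};"'

def read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln

def key_bits(p_tag):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    _, body, _ = read_tlv(base64.b64decode(p_tag), 0)   # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)                       # AlgorithmIdentifier
    _, bitstr, _ = read_tlv(body, pos)                  # BIT STRING
    _, rsa, _ = read_tlv(bitstr, 1)                     # skip unused-bits byte
    _, n, _ = read_tlv(rsa, 0)                          # modulus INTEGER
    return int.from_bytes(n, "big").bit_length()

def check_record(txt, min_bits=1024):
    """Return (acceptable, bits): k must be rsa and the key at least min_bits long."""
    quoted = re.search(r'"([^"]*)"', txt).group(1)
    tags = dict(kv.strip().split("=", 1) for kv in quoted.split(";") if kv.strip())
    bits = key_bits(tags["p"])
    return tags.get("k") == "rsa" and bits >= min_bits, bits
```

To check a record that is already live, pass the TXT string returned by your DNS lookup tool to check_record.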

Finally, publish this record in DNS.

Note: Instructions for publishing in DNS aren't covered here, as this step happens outside of ListManager.

  • Consult your DNS hosting provider or DNS host software manual for guidance on this process if necessary.
  • Your IT or technical operations team may also be of assistance during this step.

Configure DKIM Options

  1. Navigate to Utilities > Administration > Sites.
  2. Click the site for which you have set up DKIM signing, and then select the 'DKIM/DomainKeys' tab.
  3. Ensure DKIM Signing is turned on and defaults to on.
    • Note: We currently do not recommend signing with DomainKeys, as it is a deprecated standard replaced by DKIM - so leave DomainKey signing set to 'no', and default to 'off'.
  4. The Header field lets you assign specific headers to be included in the digital signature. We recommend including:
    • From
    • Reply-To
    • To
    • Subject
    • Date
    • List-Unsubscribe
    • Content-Type
    • Mime-Version

Header notes

  • In some cases, message forwarding may cause the DKIM signature to become invalid for forwarded messages, although forwarded messages will usually make up a very small proportion of your overall recipients.
  • If you find yourself running into issues caused by invalid signatures on forwarded messages, removing certain headers from the signature may help. However, doing so also increases the (small) chance that your DKIM signatures can be spoofed or forged - so it's best not to take that step unless you're experiencing a specific problem.

Testing

  1. From Utilities > Administration > Sites, click the Validate Key button.
    • If Validate Key is greyed out, click 'Save and Configure' at the bottom so you can select the domain you want to validate.
    • Should you get a failure, verify that sufficient time has passed to allow your new DNS entries to propagate. This can take up to 48 hours depending on the DNS provider, but is commonly much faster.
  2. Test that your messages are being signed by sending a message to yourself (at a domain that validates DKIM) so you can view the headers. Screenshots of how you can view headers can be found at this link under the section, “When I open a typical email, I only see a few of the most basic headers. How do I view all headers in Yahoo / Outlook / Gmail?”

Note: Gmail, Outlook and Yahoo will all validate DKIM, but if you have multiple options, we've found it easiest to view the authentication results in Gmail.
