What is DKIM email authentication configuration?
Environment:
DKIM (DomainKeys Identified Mail), Email authentication
Oracle B2C Service
Resolution:
DKIM (DomainKeys Identified Mail) is an email authentication technology designed to identify legitimate senders of email. A DKIM signature is a cryptographic signature generated from selected header and body components of an email. That signature is then validated against the DNS information published for your organization. If you plan to implement DKIM authentication for your site, please also consider implementing SPF (Answer ID 2489 SPF and Sender ID considerations with Oracle B2C Service sites) in conjunction so your messages are fully authenticated.
Oracle B2C Service supports DKIM for all outbound email (Service and Outreach).
If you use an Oracle-supplied email address, either custhelp.com or rnmk.com, for your Friendly From/Branded Address, no further action is needed. Oracle B2C Service already signs these emails. Because DKIM allows domain-based reputation lists to be built, we strongly recommend using your own domain name in the Friendly From/Branded Address.
To enable DKIM for your outbound email using your organization’s domain name in the Friendly From/Branded Address field (emails are signed based on the value configured in the outgoing email settings), use the following checklist:
1. Submit a service request requesting DKIM signing. Specify the email address you intend to use as the Friendly From/Branded Address in your mailings. Our standard key length is 1024 bits. If you would like a 2048-bit key, please add that information to your request. We will DKIM-sign subdomains using the DKIM key for an organizational domain, or we can set up DKIM keys for subdomains.
2. Oracle will generate a public-private key pair for signing these messages and a unique selector that will be used when signing them, and will update the incident with the selector in a form suitable for use with BIND DNS servers. If you have multiple domains, we can specify a key that can be used for multiple domains on one site. By default, we will apply an organizational DKIM key to any mailbox using a subdomain, and the public key in the organizational/top-level domain DNS will be used for verification. If preferred, we can sign specifically for a subdomain.
3. Your organization’s IT administrators must add this selector within the domain to be signed. If your IT department uses a DNS infrastructure other than BIND, they must consult their documentation or vendors on the appropriate form to be used. Update the incident when this step has been completed.
4. Oracle will verify that your DNS is updated correctly, and that the published selector in your domain validates against DKIM standards.
5. Oracle will configure our mail servers to sign messages matching the domain name portion of your “From:” address, and will close the incident after testing. Subsequently, all your email using that domain name delivered from our hosting environment will contain a DKIM signature. If you have added a domain key for multiple domains, the process repeats from step 3: you publish the key for the new domain, then we verify it (step 4) and enable it (step 5) for that domain on our servers.
Example:
You are in charge of marketing and support services for your organization WidgetsRUs, using the domain name “widgetsrus.com”.
- Submit a service request for this information: ‘We would like to sign with DKIM for all emails using a “From:” header of “someemail@widgetsrus.com”’
- Oracle generates a public-private key and a unique selector, called “dkimrnt012345”. We update the incident with the following records suitable for publishing within your domain (these records should all be on one line; no spaces are permitted in the public key [p=] portion):
dkimrnt012345._domainkey.widgetsrus.com. IN TXT "v=DKIM1; k=rsa; h=sha; p=MIG……QAB"
- Oracle receives your confirmation that the selectors have been published. Oracle verifies the validity of these published selectors. Oracle configures our mail servers to sign all messages using an email address containing a domain name portion of “widgetsrus.com”. We verify that these signatures are being added and are validating against your DNS, and update and close the incident with our results.
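An added example, not Oracle's tooling: a Python check an administrator could run on the TXT data before updating the incident. It flags the pitfalls the example above calls out (quotes mangled into curly quotes, whitespace in p=) and reports the RSA key size so it can be compared with the 1024 or 2048 bit key requested. It goes slightly beyond the text by also accepting a record split into several quoted strings, which DNS concatenates. The names check_record, rsa_bits and sample_p and the sample keys are constructed for illustration.

```python
import base64, re

# DER headers of an RSA SubjectPublicKeyInfo; the modulus bytes follow each prefix.
PREFIX = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
          2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}

def sample_p(bits):
    """Constructed p= value: correct structure and size, but not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    spki = bytes.fromhex(PREFIX[bits]) + modulus + bytes.fromhex("0203010001")
    return base64.b64encode(spki).decode()

def tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that begins at pos."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return pos, pos + n

def rsa_bits(spki):
    """Modulus size in bits of a DER-encoded RSA SubjectPublicKeyInfo."""
    start, _ = tlv(spki, 0)                  # outer SEQUENCE
    _, alg_end = tlv(spki, start)            # AlgorithmIdentifier
    bit_start, _ = tlv(spki, alg_end)        # BIT STRING
    key_start, _ = tlv(spki, bit_start + 1)  # skip unused-bits byte, enter RSAPublicKey
    m_start, m_end = tlv(spki, key_start)    # INTEGER modulus
    return int.from_bytes(spki[m_start:m_end], "big").bit_length()

def check_record(rdata):
    """Return (key_bits or None, problems) for the TXT data of a selector record."""
    problems = ["curly quotes"] if re.search("[\u201c\u201d]", rdata) else []
    chunks = re.findall(r'"([^"]*)"', re.sub("[\u201c\u201d]", '"', rdata))
    txt = "".join(chunks) if chunks else rdata  # DNS joins quoted strings, no separator
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        problems.append("expected v=DKIM1 and k=rsa")
    p = tags.get("p", "")
    if re.search(r"\s", p):
        problems.append("whitespace inside p=")
    try:
        bits = rsa_bits(base64.b64decode(re.sub(r"\s", "", p), validate=True))
    except (ValueError, IndexError):
        bits = None
        problems.append("p= is not a base64 RSA public key")
    return bits, problems

if __name__ == "__main__":
    print(check_record('"v=DKIM1; k=rsa; p=%s"' % sample_p(1024)))
```

Pass it the TXT data exactly as it will be published; an empty problem list and the expected key size mean the record is ready for Oracle's verification step.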
For additional information, see the following standards and documentation:
http://www.dkim.org - DKIM working group
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail - Summary of DKIM
http://tools.ietf.org/html/rfc4871 - Standards for DKIM