
SOLVED

DKIM implementation with on-premise installation


Community Advisor

Hello,

Can somebody give us some documentation on how to implement DKIM keys:

Do we follow the OpenDKIM implementation with an on-premise installation?

Where do I put the information about which private key should be used?

Is it automatically assigned from the .ssh folder?

Do we need to sign email before we add TXT records?

....


The only thing I have found is this from @Jonathon_wodnicki in https://experienceleaguecommunities.adobe.com/t5/adobe-campaign-standard/how-to-implement-dkim-and-d...

 

 

For DKIM:

Create a TXT record:


Hostname: selector._domainkey

Value: v=DKIM1; p=base64 encoding of pub key



Follow these steps for the key pair:

- Create a private key: openssl genrsa -out dkim_private.pem 2048
- Get its public key: openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null |  openssl base64 -A
- Create a long text xtk:option with internal name selector_RSA_PRIVATE_KEY_domain and 
   fill value with contents of dkim_private.pem. Selector is from the hostname field, 
   domain is the fqdn.
- Set hostname to _domainkey.subdomain if desired

 

 

Marcel

1 Accepted Solution


Correct answer by
Community Advisor

Hello All,

 

The answer from @Jonathon_wodnicki on the other post worked in the end - Post about DKIM

 

I guess it would be beneficial that it is added to the official documentation.

Apart from what @Jonathon_wodnicki wrote:

 

 

 

 

For DKIM:

Create a TXT record:


Hostname: selector._domainkey

Value: v=DKIM1; p=base64 encoding of pub key



Follow these steps for the key pair:

- Create a private key: openssl genrsa -out dkim_private.pem 2048
- Get its public key: openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null |  openssl base64 -A
- Create a long text xtk:option with internal name selector_RSA_PRIVATE_KEY_domain and 
   fill value with contents of dkim_private.pem. Selector is from the hostname field, 
   domain is the fqdn.
- Set hostname to _domainkey.subdomain if desired

 

 

 

 

Also, the following 'minor' settings have to be done:

In Administration -> Campaign management -> Non Deliverables Management -> Mail Rule Sets -> Domain management

 


 

You need to enable DKIM for the domain you want to have DKIM. I have enabled it for all (no idea if that's good practice, but OOTB this was not checked; I might change it in the future).

 

Also restart the MTA.

 

The option looks like:

Here you need to add the private key as a long text option:

 


 

selector_RSA_PRIVATE_KEY_domain

 

After this is set, send yourself an email and you can see in the header that the email is signed:

 

 

Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
X-MC-Unique: xxxxxxxxxxxxxxxxxxxxxxxxx
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	s=selector;
	d=domain-email.com;
	h=from:subject:date:to:reply-to:mime-version:x-mailer:message-

....
.....

 

Also, the public key has to be added to the TXT record in the domain settings. If it's not added, the email header will contain the following:

 

dkim=none ("invalid DKIM record")

 

Marcel
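Added example (not part of the original posts and not Adobe's code): a small Python check that derives the TXT hostname and the xtk:option internal name from the `s=` and `d=` tags of a DKIM-Signature header, using the naming pattern given above, and lints a key record for common causes of an "invalid DKIM record" result. The sample header, the filler key bytes and the function names are constructed for illustration.

```python
import base64
import binascii
import re

def dkim_names(selector, domain):
    """TXT hostname and xtk:option internal name, following the post's naming."""
    return f"{selector}._domainkey.{domain}", f"{selector}_RSA_PRIVATE_KEY_{domain}"

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def check_txt_record(txt_strings):
    """Return the problems found in a DKIM key record given as its TXT strings."""
    problems = []
    if any(len(s.encode()) > 255 for s in txt_strings):
        problems.append("a TXT string exceeds 255 bytes; split the value")
    tags = parse_tags("".join(txt_strings))  # verifiers concatenate the strings
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif p == "":
        problems.append("p= is empty (key revoked)")
    elif "BEGIN" in p:
        problems.append("p= contains PEM armor; publish the bare base64 only")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if der[:1] != b"\x30":
                problems.append("p= is not a DER SEQUENCE (SubjectPublicKeyInfo)")
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: header tags as in the post, filler bytes instead of a real key.
SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\ts=selector;\n\td=domain-email.com;"
FAKE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()  # 392 chars
GOOD = ["v=DKIM1; p=" + FAKE_P[:200], FAKE_P[200:]]  # split into two TXT strings
BAD = ["v=DKIM1; p=" + FAKE_P]  # one 403-byte string

if __name__ == "__main__":
    sig = parse_tags(SIG)
    print(dkim_names(sig["s"], sig["d"]))
    print(check_txt_record(GOOD), check_txt_record(BAD))
```

A 2048-bit key encodes to more than 255 base64 characters, so the DNS provider has to store the value as several TXT strings; the check treats them as one value after concatenation.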


3 Replies


Employee Advisor

Hi Marcel,

 

Have you also checked out the Adobe helpex documentation below?

 

https://experienceleague.adobe.com/docs/deliverability-learn/deliverability-best-practice-guide/addi...

 

Regards,

Craig


Community Advisor

Yes.

"Adobe Campaign option declaration: in Adobe Campaign, the DKIM private key is based on a DKIM selector and a domain. It is not currently possible to create multiple private keys for the same domain/sub-domain with different selectors. It is not possible to define which selector domain/sub-domain must be used for the authentication in neither the platform or the email. The platform will alternatively select one of the private keys, which means the authentication has a high chance of failing."

It does not say in which option or where to add certificates, etc.
