Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

DKIM implementation with on premise installtion

Marcel_Szimonisz
Community Advisor
Community Advisor

Hello,

can somebody give us some documentation on how to implement DKIM keys:

do we follow open dkim implementation with on premise installation?

where do I put information what private key should be used?

Is it automatically assigned from .ssh folder?

Do we need to sign email before we add txt records?

....


Only thing i have found is this from @Jonathon_wodnicki in https://experienceleaguecommunities.adobe.com/t5/adobe-campaign-standard/how-to-implement-dkim-and-d...

 

 

For DKIM:

Create a TXT record:


Hostname: selector._domainkey

Value: v=DKIM1; p=base64 encoding of pub key



Follow these steps for the key pair:

- Create a private key: openssl genrsa -out dkim_private.pem 2048
- Get its public key: openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null |  openssl base64 -A
- Create a long text xtk:option with internal name selector_RSA_PRIVATE_KEY_domain and 
   fill value with contents of dkim_private.pem. Selector is from the hostname field, 
   domain is the fqdn.
- Set hostname to _domainkey.subdomain if desired

 

 

Marcel

1 Accepted Solution
Marcel_Szimonisz
Correct answer by
Community Advisor
Community Advisor

Hello All,

 

Answer from @Jonathon_wodnicki  on the other post worked at the end - Post about DKIM 

 

I guess it would be beneficial that it is added to the official documentation.

Apart from what @Jonathon_wodnicki wrote:

 

 

 

 

For DKIM:

Create a TXT record:


Hostname: selector._domainkey

Value: v=DKIM1; p=base64 encoding of pub key



Follow these steps for the key pair:

- Create a private key: openssl genrsa -out dkim_private.pem 2048
- Get its public key: openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null |  openssl base64 -A
- Create a long text xtk:option with internal name selector_RSA_PRIVATE_KEY_domain and 
   fill value with contents of dkim_private.pem. Selector is from the hostname field, 
   domain is the fqdn.
- Set hostname to _domainkey.subdomain if desired

 

 

 

 

 also the following 'minor' settings have to be done:

In Administration -> Campaign management -> Non Deliverables Management -> Mail Rule Sets -> Domain management

 

MarcelSzimonisz_0-1630573943665.png

 

You need to enable DKIM for domain you want to have DKIM. I have enabled it for all (no idea if that's good practice but ootb this was not checked, i might change it in the future)

 

Also restart the MTA

 

The option looks like:

Here you need to add Private key as long text option

 

MarcelSzimonisz_1-1630574183296.png

 

selector_RSA_PRIVATE_KEY_domain

 

After this is set and you send yourself email and you can see in the header that email is signed

 

 

Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
X-MC-Unique: xxxxxxxxxxxxxxxxxxxxxxxxx
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	s=selector;
	d=domain-email.com;
	h=from:subject:date:to:reply-to:mime-version:x-mailer:message-

....
.....

 

Also Public Key has to be added to the TXT record in domain settings. If its not added the email header will contain following:

 

dkim=none ("invalid DKIM record")

 

Marcel

View solution in original post

3 Replies
Marcel_Szimonisz
Community Advisor
Community Advisor

yes 

"Adobe Campaign option declaration: in Adobe Campaign, the DKIM private key is based on a DKIM selector and a domain. It is not currently possible to create multiple private keys for the same domain/sub-domain with different selectors. It is not possible to define which selector domain/sub-domain must be used for the authentication in neither the platform or the email. The platform will alternatively select one of the private keys, which means the authentication has a high chance of failing."

It is not on what option where to add certficates etc.

Marcel_Szimonisz
Correct answer by
Community Advisor
Community Advisor

Hello All,

 

Answer from @Jonathon_wodnicki  on the other post worked at the end - Post about DKIM 

 

I guess it would be beneficial that it is added to the official documentation.

Apart from what @Jonathon_wodnicki wrote:

 

 

 

 

For DKIM:

Create a TXT record:


Hostname: selector._domainkey

Value: v=DKIM1; p=base64 encoding of pub key



Follow these steps for the key pair:

- Create a private key: openssl genrsa -out dkim_private.pem 2048
- Get its public key: openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null |  openssl base64 -A
- Create a long text xtk:option with internal name selector_RSA_PRIVATE_KEY_domain and 
   fill value with contents of dkim_private.pem. Selector is from the hostname field, 
   domain is the fqdn.
- Set hostname to _domainkey.subdomain if desired

 

 

 

 

 also the following 'minor' settings have to be done:

In Administration -> Campaign management -> Non Deliverables Management -> Mail Rule Sets -> Domain management

 

MarcelSzimonisz_0-1630573943665.png

 

You need to enable DKIM for domain you want to have DKIM. I have enabled it for all (no idea if that's good practice but ootb this was not checked, i might change it in the future)

 

Also restart the MTA

 

The option looks like:

Here you need to add Private key as long text option

 

MarcelSzimonisz_1-1630574183296.png

 

selector_RSA_PRIVATE_KEY_domain

 

After this is set and you send yourself email and you can see in the header that email is signed

 

 

Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
X-MC-Unique: xxxxxxxxxxxxxxxxxxxxxxxxx
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	s=selector;
	d=domain-email.com;
	h=from:subject:date:to:reply-to:mime-version:x-mailer:message-

....
.....

 

Also Public Key has to be added to the TXT record in domain settings. If its not added the email header will contain following:

 

dkim=none ("invalid DKIM record")

 

Marcel

View solution in original post