Articles in this section

See more

DKIM Signing

Avatar
Nick Syrax
  • Edited

Click employs industry-standard best practices to ensure the highest level of deliverability for its customers, and that includes the use of DKIM Signing.

DKIM is one of the factors that inbox providers and spam filters consider when deciding what to do with an email. DKIM signing allows for an email to be associated with a sending domain by the inclusion of an encrypted signature in the email's header. This signature corresponds to a key in the sending domain's DNS.

What does DKIM accomplish?

    1. DKIM provides a way to verify the sender of the email. The sender in this case does not have to match the From information, it's more about the server responsible for sending the email.
    2. DKIM provides a way to verify that a portion of the message body and/or email headers were not changed in transit.

Click automatically provides DKIM signing support for all email sent by our customers through our service as the default set up. We sign all outbound emails with DKIM using either email.clickdimensions.com or emaileu.clickdimensions.com.

Example of a standard DKIM signature

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=emaileu.clickdimensions.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA
For more information on DKIM Signatures, see DKIM.org and Wikipedia.

Custom DKIM Signing

Even though Click provides DKIM automatically, we also offer custom DKIM signing. So instead of our default domain (email.clickdimensions.com) being used in the signature, we can sign the emails using your (sub)domain.  This will also update the domain used in the Return Path.

For example, if you used the following From information . . .

From:  Tomato Gardens <newsletter@tomatogardens.com>

. . . then your custom DKIM Signature may look like this.

  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=market.tomatogardens.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA

And the Return Path will look like this

Return-Path: xx-1234-5678-1a2b3c-4d5d6f@market.tomatogardens.com

 

Why would you consider customizing your DKIM signature?

The number one reason is that you're using DMARC. For DMARC to pass, either the SPF needs to pass and be aligned to the From address, or the DKIM needs to pass and be aligned to the From address. DKIM will pass with the default set up, but it will lack the alignment needed.

Microsoft is now requiring the same authentication and alignment requirements of DMARC.  If you are a B2B sender, you'll also want custom DKIM for this purpose to avoid emails being delivered to the Junk folder for any recipient that uses Outlook on Exchange or Office 365.

Another reason may be for security and whitelisting reasons. If you or your recipients wish to whitelist the Click email traffic specific to that sender, a unique identifier in the headers is needed and the DKIM domain can serve this purpose.

How can you customize a DKIM signature?

To begin the process, please bookmark and read through this article here. You will use the Email Sending Domains tool in ClickDimensions Settings to generate a suite of DNS (of type MX and TXT) records that you must create. The DNS records will be created on your public DNS, and you may need your DNS Service Provider to complete that task. You will need the following information.

  1. Your Sending Domains, which are the Domain(s) used in the From Address.
    • If you use more than one From Address, please provide all of the domains and designate which one is the default or most used domain.
  2. A Subdomain not currently in use and something unique to Click for the DKIM signature.
    • This subdomain will only be visible in the email headers (i.e. it will not be visible to the normal email recipient).
    • The subdomain can be anything that makes sense for your organization. For example, an organization named Tomato Gardens could use any of the following subdomains.
      1. cd.tomatogardens.com
      2. emails.tomatogardens.com
      3. market.tomatogardens.com
      4. e.tomatogardens.com
  3. A Subdomain for the email CNAME if one is not already set up.

What DNS records are required for the custom DKIM set up?

  • On the domain—SPF and DKIM records which are TXT, or DNS type 16 resource records
  • On the subdomain—SPF, and DKIM, which are TXT or DNS type 16 resource records, and MX or DNS type 15 resource records

Why are Subdomain and MX records required?

There are a few pieces of key data that Click can receive back from the recipient or recipient’s server that we need to receive directly and process to be compliant—unsubscribes, bounces, and spam complaints.

The subdomain and MX requirements for the DKIM customization are specifically related to spam complaints. Spam complaints are processed via Feedback Loops, and the Feedback Loops can be based on IP or domain. The domain-based Feedback Loops use the domain in the DKIM signature (d=) to send the complaints via email. Therefore, Click needs to route those complaints back via MX records on the domain in the DKIM signature. We cannot place MX records on a sender's organizational domain (such as tomatogardens.com) as that would disrupt the individual email sent from your own mailboxes.

Will the subdomain be visible to the end recipient?

No. The end recipient will see the From Name and/or From Email that you declare in the Email Send Record. The subdomain will only be visible in the email headers (and DNS) and the average recipient will not read the email headers.

Do I have to change the From Email Address to use the subdomain?

No. The subdomain will only be used in the headers. For example, if the subdomain is market.tomatogardens.com, the email will use From: newsletter@tomatogardens.com.

The only exception to this rule is if a customer has strict DMARC set up for both SPF and DKIM.

Can my organization provide the selector or key?

No. We use a standard selector of “gears” or "gears2" and provide the public key to you for the DNS record.

Does Click use 1024 or 2048-bit keys?

By default, we set up custom DKIM/Email Sending Domains with 1024-bit keys. The reason for this is that the public key of 401 characters is well over 255 characters that many DNS services use, and would very often require concatenation. The concern is that some DNS providers will not allow 401 characters in a record for a 2048 bit-length key, so the key will be split into two or more records. However, we can set up 2048-bit keys by special request - please open a Support ticket with us if you want to request 2048-bit DKIM.

Does Click support custom DKIM using CNAME records?

We currently do not support custom DKIM using CNAME records.

Does Click support strict adkim or aspf?

We currently do not support strict adkim, the sending domain will need the applicable DMARC default adkim value of relaxed either by using the adkim=r; or removing the adkim tag altogether. We also do not support strict aspf, the applicable DMARC default aspf value of relaxed either by using the aspf=r; or removing the aspf tag altogether. This is needed to support DKIM signing on a subdomain as described previously.

Was this article helpful?

We're sorry to hear that.

Please tell us why.

Related articles