ClickDimensions employs industry-standard best practices to ensure the highest level of deliverability for its customers, and that includes the use of DKIM Signing.
DKIM is one of the factors that inbox providers and spam filters consider when deciding what to do with an email. DKIM signing associates an email with a sending domain by including a cryptographic signature in the email's header. The signature is verified against a public key published in the sending domain's DNS.
What does DKIM accomplish?
- DKIM provides a way to verify the sender of the email. The sender in this case does not have to match the From information; it's more about the server responsible for sending the email.
- DKIM provides a way to verify that a portion of the message body and/or email headers were not changed in transit.
By default, ClickDimensions automatically provides DKIM signing support for all email sent by our customers through our service. We sign all outbound emails with DKIM using either email.clickdimensions.com or emaileu.clickdimensions.com.
Example of a standard DKIM signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=emaileu.clickdimensions.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA
For more information on DKIM Signatures, see DKIM.org and Wikipedia.
Custom DKIM Signing
Even though ClickDimensions provides DKIM automatically, we also offer custom DKIM signing. So instead of our default domain (email.clickdimensions.com) being used in the signature, we can sign the emails using your (sub)domain. This will also update the domain used in the Return Path.
For example, if you used the following From information . . .
From: Tomato Gardens <newsletter@tomatogardens.com>
. . . then your custom DKIM Signature may look like this.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=market.tomatogardens.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA
And the Return Path will look like this:
Return-Path: xx-1234-5678-1a2b3c-4d5d6f@market.tomatogardens.com
Why would you consider customizing your DKIM signature?
The number one reason is that you're using DMARC. For DMARC to pass, either SPF needs to pass and be aligned to the From address, or DKIM needs to pass and be aligned to the From address. DKIM will pass with the default setup, but it will lack the alignment needed.
Microsoft now applies the same authentication and alignment requirements as DMARC. If you are a B2B sender, you'll also want custom DKIM to avoid emails being delivered to the Junk folder for recipients who use Outlook on Exchange or Office 365.
Another reason is security and whitelisting. If you or your recipients wish to whitelist the ClickDimensions email traffic specific to that sender, a unique identifier in the headers is needed, and the DKIM domain can serve this purpose.
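The DMARC alignment point above, worked through on this page's sample headers. This is an added example, not ClickDimensions code; the function names and the small public-suffix set are assumptions made for illustration, and it checks alignment only, not whether the signature verifies.

```python
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Header values copied from the page's examples (the b= value is truncated there).
FROM = "Tomato Gardens <newsletter@tomatogardens.com>"
SIG_TAIL = ("h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:"
            "List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA")
DEFAULT_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; "
               "d=emaileu.clickdimensions.com; " + SIG_TAIL)
CUSTOM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; "
              "d=market.tomatogardens.com; " + SIG_TAIL)

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # bh=/b= values may contain '='
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_alignment(from_header, sig_value):
    """Return (d= domain, relaxed-aligned, strict-aligned) for one signature.

    Alignment only: DMARC also requires the signature itself to verify.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    d = parse_dkim_tags(sig_value)["d"].lower()
    return d, org_domain(d) == org_domain(from_domain), d == from_domain

def dkim_key_record(sig_value):
    """DNS name where a verifier looks up the public key: <s>._domainkey.<d>."""
    tags = parse_dkim_tags(sig_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

if __name__ == "__main__":
    for label, sig in (("default", DEFAULT_SIG), ("custom", CUSTOM_SIG)):
        print(label, dkim_alignment(FROM, sig), dkim_key_record(sig))
```

The custom subdomain aligns in relaxed mode but not in strict mode, which is why a strict DMARC policy is the one case where the From address itself would need to use the subdomain.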
How can you customize a DKIM signature?
To begin the process, please open a support ticket asking for custom DKIM. The ticket will be escalated to the Deliverability team, which handles email configuration tickets. They will need the following information from you.
- Domain(s) used in the From Address.
  - If you use more than one From Address, please provide all of the domains and designate which one is the default or most used domain.
- A Subdomain not currently in use and something unique to ClickDimensions for the DKIM signature.
  - This subdomain will only be visible in the email headers (i.e. it will not be visible to the normal email recipient).
  - The subdomain can be anything that makes sense for your organization. For example, an organization named Tomato Gardens could use any of the following subdomains.
    - cd.tomatogardens.com
    - emails.tomatogardens.com
    - market.tomatogardens.com
    - e.tomatogardens.com
- A Subdomain for the email CNAME if one is not already set up.
Once the domains are designated, the Deliverability Team will supply the DNS records that need to be set up on DNS under the customer’s domain.
- When the DNS records are created, the records will be verified. At this point everything needed for the account configuration is complete.
- The server changes will be made during the weekly change window (Thursday evening EST).
- Once the server changes are complete, there are a few tests that we run on the ClickDimensions side, after which we will request a window to apply the changes to the account when there aren’t bulk sends scheduled.
- Once the changes are applied to the account, we will ask that they be tested.
What DNS records are required for the custom DKIM setup?
- On the domain—SPF and DKIM
- On the subdomain—SPF, DKIM, MX
Why are Subdomain and MX records required?
There are a few pieces of key data that ClickDimensions can receive back from the recipient or recipient’s server that we need to receive directly and process to be compliant—unsubscribes, bounces, and spam complaints.
The subdomain and MX requirements for the DKIM customization are specifically related to spam complaints. Spam complaints are processed via Feedback Loops, and the Feedback Loops can be based on IP or domain. The domain-based Feedback Loops use the domain in the DKIM signature (d=) to send the complaints via email. Therefore, ClickDimensions needs to route those complaints back via MX records on the domain in the DKIM signature. We cannot place MX records on a company’s organizational domain (such as tomatogardens.com) as that would disrupt company email.
Will the subdomain be visible to the end recipient?
No. The end recipient will see the From Name and/or From Email that you declare in the Email Send Record. The subdomain will only be visible in the email headers (and DNS) and the average recipient will not read the email headers.
Do I have to change the From Email Address to use the subdomain?
No. The subdomain will only be used in the headers. For example, if the subdomain is market.tomatogardens.com, the email will use From: newsletter@tomatogardens.com.
The only exception to this rule is if a customer has strict DMARC set up for both SPF and DKIM.
Can my company provide the selector or key?
No. We use a standard selector of “gears” and provide the public key to you for the DNS record.
Does ClickDimensions use 1024 or 2048-bit keys?
We use 1024-bit keys.
Does ClickDimensions support custom DKIM using CNAME records?
We currently do not support custom DKIM using CNAME records.
How does a customer initiate an account configuration for custom DKIM and the Return Path?
Open a Support ticket, explain what is needed and ask for the ticket to be escalated to the Deliverability team. For the escalation you'll need to provide: all sending domains used, preferred subdomains, and any Email CNAMEs already set up.