Thursday, January 20, 2011

How to deploy DKIM email authentication in 4 steps

DKIM is an emerging e-mail authentication standard supported by Yahoo, Google and others ISPs, as well as a growing number of Email Service Providers that was developed by the Internet Engineering Task Force. DKIM allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message. Deploying DKIM for your company is pretty straightforward. If you are managing all of your own email servers and outbound email, including sales, marketing and transactional emails, there are 4 steps. If you are using an ESP there are 2 very simple steps that take about 10 minutes. Here’s the rundown.
DKIM provides email authentication and often complements Email authorization. Email authorization is implemented using 'Sender Policy Framework' ("SPF") and/or SenderID. I'll explain how to configure SenderID/SPF in a related posting.
Configuring DKIM (Companies Managing their Own MTAs)
If you are hosting your own email servers, your company needs to take these 4 steps to deploy the emerging DomainKeys Identified Mail (DKIM) standard:
Step #1:
Figure out all the domains that are allowed to send outbound mail on its behalf. Often this includes multiple corporate domains as well as third-party e-mail Service Providers (like Pinpointe). This is often the hardest step - especially for large organizations.
Step #2:
Next you’ll use an online wizard to create the DKIM public / private key pairing and the policy record. The ‘public’ key is a key that will be placed in your public-facing DNS record along with what’s called a ‘policy record’.
The ‘private’ key is a long key that is installed on the MTA/Email sending system(s). When you send an email, the outgoing email server (or the outgoing server of your Email Service Provider, such as Pinpointe), adds the
Here are two online wizards you can use to create the public/private key pair and the policy record. You just enter your sending domain and a ’selector’ - which is kind of like a password key (if you use an ESP - the ESP does all this for you):
http://www.socketlabs.com/services/dkwiz
http://www.port25.com/support/support_dkwz.php
Step #3:
Create DNS text records that include DKIM information for every domain that is used to send e-mail. These records will be inserted in your public facing DNS record for each sending domain. If you don’t know how to insert / modify your DNS entry, you can find a description in our description of setting up an SPF record - the process is pretty much the same:
http://www.pinpointe.com/blog/install-an-spf-record-to-improve-email-delivery
Step #4:
Upgrade your emails servers and/or software to support DKIM. (Note - In the Email world, Email servers are often called “message transfer agents” or “MTAs”).” MTAs are the last component of a messaging system to touch outbound e-mail. That’s where DKIM signatures are attached.

Steps to Implement DKIM With an Email Service Provider :
If you are using an ESP, the process is trivial:

Step #1 - Ensure you have access to your domain’s DNS Entry (see step #2 above)
Step #2 - Call your ESP. Your ISP can provide you the key information and policy entries for your DNS entry.