Email, Configuring Authenticated Email using a vendor DKIM record
This KB provides the steps necessary to set up custom domain authentication for 3rd party and cloud applications
Configuring Authenticated Email from a 3rd party using the vendor DKIM record:
This KB provides the steps necessary to set up custom domain authentication for 3rd party and cloud applications that:
a. CAN use their own domain in the 'mail from' address (the 'behind the scenes' email address a typical email recipient will not see).
b. CANNOT configure a custom DKIM signature for your domain to be used for the 'header from' address (this is the address an email recipient sees when they read their email).
To improve deliverability of email, SPF and DKIM should both be configured, but they do NOT have to use matching domains. In this article, you'll learn how to set up DKIM to authenticate email from your desired domain.
NOTE: If you intend to send email ‘as’ @illinois.edu, we cannot add additional include statements to the campus SPF record. This configuration will require that the vendor use their own domain in the ‘mail from’ address of messages, while using ‘illinois.edu’ in the ‘header from’, using the DKIM signature coordinated with Technology Services in the following steps.
Before You Start
Here are some things to know before you begin this process:
- This configuration will NOT align the SPF 'Mail From' with your desired domain. It will rely on the vendor using their own domain in the 'mfrom' address and maintaining their own SPF record appropriately.
- This configuration WILL align the DKIM signature to your desired domain, and if the desired domain is used in the 'header from' address, your email will align with DMARC and pass authentication tests to help ensure delivery.
To set up domain authentication, you must submit the DNS record details provided by the vendor to the campus host manager so the record can be added to DNS for your domain. Your messages will be signed against this record, so your recipients will be able to authenticate the sender as allowed to send the email.
Here's a brief overview of the process:
Working within your 3rd party application interface, or with their support:
- verify your sending domain
- request the identifier and DKIM record they will use to sign email
- using the domainkey DNS record they provide, request the DNS CNAME record from your hostmanager:
- <identifier>._domainkey.<desireddomain>.com. | CNAME | <DKIM record from the vendor>
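Once the CNAME is published, a test message can be checked for the alignment described under "Before You Start": SPF passes on the vendor's domain but is not aligned, while DKIM is aligned with the 'header from'. The following is an added example, not part of the original KB or any vendor tooling; the message headers, the vendor domain mailer.vendor.example and the selector sel1 are constructed placeholders, and the organizational domain is approximated as the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real mail flow). The vendor domain
# and the selector "sel1" are placeholders.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounces@mailer.vendor.example;
 dkim=pass header.d=illinois.edu header.s=sel1;
 dkim=pass header.d=vendor.example header.s=v1
From: Campus Unit <unit@illinois.edu>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List; this holds for illinois.edu.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw):
    """Report which passing identifiers align with the 'header from' domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Unfold the header; only trust results stamped by your own receiving server.
    results = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    spf_aligned = dkim_aligned = False
    for clause in (c.strip() for c in results.split(";")):
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # a failed check can never contribute to DMARC
        if m.group(1) == "spf":
            d = re.search(r"smtp\.mailfrom=(\S+)", clause)
            dom = d.group(1).rpartition("@")[2] if d else ""
            spf_aligned |= org_domain(dom) == org_domain(from_dom)
        else:
            d = re.search(r"header\.d=(\S+)", clause)
            dkim_aligned |= bool(d) and org_domain(d.group(1)) == org_domain(from_dom)
    # DMARC needs only one aligned, passing identifier.
    return {"header_from": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

If the vendor signs only with its own domain (no signature with d= set to your domain), neither identifier aligns and the same check reports a DMARC failure.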