
DKIM and sending email on behalf of many domains - explain it to me like I'm a dummy


We run a server that provides a service for a few hundred customers, and there's a feature that allows them to generate some automated emails which go out to various colleagues and external partners. Some of our clients want to use their company email address (e.g. 'bob@[theircompanyname].com') rather than the one we provide ('alerts@[ourservice].com'). Ten years ago, we used to just spoof the emails and hope for the best.

We then moved to asking customers to add an SPF record to their domain to whitelist our server's IP address. However, this isn't always enough to get emails through, presumably because DKIM hasn't also been implemented.

My understanding is we'd need to add a DKIM record for every client who wants to use our service to send emails from their domain (which could mean 20 or 30 records in practice). Beyond that, I'm slightly lost. So my question is: what else do we have to do on our side to get the appropriate DKIM header added to each email that gets sent out?

Thanks!

I think you're pretty much on track. However, it may be useful to know that you can put in DKIM signatures for you as a sender, not signed for the domain `[theircompanyname].com`. Google does it too. Even when you don't set up DKIM for your domain, the mail will still contain DKIM signatures proving it came from Google. So, you can at least already sign all mail with a `d=ourservice.com`, which will likely add to your trust rating. It won't be as good as an 'aligned' sender domain (google 'dkim alignment'), but it's something.
Reinto
I agree with @Halfgaar that it is something to at least sign with your own DKIM key. However, what I was wondering about most is: do you validate your customers' domain ownership? If using shared infrastructure, meaning all your customers use your sending server IP address(es), how do you make sure that they can't abuse each other's email domains? If that's sorted, you can add one or more DKIM key pairs to your servers and DNS records (private key on server and public key in DNS) and request your customers to publish CNAME records to point to the DKIM public key in your domain.
popkinson
Reinto, abuse wouldn't be an issue. These are corporate clients sending notifications to their colleagues. It's a very niche service in a tightly regulated space. Any abuse would be immediately obvious.
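
The setup Reinto describes (CNAME delegation plus a per-customer ownership check), sketched as an added example that is not part of the original thread or any poster's code. The domains, the selector `svc1`, the tenant table and all function names are hypothetical; the cryptographic signing itself is left to the mail server's DKIM signer, which would be handed the `d=`/`s=` pairs chosen here.

```python
from email.utils import parseaddr

SERVICE_DOMAIN = "ourservice.example"  # assumption: stands in for [ourservice].com
SELECTOR = "svc1"                      # assumption: hypothetical selector name

# Constructed sample data: domains each tenant has proven control of and
# delegated to us via the CNAME below. Keyed per tenant so one customer
# cannot get a signature for another customer's domain.
VERIFIED = {
    "tenant-a": {"theircompany.example"},
    "tenant-b": {"partner.example"},
}


def customer_cname(domain, selector=SELECTOR):
    """Record the customer publishes; it resolves to the public key in our zone."""
    return (f"{selector}._domainkey.{domain.lower()}. IN CNAME "
            f"{selector}._domainkey.{SERVICE_DOMAIN}.")


def from_domain(from_header):
    """Extract the lower-cased domain of the From: address."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        raise ValueError(f"no usable address in From: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def signing_plan(tenant, from_header):
    """Return (signatures, aligned): the (d=, s=) pairs to sign with and
    whether one of them matches the From: domain."""
    domain = from_domain(from_header)
    signatures = [(SERVICE_DOMAIN, SELECTOR)]     # always sign as ourselves
    aligned = domain == SERVICE_DOMAIN
    if domain in VERIFIED.get(tenant, set()):
        signatures.insert(0, (domain, SELECTOR))  # aligned customer signature
        aligned = True
    return signatures, aligned


if __name__ == "__main__":
    print(customer_cname("theircompany.example"))
    for tenant, hdr in [("tenant-a", "Bob <bob@TheirCompany.example>"),
                        ("tenant-b", "bob@theircompany.example")]:
        print(tenant, hdr, signing_plan(tenant, hdr))
```

When `aligned` comes back false, the message carries only the service-domain signature, which is the unaligned case Halfgaar describes; the caller can then decide whether to send it with the service's own From address instead.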