
We run a server that provides a service for a few hundred customers, and there's a feature that allows them to generate some automated emails which go out to various colleagues and external partners. Some of our clients want to use their company email address (e.g. 'bob@[theircompanyname].com') rather than the one we provide ('alerts@[ourservice].com'). Ten years ago, we used to just spoof the emails and hope for the best.

We then moved to asking customers to add an SPF record to their domain to whitelist our server's IP address. However, this isn't always enough to get emails through, presumably because DKIM hasn't also been implemented.

My understanding is we'd need to add a DKIM record for every client who wants to use our service to send emails from their domain (which could mean 20 or 30 records in practice). Beyond that, I'm slightly lost. So my question is: what else do we have to do on our side to get the appropriate DKIM header added to each email that gets sent out?

Thanks!

popkinson
  • I think you're pretty much on track. However, it may be useful to know that you can put in dkim signatures for you as a sender, not signed for the domain `[theircompanyname].com`. Google does it too. Even when you don't set up dkim for your domain, the mail will still contain DKIM signatures proving it came from Google. So, you can at least already sign all mail with a `d=ourservice.com`, which will likely add to your trust rating. It won't be as good as an 'aligned' sender domain (google 'dkim alignment'), but it's something. – Halfgaar Jan 17 '23 at 14:19
  • I agree with @Halfgaar that it is something to at least sign with your own DKIM key. However, what I was wondering about most, is do you validate your customers' domain ownership? If using shared infrastructure, meaning all your customers use your sending server IP address(es), how do you make sure that they can't abuse each other's email domains? If that's sorted, you can add one or more DKIM key pairs to your servers and DNS records (private key on server and public key in DNS) and request your customers to publish CNAME records to point to the DKIM public key in your domain. – Reinto Jan 18 '23 at 14:25
  • Reinto, abuse wouldn't be an issue. These are corporate clients sending notifications to their colleagues. It's a very niche service in a tightly regulated space. Any abuse would be immediately obvious. – popkinson Jan 18 '23 at 16:56
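
As an added example (not from the question or any of the commenters, and not the service's own code): a minimal RFC 6376 signer in Go showing what "adding the DKIM header on our side" amounts to, assuming one RSA key pair per customer, a selector you assign per customer, and the customer's domain in `d=` so the signature aligns with their `From:`. `DNSRecord` builds the TXT value for the matching public key, which the customer either publishes at `<selector>._domainkey.<theircompany>` or, as Reinto suggests, points at via CNAME to a copy hosted under your own domain; `theircompany.example` and the sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`) // WSP runs collapse to one SP under "relaxed" canonicalization

// DNSRecord is the TXT value at <selector>._domainkey.<customer-domain>, or at the CNAME target under our domain.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// BodyHash is the bh= tag: SHA-256 over the RFC 6376 "relaxed" form of the body.
func BodyHash(body string) string {
	b := wsp.ReplaceAllString(strings.ReplaceAll(body, "\r\n", "\n"), " ")
	b = strings.TrimRight(strings.ReplaceAll(b, " \n", "\n"), " \n") // drop trailing WSP and trailing empty lines
	if b != "" {
		b += "\n" // a non-empty body ends with exactly one CRLF; an empty body hashes as the empty string
	}
	h := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(h[:])
}

// Sign builds the DKIM-Signature value for one message: d= is the customer's domain (so it aligns
// with their From:), s= the selector whose private key we hold for them. Use the value only if err == nil.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers [][2]string, body string) (string, error) {
	var names []string
	var in strings.Builder // relaxed header form: lower-cased name, unfolded, WSP collapsed, trimmed
	for _, h := range headers {
		names = append(names, h[0])
		v := strings.NewReplacer("\r\n", "", "\n", "").Replace(h[1])
		in.WriteString(strings.ToLower(h[0]) + ":" + strings.TrimSpace(wsp.ReplaceAllString(v, " ")) + "\r\n")
	}
	unsigned := "v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain + "; s=" + selector +
		"; h=" + strings.Join(names, ":") + "; bh=" + BodyHash(body) + "; b="
	in.WriteString("dkim-signature:" + unsigned) // hashed last, with b= empty and no trailing CRLF
	d := sha256.Sum256([]byte(in.String()))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return unsigned + base64.StdEncoding.EncodeToString(sig), err
}
```

The returned value is emitted as the `DKIM-Signature:` header on the outgoing message; a receiver fetches `p=` from the TXT record, recomputes the same canonical forms and verifies the RSA signature.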
