Using DKIM and SPF

DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are standards that enable OneSpan Sign to send emails on behalf of a customer in a way that can be validated by a recipient's Email Service Provider. Specifically, the provider can perform the following verifications of such email messages:

  • DKIM authenticates the message body and headers against the FROM header domain.

  • SPF authenticates the IP address that originated the SMTP connection.

Any OneSpan Sign account can be configured to use DKIM. However, doing so requires modifications to the account owner’s Domain Name System (DNS) entries. Specifically, the account owner must add a Sender Policy Framework (SPF) record as a “txt” record to their DNS entries.

OneSpan supports both DKIM and SPF authentication. However, DKIM configuration and validation can occur only on certain dates. This activity requires OneSpan Sign's Cloud Operations team to do manual system configuration. To learn the next available dates, please contact your Professional Services Consultant.

Enabling DKIM with OneSpan Sign provides the following features:

  • Ability to change the "FROM" email address to be an email address of your choice: By default, all emails sent from OneSpan Sign use an @onespan.com From email address. Enabling DKIM with OneSpan Sign will ensure that emails are not marked as SPAM when they are sent by a custom domain.

  • Out-of-the-box Email Bounce Back handling: OneSpan Sign's default email bounce-back behaviour will apply.

When sending an email on behalf of your domain, OneSpan Sign configures the email's headers to ensure that the replies on bounce-back are routed to OneSpan Sign, independent of the email's FROM field.

OneSpan Sign sends your emails from a "Mail-From" domain that its mail server owns. By enabling DKIM, your emails will pass SPF authentication.

The rest of this section discusses the following:

Domain vs. Single Email Address Verification

  • Domain Verification (Recommended): Enables Amazon SES to send emails from any email address within the verified domain.

  • Single Email Address Verification: Enables Amazon SES to send emails only from the verified email address. This address will be used as the FROM address in all OneSpan Sign email templates.

Enabling DKIM Signing

DKIM entries enable a message's content to be cryptographically signed, so that a recipient can verify that no one has tampered with it. DKIM entries are provided by OneSpan Sign in the form of a .csv file.

When Domain Verification is used, entries consist of a txt entry and three CNAME entries. When Single Email Address Verification is used, entries consist of only the three CNAME entries.

Here are some examples of possible CNAME entries:

Record name | Record type | Record value

b2npb3nxdsbhzcbsab2npbrsknzg7gyl._domainkey.us.mydomain.com | CNAME | b2npb3nxdsbhzcbsab2npbrsknzg7gyl.dkim.amazonses.com

ft6st3nxdsbhzcbsapghm5f7xbpakw4e._domainkey.us.mydomain.com | CNAME | ft6st3nxdsbhzcbsapghm5f7xbpakw4e.dkim.amazonses.com

6yg63nxdsbhzcbsappqtz7jdx32pixgf._domainkey.us.mydomain.com | CNAME | 6yg63nxdsbhzcbsappqtz7jdx32pixgf.dkim.amazonses.com

Enabling SPF Authentication

SPF authenticates the IP address that originated the SMTP connection. A text entry, like the one below for an SPF record, must be added in the DNS.

Record name | Record type | Record value

yourdomain.com | TXT | amazonses:bWLeUdKqqcJUNN2uOUPbkMbCfYh5lvskugetbjLlHOc=

If an SPF record already exists, the “include:amazonses.com” clause can be added, separated by spaces. For example:

  v=spf1 include:mail.silanis.com include:amazonses.com -all

The “-all” option specifies that all sources not in the SPF record should be rejected. Using the “~all” option would validate but not reject other servers.
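
The merge described above can be scripted so that the new clause always lands ahead of the terminating "all" term and a typographic dash pasted from a document is caught before it reaches DNS. This is an added example, not OneSpan code; the function name add_spf_include is hypothetical.

```shell
#!/bin/sh
# Added example: merge an include into an existing SPF record.

# add_spf_include RECORD DOMAIN
# Prints RECORD with "include:DOMAIN" placed ahead of the terminating "all"
# mechanism. SPF terms are evaluated left to right and "all" always matches,
# so anything written after it is never reached.
# The body runs in a subshell with globbing off so "?all" is not expanded.
add_spf_include() (
    set -f
    record=$1 domain=$2 out="" added=0
    case $record in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo "error: not an SPF record: $record" >&2; exit 1 ;;
    esac
    for term in $record; do
        case $term in
            "include:$domain") added=1 ;;      # sender already authorised
            *:*|*=*|*/*) ;;                    # other terms carrying arguments
            [-~+?]all|all)
                if [ "$added" -eq 0 ]; then
                    out="$out include:$domain"; added=1
                fi ;;
            *all)                              # e.g. an en dash instead of "-"
                echo "error: malformed 'all' term: $term" >&2; exit 2 ;;
        esac
        out="$out $term"
    done
    [ "$added" -eq 1 ] || out="$out include:$domain"
    printf '%s\n' "${out# }"
)

# Usage: add_spf_include "v=spf1 include:mail.silanis.com -all" amazonses.com
```

The result replaces the existing TXT value; a domain should publish a single SPF record rather than a second one beside it.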

Enabling DKIM Authentication

If you want to enable DKIM email authentication, you must work with your Sales Representative to purchase the service. In particular:

  1. Once a technical consultant has been assigned to help you, you will be asked to provide a domain or single email address to be verified. OneSpan recommends that you provide the domain from which your emails will be sent.

    For Single Email Address Verification, ensure that you have access to the relevant email address. To complete the verification process, you will be sent an email from Amazon SES. Click the link in that email.

  2. OneSpan Sign will provide you with the DKIM entries that you will use to update your DNS entries.

  3. Add these DKIM entries in the verified domain’s DNS from which you want to send emails. DKIM won't work unless the DNS entries are updated.

    If you don't update your DNS entries within 72 hours, you will need to restart this process.

  4. Once you have added your DKIM entries to your DNS, OneSpan will send you confirmation that the configuration has been completed.

  5. Log into your OneSpan Sign account to create and send a test transaction. Verify that the FROM email address in the invitation email is the one provided in Step 1.

    When sending an email on behalf of your domain, OneSpan Sign configures the email's headers to ensure that the replies on bounce-back are routed to OneSpan Sign, independent of the email's FROM field.

    OneSpan Sign sends your emails from a "Mail-From" domain that its mail server owns. By enabling DKIM, your emails will pass SPF authentication.

Validating DKIM

To verify that customers have correctly entered the CNAME records in their DNS, the following validation command can be run (using dig):

  dig abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname

If the command has run successfully, the header of the output should report ANSWER: 1, as in the following sample. If you get ANSWER: 0, the configuration is incorrect or has not propagated yet.

; <<>> DiG 1.22.5-P3-RedHat-1.23.6-2.P3.fc24 <<>> abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
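
ANSWER: 1 only shows that a CNAME exists, not that it points at the value you were given. The following added example (not OneSpan code) checks every CNAME row of the DKIM .csv file against DNS with dig; the column order name,type,value and the function name check_dkim_cnames are assumptions, since the page does not show the file's layout.

```shell
#!/bin/sh
# Added example: compare DKIM CNAME rows from a CSV file with live DNS.
# Assumed CSV layout (not specified on the page): name,type,value per line.

# check_dkim_cnames FILE
# Prints one PASS/FAIL line per CNAME row; returns the number of failures.
check_dkim_cnames() {
    failures=0
    while IFS=, read -r name type expected || [ -n "$name" ]; do
        [ "$type" = "CNAME" ] || continue      # skip the header and TXT rows
        # +short prints only the answer data; no output means ANSWER: 0
        got=$(dig +short "$name" CNAME | head -n 1 | tr 'A-Z' 'a-z')
        got=${got%.}                            # drop the trailing root dot
        # Tolerate CRLF line endings and case differences in the file
        want=$(printf '%s' "$expected" | tr -d '\r' | tr 'A-Z' 'a-z')
        want=${want%.}
        if [ -z "$got" ]; then
            echo "FAIL $name: no CNAME answer (missing or not yet propagated)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $name: points to $got, expected $want"
            failures=$((failures + 1))
        else
            echo "PASS $name"
        fi
    done < "$1"
    return "$failures"
}

# Usage: check_dkim_cnames dkim-entries.csv
```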

A useful reference is:

Determining Amazon SES IP Addresses

The following blog describes how to determine the outgoing IP addresses used by Amazon SES:

DKIM Bounce Email Header Sample
