Using DKIM and SPF
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are standards that enable OneSpan Sign to send emails on behalf of a customer in a way that can be validated by a recipient's Email Service Provider. Specifically, the provider can perform the following verifications of such email messages:
- DKIM authenticates the message body and headers against the FROM header domain.
- SPF authenticates the IP address that originated the SMTP connection.
Any OneSpan Sign account can be configured to use DKIM. However, doing so requires modifications to the account owner’s Domain Name System (DNS) entries. Specifically, the account owner must add a Sender Policy Framework (SPF) record as a “txt” record to their DNS entries.
OneSpan supports both DKIM and SPF authentication. However, DKIM configuration and validation can occur only on certain dates. This activity requires OneSpan Sign's Cloud Operations team to do manual system configuration. To learn the next available dates, please contact your Professional Services Consultant.
Enabling DKIM with OneSpan Sign provides the following features:
- Ability to make the "FROM" field an email address of your choice: By default, all emails sent from OneSpan Sign use an @onespan.com From email address. Enabling DKIM with OneSpan Sign will ensure that emails are not marked as SPAM when they are sent by a custom domain.
- Out-of-the-box Email Bounce Back handling: OneSpan Sign's default email bounce-back behaviour will apply.
When sending an email on behalf of your domain, OneSpan Sign configures the email's headers to ensure that the replies on bounce-back are routed to OneSpan Sign, independent of the email's FROM field.
OneSpan Sign sends your emails from a "Mail-From" domain that its mail server owns. By enabling DKIM, your emails will pass SPF authentication.
The rest of this section discusses the following:
- Enabling DKIM Signing
- Enabling SPF Authentication
- Enabling DKIM Authentication
- Validating DKIM
- Determining Amazon SES IP Addresses
- DKIM Bounce Email Header Sample
Enabling DKIM Signing
DKIM entries enable a message's content to be cryptographically signed, so that the recipient can verify that no one has tampered with it. DKIM entries are provided by OneSpan Sign in the form of a .csv file.
When Domain Verification is used, entries consist of a txt entry and three CNAME entries.
Here are some examples of possible CNAME entries:
Record name | Record type | Record value |
---|---|---|
b2npb3nxdsbhzcbsab2npbrsknzg7gyl._domainkey.us.mydomain.com | CNAME | b2npb3nxdsbhzcbsab2npbrsknzg7gyl.dkim.amazonses.com |
ft6st3nxdsbhzcbsapghm5f7xbpakw4e._domainkey.us.mydomain.com | CNAME | ft6st3nxdsbhzcbsapghm5f7xbpakw4e.dkim.amazonses.com |
6yg63nxdsbhzcbsappqtz7jdx32pixgf._domainkey.us.mydomain.com | CNAME | 6yg63nxdsbhzcbsappqtz7jdx32pixgf.dkim.amazonses.com |
Enabling SPF Authentication
SPF authenticates the IP address that originated the SMTP connection. If an SPF record already exists, the “include:amazonses.com” clause can be added, separated by spaces. For example:
"v=spf1 include:mail.yourdomain.com include:amazonses.com ~all"
The “-all” option specifies that all sources not in the SPF record should be rejected. Using the “~all” option would validate but not reject other servers.
Record name | Record type | Record value |
---|---|---|
yourdomain.com | TXT | "v=spf1 include:mail.yourdomain.com include:amazonses.com ~all" |
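The check below is an added example, not OneSpan or Amazon code: it audits the TXT records of a domain for the merged SPF record described above and flags the common mistake of publishing a second SPF record instead of extending the existing one. The function name `audit_spf` and the sample records are constructed for illustration; the TXT strings would normally come from a DNS query.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records, required_include="amazonses.com"):
    """Return a list of problems found in a domain's TXT records ([] means OK)."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        # Receivers treat several SPF records as a permanent error, so the
        # include must be merged into the existing record, not added beside it.
        return ["multiple v=spf1 records: merge them into one"]
    terms = spf[0].lower().split()[1:]
    bare = [t.lstrip("+-~?") for t in terms]       # terms without qualifier
    problems = []
    if f"include:{required_include}" not in bare:
        problems.append(f"missing include:{required_include}")
    lookups = sum(1 for t in bare if re.split(r"[:=/]", t)[0] in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms (limit is 10)")
    has_redirect = any(t.startswith("redirect=") for t in bare)
    if "all" not in bare:
        if not has_redirect:
            problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif bare[-1] != "all":
        problems.append("terms after 'all' are never evaluated")
    elif terms[-1] in ("all", "+all", "?all"):
        problems.append(f"'{terms[-1]}' does not restrict unlisted senders")
    return problems

# Constructed sample inputs, using the page's placeholder domains.
MERGED = ['"v=spf1 include:mail.yourdomain.com include:amazonses.com ~all"']
NOT_YET_ADDED = ['"v=spf1 include:mail.yourdomain.com -all"',
                 '"some-site-verification=abc"']
SECOND_RECORD = ['"v=spf1 include:mail.yourdomain.com -all"',
                 '"v=spf1 include:amazonses.com ~all"']

if __name__ == "__main__":
    for name, recs in [("merged", MERGED), ("not yet added", NOT_YET_ADDED),
                       ("second record", SECOND_RECORD)]:
        print(f"{name}: {audit_spf(recs) or 'OK'}")
```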
Enabling DKIM Authentication
If you want to enable DKIM email authentication, you must work with your Sales Representative to purchase the service. In particular:
1. Once a technical consultant has been assigned to help you, you will be asked to provide a domain to be verified. OneSpan recommends that you provide the domain from which your emails will be sent.
2. OneSpan Sign will provide you with the DKIM entries that you will use to update your DNS entries.
3. Add these DKIM entries to the DNS of the verified domain from which you want to send emails. DKIM won't work unless the DNS entries are updated.
   If you don't update your DNS entries within 72 hours, you will need to restart this process.
4. Once you have added your DKIM entries to your DNS, OneSpan will send you confirmation that the configuration has been completed.
5. Log into your OneSpan Sign account to create and send a test transaction. Verify that the FROM email address in the invitation email is the one provided in Step 1.
Validating DKIM
To verify that customers have correctly entered the CNAME records in their DNS, the following validation command can be run (using dig):
dig abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname
If the command has run successfully, you should get something like the following feedback, which reports ANSWER: 1. If you get ANSWER: 0, the configuration is incorrect or has not propagated yet.
; <<>> DiG 1.22.5-P3-RedHat-1.23.6-2.P3.fc24 <<>> abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
A useful reference is:
Determining Amazon SES IP Addresses
The following blog describes how to determine the outgoing IP addresses used by Amazon SES:
DKIM Bounce Email Header Sample
Received: from BY1PR0701MB1381.namprd07.prod.outlook.com (10.160.109.149) by DM2PR0701MB1389.namprd07.prod.outlook.com (10.161.251.153) with Microsoft SMTP Server (TLS) id 15.1.409.15 via Mailbox Transport; Wed, 17 Feb 2016 19:40:38 +0000
Received: from DM2PR07CA0028.namprd07.prod.outlook.com (10.141.52.156) by BY1PR0701MB1381.namprd07.prod.outlook.com (10.160.109.149) with Microsoft SMTP Server (TLS) id 15.1.409.15; Wed, 17 Feb 2016 19:40:37 +0000
Received: from BY2FFO11OLC011.protection.gbl (2a01:111:f400:7c0c::143) by DM2PR07CA0028.outlook.office365.com (2a01:111:e400:2414::28) with Microsoft SMTP Server (TLS) id 15.1.409.15 via Frontend Transport; Wed, 17 Feb 2016 19:40:36 +0000
Authentication-Results: spf=pass (sender IP is 54.240.8.19) smtp.mailfrom=amazonses.com; silanis.com; dkim=pass (signature was verified) header.d=mydomain.com;silanis.com; dmarc=pass action=none header.from=mydomain.com;
Received-SPF: Pass (protection.outlook.com: domain of amazonses.com designates 54.240.8.19 as permitted sender) receiver=protection.outlook.com; client-ip=54.240.8.19; helo=a8-19.smtp-out.amazonses.com;
Received: from a8-19.smtp-out.amazonses.com (54.240.8.19) by BY2FFO11OLC011.mail.protection.outlook.com (10.1.15.22) with Microsoft SMTP Server (TLS) id 15.1.415.6 via Frontend Transport; Wed, 17 Feb 2016 19:40:35 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; (3) s=y6oinrvtzki6qrnrbysmfhmohrt5jed5; d=mydomain.com; t=1455738033; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; bh=tUqNZJ345kHNrop1Hd1cRWkwwGoS8Zgm4DEr/TqLJb8=; b=GiME5e7JxB97jYMMQFrxK6BDQSmghJ6NIFwxSV8wlXkhoP2eAz8+N3fM5q/iWtTI 3VUuPa7PRAkcVvtG8TcLHYagY+0i5xPoc0LPGNsKjY38/PZyyQgNjPN+RRGu4L38mfz ouk1YL3g8xJQmeLUUVqZzJykdgQAul4p5w2Wx9D4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; (4) s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1455738033; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID; bh=tUqNZJ345kHNrop1Hd1cRWkwwGoS8Zgm4DEr/TqLJb8=; b=D6d+iaPdZtPeOAPRnYmmFE0UAWfTkiZ+4H8us4NY+Kst5IAToRhkQL7DPv/YBK/4 RP60r2ydUBRYBKwySfuTs5AUeNim+fjrsgNbf1Q85yurM4/oJaRFmUEc+XuFLALXlxZ gwZY1IcaAZ9U9NZ6RIt7HC5xRhUiFxf7RHinb2xs=
Date: Wed, 17 Feb 2016 19:40:33 +0000
From: mydomain Treasury & Payment Solutions <[email protected]>
To: imane chbani <[email protected]>
Message-ID: <00000152f0bf94e6-fdef09cc-288b-4214-8dbf-9559687b87d8-000000@email.amazonses.com>
Subject: mydomain Treasury & Payment Solutions e-Sign - Unable to Reach
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_5930_136818267.1455738033292"
x-esl-recipient-id: Ib3aYD0pBuIY (1)
x-esl-package-id: e00653d4-bcef-4c77-ab73-6bdffacc4186 (2)
X-SES-Outgoing: 2016.02.17-54.240.8.19
Feedback-ID: 1.us-east-1.3NlfApUjweW/0cWJs3jOEOY1DYp+Nc6SU3jUh8AxWj0=:AmazonSES
**Return-Path: 00000152f0bf94e6-fdef09cc-288b-4214-8dbf-9559687b87d8-000000@amazonses.com**
X-MS-Exchange-Organization-Network-Message-Id: 0d001963-4797-48b5-fc73-08d337d234cb
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:54.240.8.19;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(31610200002)(31580200002)(2980300002)(438002)(286005)(65504003)(199003)(189002)(110136002)(19580405001)(25786007)(19580395003)(5008740100001)(10130500003)(90596001)(106466001)(6806005)(110476001)(229853001)(84326002)(64544003)(4001070100004)(104766002)(5001970100001)(107886002)(15650500001)(10300500001)(10770500004)(2476003)(620700001)(4290100001)(92566002)(956001)(10290500002)(4610100001)(54356999)(33646002)(15975445007)(5000100001)(18206015028)(77096005)(4001450100002)(450100001)(1580400003)(50986999)(586003)(270700001)(94776002)(42882005)(95006001);DIR:INB;SFP:;SCL:1;SRVR:BY1PR0701MB1381;H:a8-19.smtp-out.amazonses.com;FPR:;SPF:Pass;MLV:sfv;A:1;MX:1;LANG:en;
X-DkimResult-Test: Passed
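The Authentication-Results header in the sample above shows spf=pass for smtp.mailfrom=amazonses.com, while the match with the visible From domain comes from dkim=pass with header.d=mydomain.com. The following added example (not part of the original page or of any OneSpan tooling) parses that header and reports which mechanism is aligned with the From domain; the function names are hypothetical, the second input is constructed, and alignment is approximated without the Public Suffix List.

```python
import re

def parse_auth_results(value):
    """Return [(method, result, {property: value})] for spf, dkim and dmarc."""
    found = []
    no_comments = re.sub(r"\([^)]*\)", "", value)   # drop "(sender IP is ...)"
    for clause in no_comments.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            props = dict(re.findall(r"\b((?:smtp|header)\.\w+)=(\S+)", clause))
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return found

def aligned(domain, from_domain):
    """Relaxed alignment, approximated as 'equal or parent/child domain'.
    A real verifier compares organizational domains via the Public Suffix List."""
    a, b = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return bool(a) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dmarc_view(value):
    """Show which mechanism, if any, authenticates the visible From domain."""
    results = parse_auth_results(value)
    from_domain = next((p.get("header.from", "")
                        for m, _, p in results if m == "dmarc"), "")
    view = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    for method, result, props in results:
        if method == "spf":
            dom = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            view["spf_aligned"] |= result == "pass" and aligned(dom, from_domain)
        elif method == "dkim":
            dom = props.get("header.d", "")
            view["dkim_aligned"] |= result == "pass" and aligned(dom, from_domain)
        else:
            view["dmarc"] = result
    return view

# Header value copied from the sample on this page.
PAGE_SAMPLE = ("spf=pass (sender IP is 54.240.8.19) smtp.mailfrom=amazonses.com; "
               "silanis.com; dkim=pass (signature was verified) "
               "header.d=mydomain.com;silanis.com; dmarc=pass action=none "
               "header.from=mydomain.com;")
# Constructed: the same message if only the amazonses.com signature verified.
NO_CUSTOM_DKIM = ("spf=pass smtp.mailfrom=amazonses.com; dkim=pass "
                  "header.d=amazonses.com; dmarc=fail action=none "
                  "header.from=mydomain.com;")

if __name__ == "__main__":
    print(dmarc_view(PAGE_SAMPLE))
    print(dmarc_view(NO_CUSTOM_DKIM))
```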