
Is DKIM working now?

There are several threads here about issues with DKIM signing not working.  Most of these appear to be started about a year ago (or earlier).  There appear to have been some well-documented "challenges" in getting SMG to apply the DKIM signature, but none of the threads I can find seem to positively indicate the issue was fully resolved (and in what release)...

So, before I begin the trip down the DKIM rabbit-hole, can anyone confirm it's working as expected?  I don't want to ask SMG to start signing email if it's only going to cause more headaches...  (We just switched ISP and now have inherited a new block of IPs - none of which appear to be blacklisted but getting new pushback (bounces) from some previously happy customers anyway...)

I'm guessing that SMG will provide me the public key once I enable this feature (and maintain the corresponding private key internally)?

Can anyone confirm it's working as expected in the current release?  (Thanks!)

  • Verified Answer

    +1  

    Yes, it is working. I am running DKIM successfully in more than one environment.


    Use "Verified Answers" if your problem/issue has been solved!

  • 0 in reply to   

    Thanks Diethmar!

    So, SMG will provide me the Public key when I "enable" the feature?  ..and then just add a rule to sign outgoing email?

  • 0  

    Yes, it is working. I am running DKIM successfully in more than one environment.

    There is one situation where DKIM is not working - if the message body is empty. So give your test messages a body 😉

  • 0   in reply to 

    Yes, you are right. This is the hardest part of your work. Your DNS server has to understand this entry. Now you will find out that DNS is not DNS 😂

    I.e., one of my customer's DNS was too old to accept the whole key.


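A DNS server or web form that cannot take "the whole key", as in the reply above, is often hitting the 255-byte limit on a single TXT character-string: a 2048-bit RSA DKIM record is longer than that and has to be published as several strings, which verifiers join back together. The following is an added example, not part of the thread and not SMG's own code; the selector `smg`, the domain `example.com` and the key bytes are constructed placeholders.

```python
import base64

MAX_TXT_STRING = 255  # RFC 1035: one TXT character-string holds at most 255 bytes

# Constructed placeholder with the size of a DER-encoded RSA-2048 public key
# (294 bytes). It is NOT a real key; use the one your signing gateway exports.
KEY_DER = bytes(i % 251 for i in range(294))


def build_record(key_der: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(key_der).decode("ascii")


def split_txt(value: str) -> list[str]:
    """Split an ASCII TXT value into character-strings of at most 255 bytes."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def zone_line(selector: str, domain: str, chunks: list[str]) -> str:
    """Render BIND zone-file syntax with one quoted string per chunk."""
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"


def check_published(chunks: list[str], expected_der: bytes) -> list[str]:
    """Return the problems found in a published key record (empty list = OK)."""
    problems = []
    if any(len(c) > MAX_TXT_STRING for c in chunks):
        problems.append("a character-string exceeds 255 bytes")
    # Verifiers join the strings with nothing in between (RFC 6376, 3.6.2.2).
    record = "".join(chunks)
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    key_b64 = "".join(tags.get("p", "").split())
    try:
        published = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return problems + ["p= is not valid base64 (record cut short?)"]
    if published != expected_der:
        problems.append("published key differs from the key the signer exported")
    return problems


if __name__ == "__main__":
    chunks = split_txt(build_record(KEY_DER))
    print(zone_line("smg", "example.com", chunks))  # selector/domain are placeholders
    print(check_published(chunks, KEY_DER))         # full record published
    print(check_published(chunks[:1], KEY_DER))     # only the first 255 bytes stored
```

Feed `check_published` the strings your resolver actually returns for the selector to confirm the record survived publication intact before enabling signing.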

  • 0

    I can confirm that it works as well. And it is safe to test if you create your DMARC record with a policy p=none. With a DMARC record you can receive reports about how DKIM works and/or what you still have to do.

  • 0  

    Sending a mail to Gmail is a very good way to test your DKIM settings. Gmail shows useful information if you go for "show original".

  • 0 in reply to 

    Thanks, I already have DMARC running and have been getting reports for several days now (p=none)!

    Curiously, after changing ISPs, previously "happy" customers (at least one major) started bouncing our email.  I've checked several aggregate reporting sites (inc mxtoolbox) and our IP is coming up clean on every blacklist so not sure why they claim our "IP Reputation" is "poor". Anyway, I set up DMARC (which we didn't need to communicate previously) and I just want to be ready to implement DKIM if DMARC doesn't make them "happy" again.  We have always used SPF so right now DMARC is only using our long standing SPF record (which references our allowable sender by "MX" - as always - and not a specific IP - and the DNS/mx record has obviously been updated as well)

    So not sure why this one (US Gov) recipient was unhappy.  Maybe they just hadn't seen any traffic from our new IP before...

  • 0 in reply to   

    That's good to know - thanks!

    Eventually, I'll likely turn on DKIM in any case, but I'm hoping our new IP address will "settle in" before I start changing things again...

  • 0 in reply to 

    I have recently experienced poor performance with a customer when sending emails to a company protected by Cisco spamfilter equipment. Cisco has the talosintelligence database (https://www.talosintelligence.com/) and its own rules to block IPs. One of the rules is that the sending IP DNS FQDN has to be the same as the FQDN in the SMTP SSL certificate. And the RR record has to be aligned as well.

  • 0   in reply to 
    So not sure why this one (US Gov) recipient was unhappy.  Maybe they just hadn't seen any traffic from our new IP before...

    Edward, this is the problem with IP reputation. I have the same issue.

    It's not that your IP address has a bad reputation, it just doesn't have a good reputation.

    Micro Focus uses SMG. When SMG started using Bitdefender, all my SR email replies were blocked. They had to create an IP address exception for me. For that reason, I don't filter email based on IP reputation. It doesn't matter where you set the slider, some important email will get blocked.

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada