Setting Up DKIM for OpenAir Notifications

DKIM provides email authentication, which gives the recipient server confidence that an email came from a given address and was not tampered with in transit. When DKIM is set up, the OpenAir email relay adds a DKIM signature to outbound notification email. The receiving email server verifies the signature on the email using the DKIM public key, which it retrieves from your DNS records. If the signature is verified successfully, the email passes the DKIM check, which in turn contributes to the DMARC policy check.

This process uses an RSA public/private key pair generated for a given domain name and unique selector name. The selector identifies the DKIM record, that is, the TXT record you create in your DNS settings to store the DKIM public key.

DKIM keys do not expire, but you may want to rotate the DKIM key for OpenAir notifications from time to time. To do so, follow the steps below to have a new RSA key pair generated with a new selector. You should keep the old DNS TXT record for a few days after implementing the change to give the DNS time to update.

To set up DKIM for OpenAir notifications:

  1. Contact OpenAir Customer Support and ask to have a DKIM signature applied to OpenAir notification email, or to have the existing one changed. Provide the information listed in the following table:

    | Name | Required / Optional | Description |
    | --- | --- | --- |
    | Domain | Required | A fully qualified domain name (FQDN) is the complete address of the internet host or computer. It provides its exact location within the domain name system (DNS) by specifying the hostname, domain name and top-level domain. mail.example.com and example.com are examples of FQDNs with the hostname mail, the domain name example and the top-level domain com. |
    | Selector | Required | The unique name of your DKIM record. The DNS TXT record you create must be named <selector>._domainkey.<domain> where <domain> is the FQDN and <selector> is a unique name for the DKIM signature on this domain. For example, openair._domainkey.example.com can be used to find DKIM public key information for OpenAir notification email sent from an example.com email address. The selector is specified as an attribute of the DKIM signature and is recorded in the DKIM-Signature header field. |
    | Key length | Optional | If you require the DKIM key to be a specific length, specify the key length. |

    OpenAir Customer Support will arrange for an RSA public/private key pair to be generated and will provide you with the DKIM signature you need to add to your DNS record.

    Note:

    You should let OpenAir generate the RSA public/private key pair. However, you can generate the RSA public/private key pair yourself and supply it to OpenAir Customer Support if required. If you prefer to generate and supply the DKIM private key, make sure you take all necessary precautions to keep the DKIM private key secret. Anyone with access to it can stamp tokens and could pretend to be you.

  2. Add the DKIM signature to a TXT record in your DNS settings. Use the selector you provided to make up the name of your record, following the format <selector>._domainkey.<domain>. Use the content supplied by OpenAir Customer Support for the content of the DNS TXT record, which includes the version, type and the public key among other information.

    Example of DNS TXT record:

    • Name: openair._domainkey.example.com

    • Content:

      v=DKIM1; h=sha256; k=rsa; s=email; p=ABCDEFGHIJKLMNOPQRSTWXYZ+abcdefghijklmnopqrstuvwxyz/1234567890+ABCDEFGHIJKLMNOPQRSTWXYZ/abcdefghijklmnopqrstuvwxyz+1234567890/ABCDEFGHIJKLMNOPQRSTWXYZ+abcdefghijklmnopqrstuvwxyz/1234567890+ABCDEFGHIJKLMNOPQRSTWXYZ/abcdefghijklmnopqrstuvwxyz+1234567890/ABCDEFGHIJKLMNOPQRSTWXYZ+abcdefghijklmnopqrstuvwxyz/1234567890+ABCDEFGHIJKLMNOPQRSTWXYZ/abcdefghijklmnopqrstuvwxyz+1234567890/BCDEFGHIJKLMNO

  3. Contact OpenAir Customer Support to confirm the creation of the DNS record.

    OpenAir engineers will confirm after the DKIM signature is enabled for notification email from your OpenAir account.

  4. Test the DKIM setup. OpenAir notification email should include a DKIM signature in the email headers. The authentication results that the receiving server records in the headers should look like the following example:

      smtp.mailfrom=example.com; dkim=pass (signature was verified)
      header.d=example.com;dmarc=pass action=none header.from=example.com;compauth=pass
      reason=100

    Note:

    After DKIM is correctly set up, DKIM authentication fails if the message is changed during transit. If the bounce message includes the header information dkim=fail("body hash did not verify"), the message was modified. This may be the case if you use an email security gateway that is configured to remove email attachments and replace them with a string, for example. Make sure that services in your email delivery infrastructure are not altering messages.
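
One way to script the step 4 check and the failure case in the note, as an added example that is not OpenAir's own code: it parses an authentication-results value like the one shown above and reports whether a DKIM signature for your domain verified. The function names and the two sample strings are assumptions, constructed from the header values on this page.

```python
import re

# Constructed samples, modelled on the header values shown in step 4 and the note.
PASS = ("smtp.mailfrom=example.com; dkim=pass (signature was verified) "
        "header.d=example.com;dmarc=pass action=none header.from=example.com;"
        "compauth=pass reason=100")
FAIL = ('spf=pass smtp.mailfrom=example.com; '
        'dkim=fail("body hash did not verify") header.d=example.com')

def parse_auth_results(value):
    """Return {method: [clause, ...]} for an Authentication-Results value."""
    results = {}
    # Split on ';' except inside a parenthesised comment.
    for segment in re.split(r";(?![^()]*\))", value):
        comment = re.search(r"\(([^)]*)\)", segment)
        tokens = re.sub(r"\([^)]*\)", " ", segment).split()
        pairs = [t.split("=", 1) for t in tokens if "=" in t]
        # A clause starts with method=result; a dotted key is a stray property.
        if not pairs or "." in pairs[0][0]:
            continue
        method, result = pairs[0]
        clause = {k.lower(): v.lower() for k, v in pairs[1:]}
        clause["result"] = result.lower()
        clause["comment"] = comment.group(1).strip('" ') if comment else ""
        results.setdefault(method.lower(), []).append(clause)
    return results

def check_dkim(value, expected_domain):
    """Return (ok, reason): did a signature for expected_domain verify?"""
    want = expected_domain.lower()
    dkim = parse_auth_results(value).get("dkim", [])
    if not dkim:
        return False, "no dkim result: message unsigned or not evaluated"
    # A message may carry several signatures; one passing for our domain is enough.
    if any(c["result"] == "pass" and c.get("header.d") == want for c in dkim):
        return True, f"dkim=pass for {want}"
    first = dkim[0]
    if first["result"] == "pass":
        return False, f"signed by {first.get('header.d', 'unknown')}, expected {want}"
    hint = first["comment"] or "no detail given"
    if "body hash" in hint:
        hint += "; body changed after signing, check gateways that rewrite mail"
    return False, f"dkim={first['result']}: {hint}"

if __name__ == "__main__":
    for sample in (PASS, FAIL):
        print(check_dkim(sample, "example.com"))
```

Checking header.d against the domain you registered with OpenAir Customer Support catches the case where the message passes DKIM only because some other system signed it.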