Using DKIM and SPF
  • 08 Oct 2024
  • 5 Minutes to read
  • Dark
    Light
  • PDF

Using DKIM and SPF

  • Dark
    Light
  • PDF

Article summary

DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are standards that enable OneSpan Sign to send emails on behalf of a customer in a way that can be validated by a recipient's Email Service Provider. Specifically, the provider can perform the following verifications of such email messages:

  • DKIM authenticates the message body and headers against the FROM header domain.

  • SPF authenticates the IP address that originated the SMTP connection.

Any OneSpan Sign account can be configured to use DKIM. However, doing so requires modifications to the account owner’s Domain Name System (DNS) entries. Specifically, the account owner must add a Sender Policy Framework (SPF) record as a “txt” record to their DNS entries.

OneSpan supports both DKIM and SPF authentication. However, DKIM configuration and validation can occur only on certain dates. This activity requires OneSpan Sign's Cloud Operations team to do manual system configuration. To learn the next available dates, please contact your Professional Services Consultant.

Enabling DKIM with OneSpan Sign provides the following features:

  • Ability to make the "FROM" field an email address of your choice: By default, all emails sent from OneSpan Sign use an @onespan.com From email address. Enabling DKIM with OneSpan Sign will ensure that emails are not marked as SPAM when they are sent by a custom domain.

  • Out-of-the-box Email Bounce Back handling: OneSpan Sign's default email bounce- back behaviour will apply.

When sending an email on behalf of your domain, OneSpan Sign configures the email's headers to ensure that the replies on bounce-back are routed to OneSpan Sign, independent of the email's FROM field.

OneSpan Sign sends your emails from a "Mail-From" domain that its mail server owns. By enabling DKIM, your emails will pass SPF authentication.

The rest of this section discusses the following:

Enabling DKIM Signing

DKIM entries enable a message's content to be encrypted to ensure that no one has tampered with it. DKIM entries are provided by OneSpan Sign in the form of a .csv file.

When Domain Verification is used, entries consist of a txt entry and three CNAME entries.

Here are some examples of possible CNAME entries:

Record name

Record type

Record value

b2npb3nxdsbhzcbsab2npbrsknzg7gyl._domainkey.us.mydomain.com

CNAME

b2npb3nxdsbhzcbsab2npbrsknzg7gyl.dkim.amazonses.com

ft6st3nxdsbhzcbsapghm5f7xbpakw4e._domainkey.us.mydomain.com

CNAME

ft6st3nxdsbhzcbsapghm5f7xbpakw4e.dkim.amazonses.com

6yg63nxdsbhzcbsappqtz7jdx32pixgf._domainkey.us.mydomain.com

CNAME

6yg63nxdsbhzcbsappqtz7jdx32pixgf.dkim.amazonses.com

Enabling SPF Authentication

SPF authenticates the IP address that originated the SMTP connection. If an SPF record already exists, the “include:amazonses.com” clause can be added, separated by spaces. For example:

v=spf1 include:mail.yourdomain.com include:amazonses.com ~all

The “-all” option specifies that all sources not in the SPF record should be rejected. Using the “~all” option would validate but not reject other servers.

Record name

Record type

Record value

yourdomain.com

TXT

v=spf1 include:mail.yourdomain.com include:amazonses.com ~all

Enabling DKIM Authentication

If you want to enable DKIM email authentication, you must work with your Sales Representative to purchase the service. In particular:

  1. Once a technical consultant has been assigned to help you, you will be asked to provide a domain to be verified. OneSpan recommends that you provide the domain from which your emails will be sent.

  2. OneSpan Sign will provide you with the DKIM entries that you will use to update your DNS entries.

  3. Add these DKIM entries in the verified domain’s DNS from which you want to send emails. DKIM won't work unless the DNS entries are updated.

    If you don't update your DNS entries within 72 hours, you will need to restart this process.

  4. Once you have added your DKIM entries to your DNS, OneSpan will send you confirmation that the configuration has been completed.

  5. Log into your OneSpan Sign account to create and send a test transaction. Verify that the FROM email address in the invitation email is the one provided in Step 1.

    When sending an email on behalf of your domain, OneSpan Sign configures the email's headers to ensure that the replies on bounce-back are routed to OneSpan Sign, independent of the email's FROM field.

    OneSpan Sign sends your emails from a "Mail-From" domain that its mail server owns. By enabling DKIM, your emails will pass SPF authentication.

Validating DKIM

To verify that customers have correctly entered the CNAME records in their DNS, the following validation command can be run (using dig):

 dig abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname

If the command has run successfully, you should get something like the following feedback — ANSWER: 1. If you get ANSWER: 0, the configuration is incorrect or has not propagated yet.

; <<>> DiG 1.22.5-P3-RedHat-1.23.6-2.P3.fc24 <<>> abcdid312345gqbihlw2pjuhfgdd._domainkey.yourdomain.com cname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

A useful reference is:

Determining Amazon SES IP Addresses

The following blog describes how to determine the outgoing IP addresses used by Amazon SES:

DKIM Bounce Email Header Sample

Received: from BY1PR0701MB1381.namprd07.prod.outlook.com (10.160.109.149) by
 DM2PR0701MB1389.namprd07.prod.outlook.com (10.161.251.153) with Microsoft
 SMTP Server (TLS) id 15.1.409.15 via Mailbox Transport; Wed, 17 Feb 2016
 19:40:38 +0000
Received: from DM2PR07CA0028.namprd07.prod.outlook.com (10.141.52.156) by
 BY1PR0701MB1381.namprd07.prod.outlook.com (10.160.109.149) with Microsoft
 SMTP Server (TLS) id 15.1.409.15; Wed, 17 Feb 2016 19:40:37 +0000
Received: from BY2FFO11OLC011.protection.gbl (2a01:111:f400:7c0c::143) by
 DM2PR07CA0028.outlook.office365.com (2a01:111:e400:2414::28) with Microsoft
 SMTP Server (TLS) id 15.1.409.15 via Frontend Transport; Wed, 17 Feb 2016
 19:40:36 +0000
Authentication-Results: spf=pass (sender IP is 54.240.8.19)
 smtp.mailfrom=amazonses.com; silanis.com; dkim=pass (signature was verified)
 header.d=mydomain.com;silanis.com; dmarc=pass action=none
 header.from=mydomain.com;
Received-SPF: Pass (protection.outlook.com: domain of amazonses.com designates
 54.240.8.19 as permitted sender) receiver=protection.outlook.com;
 client-ip=54.240.8.19; helo=a8-19.smtp-out.amazonses.com;
Received: from a8-19.smtp-out.amazonses.com (54.240.8.19) by
 BY2FFO11OLC011.mail.protection.outlook.com (10.1.15.22) with Microsoft SMTP
 Server (TLS) id 15.1.415.6 via Frontend Transport; Wed, 17 Feb 2016 19:40:35
 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; (3)
    s=y6oinrvtzki6qrnrbysmfhmohrt5jed5; d=mydomain.com; t=1455738033;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=tUqNZJ345kHNrop1Hd1cRWkwwGoS8Zgm4DEr/TqLJb8=;
    b=GiME5e7JxB97jYMMQFrxK6BDQSmghJ6NIFwxSV8wlXkhoP2eAz8+N3fM5q/iWtTI
    3VUuPa7PRAkcVvtG8TcLHYagY+0i5xPoc0LPGNsKjY38/PZyyQgNjPN+RRGu4L38mfz
    ouk1YL3g8xJQmeLUUVqZzJykdgQAul4p5w2Wx9D4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; (4)
    s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1455738033;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID;
    bh=tUqNZJ345kHNrop1Hd1cRWkwwGoS8Zgm4DEr/TqLJb8=;
    b=D6d+iaPdZtPeOAPRnYmmFE0UAWfTkiZ+4H8us4NY+Kst5IAToRhkQL7DPv/YBK/4
    RP60r2ydUBRYBKwySfuTs5AUeNim+fjrsgNbf1Q85yurM4/oJaRFmUEc+XuFLALXlxZ
    gwZY1IcaAZ9U9NZ6RIt7HC5xRhUiFxf7RHinb2xs=
Date: Wed, 17 Feb 2016 19:40:33 +0000
From: mydomain Treasury & Payment Solutions <tps.esign@mydomain.com>To: imane chbani <imane_chbani@silanis.com>Message-ID: <00000152f0bf94e6-fdef09cc-288b-4214-8dbf-9559687b87d8-000000@email.amazonses.com>Subject: mydomain Treasury & Payment Solutions e-Sign - Unable to Reach
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_5930_136818267.1455738033292"
x-esl-recipient-id: Ib3aYD0pBuIY (1)
x-esl-package-id: e00653d4-bcef-4c77-ab73-6bdffacc4186 (2)
X-SES-Outgoing: 2016.02.17-54.240.8.19
Feedback-ID: 1.us-east-1.3NlfApUjweW/0cWJs3jOEOY1DYp+Nc6SU3jUh8AxWj0=:AmazonSES
**Return-Path: 00000152f0bf94e6-fdef09cc-288b-4214-8dbf-9559687b87d8-000000@amazonses.com**
X-MS-Exchange-Organization-Network-Message-Id: 0d001963-4797-48b5-fc73-08d337d234cb
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:54.240.8.19;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(31610200002)(31580200002)(2980300002)(438002)(286005)(65504003)(199003)(189002)(110136002)(19580405001)(25786007)(19580395003)(5008740100001)(10130500003)(90596001)(106466001)(6806005)(110476001)(229853001)(84326002)(64544003)(4001070100004)(104766002)(5001970100001)(107886002)(15650500001)(10300500001)(10770500004)(2476003)(620700001)(4290100001)(92566002)(956001)(10290500002)(4610100001)(54356999)(33646002)(15975445007)(5000100001)(18206015028)(77096005)(4001450100002)(450100001)(1580400003)(50986999)(586003)(270700001)(94776002)(42882005)(95006001);DIR:INB;SFP:;SCL:1;SRVR:BY1PR0701MB1381;H:a8-19.smtp-out.amazonses.com;FPR:;SPF:Pass;MLV:sfv;A:1;MX:1;LANG:en;
X-DkimResult-Test: Passed
X-Microsoft-Antispam: UriScan:;BCL:5;PCL:0;RULEID:(8251501001)(3001015)(3010001)(71701003)(71702001);SRVR:BY1PR0701MB1381;
X-MS-Office365-Filtering-Correlation-Id: 0d001963-4797-48b5-fc73-08d337d234cb
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:5;PCL:0;RULEID:(601004)(2401047)(13018025)(13023025)(13024025)(8121501046)(13016025)(10201501046)(3002001);SRVR:BY1PR0701MB1381;BCL:5;PCL:0;RULEID:;SRVR:BY1PR0701MB1381;
X-MS-Exchange-Organization-SCL: 1
SpamDiagnosticOutput: 1:5
SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
SpamDiagnosticMetadata: 5
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Feb 2016 19:40:35.5163
 (UTC)
X-MS-Exchange-CrossTenant-Id: 1ad27fb0-57cc-4272-a834-fe2500e4c569
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0701MB1381
X-MS-Exchange-Organization-AuthSource: BY2FFO11OLC011.protection.gbl
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.1376165
X-Microsoft-Exchange-Diagnostics:
    1;BY2FFO11OLC011;1:JNUR5hnFjemX+1dBC1rRZOnnWpWy4fC6RFsq6ezBXiheMk3adVUFPP6KJ1EAJUWR+x2PC6ikFhW3v2tH3ycG4QYZUBEccjA/B+/UKgW6IGpbzXtKW7KP+tocl8FNueGAaIwXl0NCCSU2CUpJno8czg520dO/EjaiCrRCu6bZnC7sMFuh0vpOn1gSAUrJCSJui+TnL0QRamOJFeiRBT6N1vrAtUUnnpBiexw3PIVGFAkgWbsTkU9McA2no6WIcX7FtPLxePuy0ntqhMEDLydzrM9NEy3wuxHD9uYIPzla4VcAxH7YMEKEy7BBlFHwRBQKPyJ1MpB/6e4oe/AE/NxdhXw1pg0zAlr8tsbn3voFNFCo/GQ27LN1lKoVDgmjKgT2/pHr4LXssBvHLObQcTa4xCKO26phA6DYrrQ7YRrXs/d5slp5XhJwhXt4ZluKow+g
X-Microsoft-Exchange-Diagnostics:
    1;BY1PR0701MB1381;2:e3OVX/29wymZMl44fwXkD8ckYWtsrdFPgnFktxm5zJmS8MAQdWmzRJUuevZjsL+z7gDYAKPXBLoOYfM77DBm/5OXFPot373N5XAOBlHMGqks3Iqlt92TVmo1rjm3PKlRu2aOPC8QwTJxabj5cExBLA==;3:RTUvhiLoXX+tUbL4GDhFBZYpl4syhKB/pjeb/crKyG4QxKTF3pmsf7oLM8szqOH5yR4MR4fo7rDrqoKmBCjKRpMKkNXUfqoSK+wAwBb371SGbd2MJcmPiQWSANl8YqlRfvycBs4rEtEW+V5A6NjM2Pm46UaX31kem+aMghndNGugQI2j2zC5YzxSp67NyWznYH0fxJpnPf8P1qdVNlgvoC2Gn2jOm2WsL+jZTRfPWXM6TW75/CI1FI5Cy25MxxnrFpODFNPc7IYiryEnawDhSiLPlh3NuJbbplIHQnyUychUTzRzw86AGJt/Zqg7OLhtbngZ0EV6L2sD+jY+YlDV2Q==;25:zcP5QMiZbUJLUd/fBeQMv3RLyGOKsg00O2FCqwhZRyN+rLhVlIFrrmqmYsbXn1RiFWvEmb7hXzGhobV6XkvnC0/RgHOuVKTY9AK+SWiUEF1Pbpd60qqZWvk6FbLppemXatAsoAPYCj2A/GfQ4sOtgdDZ3ascd9sQ1HTl9QjhTRIbUNuw0as/YPbYPtkGEGl+Qosq6zUOIFQgK4W9KnOcqiLPFZrQjTg+Z58MwL92CfShVqQ4GZw1qXXGGxJuOJRTsXbIf7FRU+476GzP/NvVxRqlUOaYCQT//9bwhJxukWyxE96JhjjqtjujxNb93rd3
X-Microsoft-Exchange-Diagnostics:
    1;BY1PR0701MB1381;20:5CaLWq4djB/DstM5wR82wuWU2aAlVcRk6ha605dOqBPo7VrRxvpSzUImcY2p7oTXntVRqap/XaQBDRBISBxx4HVwBEGQnzquxrTlrbsLk2XfCdKVpdyta9F94SvAKh/cR470rRhTckZZUpllelrsxwbdceJBfhW/cY/o5rNEnndlr3vpeu2iqLznMYwl1WO09/v7p25lH0Ba21S05c5t/SzR+j6b8WaFEgMzxTdOMyUGo7NPc1I9hgySt60mekhG5Dm4eHac1PcZfA6+5+Lfws8X6vl25TNDHB/8AFsR1yfaT49Zll58Jlb915jatJXam1VWkE0NiO6TIxFVru8rK5Npc/agJ4LAO/ugVmwfWOGvr66NQrQfOlfgStDkAJEbIsobjoDYA0uLjjhYVFJCdtVa5eRUwDoy/jL/bdaJdtbkV9yxZjGGx6npxv5+Hh7x92QMBYLUKUPdCt85aj5DgZtb4GkiNxM/+ONbMJmpizmHJktdAxEN/Kmq8xaq5eS9;4:oSrb3yi2f32t62K/k0BM7AOPmy1N1zkOZ0oGrXAHpV1oPaoTJmZs/3waTy61jB0r+soptNjFLUkcORP1UQlsqFws/nzNPThJU56furk76gz0WXRloGC3+gkyhbuoKL6oSj0FuuKVQOL+kKA2dTM3f1GM7Pz4LNJpWxvrc8MwgMCsBOPEPcNqva6IsvpaEvr4ESed7wI+fdRW/yoMvLEKMzeJmlXD/D+3sxepsafyPZH9kvWOIPyVp1GT8gaDQlT39sWhHXnuHE1Ek/+WiJzJsjmH0+lcLcbXUlC7qp2GHapZhfmgKDxl2c//df8itVoOKI3UxFWTz08+l4E2JwmhZP3SMZP17Kdb6QMePHlkLMSPWU0ART3vil//XCE8j5eBJwJ6xWfooVM93MsS56sYsBzTG82wR/pwXvKocH2gXeY=
X-Microsoft-Exchange-Diagnostics:
    =?us-ascii?Q?1;BY1PR0701MB1381;23:ZZG92vUNulj2A5yV524jpAmGdhmVXhS1MvVRmcd?=
 =?us-ascii?Q?EyyKzTS+sEjII6UrKmo2TgkLxqCYANxFxhcxxaAzh3yBkkt64jrT34F1Clzj?=
 =?us-ascii?Q?RKCkuZF35MrzLFMnH0WRo02C/bxIDcpNDSKIcVEantLF3Fd9sdf0Z1vdtueH?=
 =?us-ascii?Q?T+yhP3lg89KjwP+JD79S/UsRCgO0cAVdNkmnZ/P6fuudqmWM8GRZo9tDE4GE?=
 =?us-ascii?Q?N6/QuWJIOQZJBn2NNc+W24j6L6cK6zfPgzScH2LOre1Zt4fRsKGvtpmnwRK+?=
 =?us-ascii?Q?YPJzF1M4hQQRdILJrDSi0uTr14qia72sQrHRpNoFFsTt2N/0/dTgIOAmYnHC?=
 =?us-ascii?Q?RE4PWbr2pUcKBIlWT3mn2vNk3dj8PSViMM/K5mlcJCSUh695jku9kff6XdEY?=
 =?us-ascii?Q?/VBYbjFq2wQ6OtWt3yu7E5Y1VYJJURGsLP/jeRViLNxxytkCVIMc1/UwULxx?=
 =?us-ascii?Q?5KPAICnNjPwcOjyavPNhM8BkALqdVWkDKm0M/TmeWKR+S7fA6UeY2V9KMFP0?=
 =?us-ascii?Q?/D19/vN03J9Oa+vcW/u1KiBjQ2BFCM8oq3a7r0JCJC9jJ45veCgy0B2Ucdbp?=
 =?us-ascii?Q?f9M1UfZxZQjseCPaXBpIkYNTpyLkbFo+DE6y2Wkuy26jWS3yE8qWJLA3DpyI?=
 =?us-ascii?Q?2g8oIffOJTV5XgxcRwawt9FGoVBqfCnJILUMJUGxbvbR1vHVdLACrRVVaDSv?=
 =?us-ascii?Q?J8nV8mU3xNfYt655w68Xjy3SMfiUqCuL4R9sZIm+S5xy51PfAIubmoHyOdat?=
 =?us-ascii?Q?pA1ZYDw2EkkZ147/5dKJXqVoG6FoOfSYMBJO1a7gXykYXh67Zm8unyA9x0wz?=
 =?us-ascii?Q?JNbLqjdI3nvqYxyr98p9HdAvaZvjLAs816lWJVeMdEkbmXDz+ybeTuOUmjyE?=
 =?us-ascii?Q?5UoSEJ9K6zJ9aHKlcZ+9hLJCspL6Up1kBBNu8aCrc9RWEn/xq7l5sDXVNVso?=
 =?us-ascii?Q?HJaA4vJWaj66HtIkznhw5F9ecD0nM++m857KlvRN9Z/mV9iqGj86th58x8LV?=
 =?us-ascii?Q?PXfPxa0vdx0ZaMgN/0Yw4tFHiBiBy6CrgdX14YCPmXQUDPYeEeYTxSahJhhm?=
 =?us-ascii?Q?yziSixwvo7woGZBkf1g12dIohmbzCc38hVMh1+s4KStdPbOxvj9xbbRYkRQi?=
 =?us-ascii?Q?sQ1MFJM6EUseLllQjffrI78rJwk7uVVWY6OpPM6K/RdcAkHyC86JlOMWNII+?=
 =?us-ascii?Q?TXL3Vn23V+u+fr9MGj2lgbSbPOK95xCz+10B8rwLUI7B5gypEpBV9ZQxfTmE?=
 =?us-ascii?Q?bwYGv5EuI5EjxLwrKCyncMUL43eyVBlcOMPoQAJFYk9vGVLosUs4y8Q4gBjk?=
 =?us-ascii?Q?O4HgClP7WelxYHH9Ts8mkpNmgCPCpP7eBpp2xixeCOamV?=
X-Microsoft-Exchange-Diagnostics:
    1;BY1PR0701MB1381;5:n8YeGbQZAj1JzZiFDWPnoTQhyAAzEz80Ljtj/wnjS1KhjDNfCaCX5M/jZ1ge98sBo/vjRxJI0tvV8xINXEtFjz1X8FbhUnOfK5mJ6uuYNJ5NVYEhGc15D3UVgw8fwK9JuaIh99Unb0PGhFJ6HcqFfw==;24:p4vbuJDhznnyDBtgFvL6Z+pARmadhLXR5uCaix7D1zISpKM37vcXItGSQWEzEsfwkyNJNo3t17ubDQX3Z1g9pd9b+zm8L5b0MKq0AZIpVpU=
X-Microsoft-Exchange-Diagnostics:
    1;DM2PR0701MB1389;9:pYLxi3VNGLKW64VQ9rw3vRZtI93sfp9bOnRDsdeXhzD9HfxUR+AyknaoM1NwM6/xBBXKR8rQHkpKDdWwUKL2vzNZ9flvT9vA+dT3AiO/lJ7BYve/5HE4x6a0GiA4fpTCS56bR+sQpJQjqRVQE1xMkw==


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, our interactive help assistant