Have you ever wondered how to implement DKIM in Adobe Campaign Classic, look no further here is how you can do it. Implementing DKIM for Adobe Campaign Classic, gave many hard times as there is no official documentation you can follow step by step. But nothing is lost, it is easier than you may think.
DKIM – DomainKeys Identified Mail – is digital signature added to email messages, for sender authorization. Receivers often look for DKIM when looking for spam messages.
To implement DKIM we have to create a pair of keys, public and private. Public key will be published using DNS TXT record and private will be used by Adobe Campaign.
First we need our certificates
On linux based machines generate keys is matter of two commands. On windows you can download PuttyGen or similar tool.
Private key
openssl genrsa -out private.pem 2048
Public key
openssl rsa -in private.pem -out public.pem -pubout -outform PEM
Now that we are equipped with fresh key pair we will need to add the private part on our adobe campaign instance. We let Adobe Campaign know to use DKIM by setting option with exact naming convention:
selector_RSA_PRIVATE_KEY_email.domain.com
Another setting that needs to be configured in order to have fully functional DKIM email verification is to enable to use DKIM for selection of domains. This is set under the
Administration > Campaign management > Non deliverables Management > Mail rules sets -> Domain management
EDIT: Sender ID is not needed. On the other hand in order to DKIM work as expected you need to also check the DomainKeys option although the documentation says you do not have to as it is predecessor to DKIM.
What happened if domain keys were not checked, adobe campaign (somewhere) added sender header with default error address set in deployment wizard. Which looked not really appealing at least not in outlook email browsers.
Also enable TLS option on your Adobe campaign instance that has MTA servers are running. This is set in main server configuration – serverConfig.xml. Look for smtp option.
<smtp enableTLS="true" idleSessionTimeoutSec="5" initialDelaySec="4" maxSessionsPerChild="1000">
Provide your selector along with the public key to the infrastructure team so they will add it to the DNS TXT record type. Below you can find example set of all TXT records needed for achieving good deliverability
TXT DKIM Hostname: selector._domainkey v=DKIM1; k=rsa; p=public_key
_dmarc IN TXT "v=DMARC1; p=reject; pct=100;"
"v=spf1 include:domain.com -all"
Some ESPs also really like PTR records which is basically a pointer from IP address to the domain name
If everything above is set and confirmed by the infrastructure team we need to restart the MTA servers and send our selves a test email.
In the email headers you should be able to see something like:
ARC-Authentication-Results: i=1; relay.mimecast.com; dkim=pass header.d=example.com header.s=selector1 header.b=xxxxx; dmarc=pass (policy=quarantine) header.from=example.com; spf=pass (relay.mimecast.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=error@example.com Received: from example.com
Great tool to check if all is set in DNS correctly is DIG found in google admin toolbox at https://toolbox.googleapps.com/apps/dig/
More relevant information can be also found here https://experienceleaguecommunities.adobe.com/t5/adobe-campaign-classic-questions/how-to-implement-dkim-and-dmarc-record-in-adobe-campaign/m-p/240789
Hello Marcel,
Do you know if same steps would work for ACS?
Thank you!
Hello Adams,
Thank you very much for you comment.
Youu need to contact support to change/add MX records. Take a look at the official documentation below
https://experienceleague.adobe.com/docs/campaign-standard/using/administrating/configuring-channels/configuring-email-channel.html?lang=en
Marcel