ACC | Implementing DKIM

in  Adobe Campaign, Marketing Automation
2 minutes read
Adobe Campaign post

Have you ever wondered how to implement DKIM in Adobe Campaign Classic, look no further here is how you can do it. Implementing DKIM for Adobe Campaign Classic, gave many hard times as there is no official documentation you can follow step by step. But nothing is lost, it is easier than you may think.

DKIM – DomainKeys Identified Mail – is digital signature added to email messages, for sender authorization. Receivers often look for DKIM when looking for spam messages.

To implement DKIM we have to create a pair of keys, public and private. Public key will be published using DNS TXT record and private will be used by Adobe Campaign.

First we need our certificates

On linux based machines generate keys is matter of two commands. On windows you can download PuttyGen or similar tool.

Private key

openssl genrsa -out private.pem 2048

Public key

openssl rsa -in private.pem -out public.pem  -pubout -outform PEM

Now that we are equipped with fresh key pair we will need to add the private part on our adobe campaign instance. We let Adobe Campaign know to use DKIM by setting option with exact naming convention:

selector_RSA_PRIVATE_KEY_email.domain.com

Another setting that needs to be configured in order to have fully functional DKIM email verification is to enable to use DKIM for selection of domains. This is set under the

Administration > Campaign management > Non deliverables Management > Mail rules sets -> Domain management 

EDIT: Sender ID is not needed. On the other hand in order to DKIM work as expected you need to also check the DomainKeys option although the documentation says you do not have to as it is predecessor to DKIM.

What happened if domain keys were not checked, adobe campaign (somewhere) added sender header with default error address set in deployment wizard. Which looked not really appealing at least not in outlook email browsers.

DKIM – Management of email domains setting

Also enable TLS option on your Adobe campaign instance that has MTA servers are running. This is set in main server configuration  – serverConfig.xml. Look for smtp option.

<smtp enableTLS="true" idleSessionTimeoutSec="5" initialDelaySec="4" maxSessionsPerChild="1000">

Provide your selector along with the public key to the infrastructure team so they will add it to the DNS TXT record type. Below you can find example set of all TXT records needed for achieving good deliverability

TXT DKIM
Hostname: selector._domainkey
v=DKIM1; k=rsa; p=public_key
_dmarc		IN TXT		"v=DMARC1; p=reject; pct=100;"
 "v=spf1 include:domain.com -all"

Some ESPs also really like PTR records which is basically a pointer from IP address to the domain name

If everything above is set and confirmed by the infrastructure team we need to restart the MTA servers and send our selves a test email.

In the email headers you should be able to see something like:

ARC-Authentication-Results: i=1;
	relay.mimecast.com;
	dkim=pass header.d=example.com header.s=selector1 header.b=xxxxx;
	dmarc=pass (policy=quarantine) header.from=example.com;
	spf=pass (relay.mimecast.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=error@example.com
Received: from example.com

Great tool to check if all is set in DNS correctly is DIG found in google admin toolbox at https://toolbox.googleapps.com/apps/dig/

More relevant information can be also found here https://experienceleaguecommunities.adobe.com/t5/adobe-campaign-classic-questions/how-to-implement-dkim-and-dmarc-record-in-adobe-campaign/m-p/240789

Leave a comment

Your email address will not be published. Required fields are marked *