
Action required for Group managers!: Change to DKIM-Signatures – domain alignment

Lately we have seen a few emails not being delivered to third parties and bounced emails with messages about failing DKIM signatures.

DKIM is a mechanism that allows the receiving party of an email to determine whether the email has indeed been sent by the party that is claimed to be the sender, thus protecting against forged sender email addresses. Kolab Now implemented DKIM signatures a long time ago, but so far we have always used the kolabnow.com domain as the sender domain when sending an email from a custom domain. An example signature header would look like this (please note the 'd=' tag):

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kolabnow.com; h=
content-type:content-type:content-transfer-encoding:message-id
:subject:subject:from:from:date:date:mime-version:received
:received:received; s=dkim20240523; t=1734354313; x=1736168714;
bh=mBUfOmuiUe6nDmAiAsHAHqpD0F+Gd9nJUF5Z5spFd8I=; b=bVuQog18XlAx
+YG8FhYOSvrHhdAyr2PUb/24fINK1zlqDGQS56ULJp87ogvG0NBK7G4dNG94Nhnc
GIOtTwZX5+NDpOFcQ6hldkxU7thO1734fWHA6kL8CXKWZ35IWnyyf7/DAp1rPIhe
wUM9td8SwP+/SOibhOOLPKf4Zz9I3qygVvnzMBMFXb0bTQbpV45ASLk0RsG8Q+jP
RBFlRboeqE5mCEgrg3q0i3ip2bGkhqAGzUTmqi0ckTvXltm+nCFpVSKlRy+lgrXY
PQyaK97xt3pUHX9sdcJFHyIDldU/cSWCcTsrQobk5J0UPj8Dlh2RIma/06K9EEcl
Bx27XRIK4Q==

This used to be fine paired with our DMARC policy recommendation, but recently some parties in the email ecosystem have become more stringent, often ignoring the DMARC policy and rejecting email that is not domain aligned.
Going forward, we are planning to adjust our DKIM-Signature so that it will use your sender domain for alignment. This means that for a user 'doe@kolab.org' the signature would look something like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kolab.org; h=
content-type:content-type:content-transfer-encoding:message-id
:subject:subject:from:from:date:date:mime-version:received
:received:received; s=dkim20240523; t=1734354313; x=1736168714;
bh=mBUfOmuiUe6nDmAiAsHAHqpD0F+Gd9nJUF5Z5spFd8I=; b=bVuQog18XlAx
+YG8FhYOSvrHhdAyr2PUb/24fINK1zlqDGQS56ULJp87ogvG0NBK7G4dNG94Nhnc
GIOtTwZX5+NDpOFcQ6hldkxU7thO1734fWHA6kL8CXKWZ35IWnyyf7/DAp1rPIhe
wUM9td8SwP+/SOibhOOLPKf4Zz9I3qygVvnzMBMFXb0bTQbpV45ASLk0RsG8Q+jP
RBFlRboeqE5mCEgrg3q0i3ip2bGkhqAGzUTmqi0ckTvXltm+nCFpVSKlRy+lgrXY
PQyaK97xt3pUHX9sdcJFHyIDldU/cSWCcTsrQobk5J0UPj8Dlh2RIma/06K9EEcl
Bx27XRIK4Q==

and so ensuring that all outgoing emails from this sender are domain aligned. However, this will require that the DKIM key is available on your domain in DNS. We recommend that group managers (the owners of private domains) set the following CNAMEs (both of them) in the DNS of their private domain:

dkim1 CNAME dkim1.kolabnow.com.
dkim2 CNAME dkim2.kolabnow.com.

This will delegate management of the actual DKIM public key to the kolabnow.com domain, which in turn will align the key with the sending domain as mentioned above.

We will enable domain-aligned signatures at the end of January 2025, at which point DKIM validation will fail if the CNAME records above are not set.
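The alignment test that stricter receivers apply to the two signatures above can be reproduced offline. The following is an added example, not Kolab Now's code: it parses the d= tag of a DKIM-Signature header and compares it with the From: domain in strict and relaxed mode. The function names, the sample From: header and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email.utils import parseaddr

def dkim_tags(value):
    """Parse a DKIM-Signature header value (tag=value pairs separated by ';')."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: bh=/b= may end in '='
        if sep:
            # Folding whitespace inside a tag value carries no meaning, so drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real DMARC evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_header, dkim_value, mode="relaxed"):
    """True if the d= domain aligns with the From: domain. Alignment only:
    the signature itself must still verify for DMARC to pass."""
    addr = parseaddr(from_header)[1]
    d = dkim_tags(dkim_value).get("d", "").lower().rstrip(".")
    if "@" not in addr or not d:
        return False
    from_domain = addr.rpartition("@")[2].lower().rstrip(".")
    if mode == "strict":
        return from_domain == d  # exact match required
    return org_domain(from_domain) == org_domain(d)

# Constructed samples modelled on the two headers above; the h= list is
# shortened and the bh=/b= values are placeholders, not real signatures.
OLD_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=kolabnow.com; h=\n"
           " subject:from:date; s=dkim20240523; bh=PLACEHOLDER=; b=PLACEHOLDER==")
NEW_SIG = OLD_SIG.replace("d=kolabnow.com", "d=kolab.org")
FROM = "Doe <doe@kolab.org>"  # constructed From: header for the user named above

if __name__ == "__main__":
    for label, sig in (("d=kolabnow.com", OLD_SIG), ("d=kolab.org", NEW_SIG)):
        print(label, "aligned with", FROM, "->", dkim_aligned(FROM, sig))
```
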

Please keep an eye on this blog for news and updates. We hope this will improve email deliverability.

PS: Thank you to the users who reported the issue, and delivered content for our investigations. You know who you are.