You are viewing the documentation for Blueriq 14.

Enabling DomainKeys Identified Mail

AQ_MailService supports DKIM (DomainKeys Identified Mail) to protect against email spoofing. It can be enabled or disabled per sender domain, but not per individual email address.

To enable this feature, a key pair has to be present:

  1. A private key placed on the server running the Runtime, used to sign the email message;
  2. A public key published in DNS where the recipient can resolve it (at ISP level, on the sender's public-facing DNS server, or on a recipient's private DNS server).

Runtime Configuration

In application.properties, add the following settings for each domain where DKIM should be activated:

# Alias for the something.com domain; the keys below use the alias
blueriq.mail.domain_alias=something.com
# default: false
blueriq.mail.domain_alias.dkim.enabled=true
# default: empty
blueriq.mail.domain_alias.dkim.selector=dkim
# required when dkim is enabled: error if not set or not a readable pem file
blueriq.mail.domain_alias.dkim.privateKeyFile=<path to pem file>

Details:

  1. The first setting aliases a domain name to a short name. In the example, the something.com domain is subsequently referred to as domain_alias.
  2. DKIM can be enabled and disabled per domain by setting blueriq.mail.<domain alias>.dkim.enabled = [true|false].
  3. The selector option specifies the DNS selector. The queried TXT record must be published at <selector>._domainkey.<domain> (see Wikipedia for details).
  4. The private key file is used to sign the email message. It must be a readable pem file. Restrict access to this file: anyone who can read it can sign mail as the domain.

No special configuration at the service definition level is required.

Testing DKIM

Assuming the email messages themselves are sent correctly, there are two ways to check that DKIM actually works. Both methods assume the sender domain has properly published the DNS TXT record (on the public corporate DNS server or the ISP DNS server):

  1. Send an email to a Gmail or Yahoo Mail account. The email should appear as secured when using the procedure described at http://www.appmaildev.com/en/dkim/.
  2. Use an online DKIM validator (just google "test dkim").

If the public key is not available publicly (so in the recipient's private DNS only), first check that the public key is resolvable from the receiving server. A query such as dig TXT <selector>._domainkey.<domain> should return the public key record if the DNS is correctly configured.
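The key material from the two-item list at the top of this page and the dig check just described can be exercised offline with the following Python. This is an added example and not part of the Blueriq documentation or product: the function names, the toy 2048-bit "modulus" (an odd number, not a real RSA key) and the simulated dig output are constructions for the demo; only the record shape (v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo> published at <selector>._domainkey.<domain>) is the standard one from RFC 6376.

```python
"""Build the DKIM DNS TXT value from a PEM public key and check what dig
returns. Added example, not Blueriq code; names and the toy key are
constructed for the demo."""
import base64
import re

# Minimal DER encoding, only what is needed to construct a
# SubjectPublicKeyInfo for the toy key (real keys come from openssl/KMS).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

def spki_to_pem(der):
    """PEM text as 'openssl pkey -pubout' would print it."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# Constructed toy key: NOT a real RSA modulus, just a 2048-bit odd number
# so the resulting record is long enough to be split by dig.
TOY_N = (1 << 2047) | 0x10001
TOY_E = 65537
TOY_PEM = spki_to_pem(rsa_spki_der(TOY_N, TOY_E))

def dns_name(selector, domain):
    """Name at which the TXT record must be published."""
    return f"{selector}._domainkey.{domain}"

def pem_to_dkim_txt(pem):
    """Strip PEM armour and wrap the base64 in the DKIM record tags."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return f"v=DKIM1; k=rsa; p={body}"

def dig_style(txt, chunk=255):
    """Simulate how dig prints a long TXT value: 255-octet quoted chunks."""
    return " ".join('"' + txt[i:i + chunk] + '"' for i in range(0, len(txt), chunk))

def parse_dkim_txt(record):
    """Parse a TXT value as dig prints it; quoted chunks are joined first."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', record)
    text = "".join(chunks) if chunks else record
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def _der_outer_len_ok(der):
    """True if der is one DER SEQUENCE whose length matches the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return start + length == len(der)

def check_dkim_record(record, expected_pem=None):
    """Return a list of problems with a published record (empty means ok)."""
    problems = []
    tags = parse_dkim_txt(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k tag is not rsa")
    p = re.sub(r"\s+", "", tags.get("p", ""))   # folding whitespace is allowed
    if not p:
        problems.append("p tag missing or empty (empty p means the key is revoked)")
        return problems
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        problems.append("p tag is not valid base64")
        return problems
    if not _der_outer_len_ok(der) or RSA_OID not in der:
        problems.append("p tag does not decode to an RSA SubjectPublicKeyInfo")
    if expected_pem is not None and p != pem_to_dkim_txt(expected_pem).split("p=", 1)[1]:
        problems.append("published key differs from the local public key")
    return problems
```

In practice, feed pem_to_dkim_txt the public key exported from the real private key file and check_dkim_record the value the dig command above returns for dns_name(selector, domain); an empty p tag is how a selector is revoked, so treat it as a finding rather than a typo.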

For local testing, Blueriq uses a BIND + postfix + opendkim Linux setup.