DKIM for Outbound Email

[Guest David Calder]

Hi,

We're in the middle of a 30 day switch on, configuring direct outbound routing for email.

Our Information Security have asked if Hornbill supports DKIM: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

If not, is this something that is being considered for the future?

Many thanks,

David

[Gerry]

HI David,

Its not something we currently support but I would very much like to add support for it at some point in the future.  This is not likely to be in the next 90 days but its on the list of things to be looked at. 

Gerry

[jcorfield]

We are seeing a large increase in the number of our customers (mostly Council's) who are insisting on support for DKIM on outbound emails.  It is a feature we would find very beneficial. 

[Gerry]

@jcorfield @David Calder

We had a look at this today and have planned some development work to happen in the next 90 days for e-mail related stuff including.. (in this priority order)

* DKIM support for outbound DNS routed mail delivery
* A code change for dealing with CRLF normalisations and use of CHUNKED data transmission
* Direct inbound SMTP mail delivery to Hornbill

You will see these additions in release notes as we roll out over the next 90 days. 

Gerry

[Martyn Houghton]

@Gerry

That will be great, as you know we have been having issues with the CRLF issue and are also seeing the requirement for DKIM given our public sector customer base as well.

Cheers

Martyn

[Gerry]

@Martyn Houghton

Yes we have been looking into the CRLF issue so while we have cause to look at email related code we figured we would do the things we have in our backlog related to email. 

Cheers

Gerry

[Stephen Hutchinson]

Good afternoon Gerry

Over the past few weeks we have received bounce back emails from 0365 which relate to a Bare Line Feed issue. Victor has posted the following on topic "Bare line feeds (Email Issue)" the following:

Posted Wednesday at 04:18 PM · Report post

Just a quick update on this issue. Our investigation so far reveals the issue to be isolated to emails which are using templates (specifically the CK Editor we are using when designing email templates). All other outbound emails (such as email sent from our mail interface and email sent using default and not edited templates) are not affected. This is not caused by any change we have done recently in Hornbill.

For Office 365 users it occurs because until recently, Office 365 automatically removed bare line feed characters from mail to help it get delivered to recipients using email servers that don’t support chunking and the BDAT command (such as Hornbill).To comply with RFC 2822, Office 365 no longer removes bare line feeds from messages. As a result, messages sent to users from Hornbill may be more likely to be rejected.
(https://support.office.com/en-us/article/Fix-email-delivery-issues-for-error-code-5-6-11-in-Office-365-81dafee7-26af-4d79-b174-8f78980dfafb?ui=en-US&rs=en-US&ad=US)

For other mail services users (e.g. MS Exchange) the issue could occur due to SMTP connector changes whereby the connector is now configured to reject bare line feeds.

Currently we working to get Hornbill mail in line with RFC 2822 requirements (https://forums.hornbill.com/topic/10012-dkim-for-outbound-email/).

 

For the time being we suggest the following possible workarounds:

create an inbound transport rule on your mail server to append a disclaimer to the messages from Hornbill. The disclaimer will append the expected CR-LF combination to the message so that it can be delivered. This disclaimer may consist of a single character such as a period or a dash (https://support.microsoft.com/en-us/help/2998901/-smtpsent.barelinefeedsareillegal-ndr-received-by-exchange-online-or-eop-users-in-office-365-dedicated-itar).
avoid the use of email templates which have been edited in the email template editor - CK Editor - (out of the box templates which have not been edited should not have this issue). 

 

We currently use templates to notify our customers regarding updates, 3 strike rules & general correspondence, which was set up by the Consultants team. Because Hornbill are not yet inline with the RFC 2822 requirements our customers can not receive our emails. Am I right in saying that the templates out of the box (untouched) shouldn't be affected? If so can our templates be reset back to the default and re-created?

 

FW- Undeliverable- IN00009208 - *Headoffice - Bell Lane- ITIM Service Desk Incident ENT9865 has been logged for Head Office - has been logged..eml

[Gerry]

@Stephen Hutchinson

Thanks for the information, I was aware of this issue and today we added a fix for this. Basically its possible to introduce UNIX style line feeds from our front end web components by copy/paste or template editing etc.  To combat this we have added server-side code to "normalize" email content before we construct the RFC2822 message envelope, this solves the problem.  Microsoft with Office365 are absolutely correct in making this change, our own inbound SMTP handler also has the same lenient approach to handling Bare Linefeeds which we are also going to lock down.  

Anyway, the upshot is that fix will be going  through testing and beta over the next 2-3 days, and subject to there being no issues this fix will be pushed live early next week. 

Gerry

[HHH]

@Gerry
Is DKIM support in place and if so how do we configure it

[Gerry]

@HHH

I need to check, but I am pretty sure DKIM is not yet implemented for outbound mail, I cannot really remember why that is now, I will need to look back that the history. It made it into our 90-day backlog looking at my comments above but did not make it into the platform as best I can tell. So, no, not at this time I am afraid. 

Gerry

[clampj]

Hi @Gerry

Any update on this?  Is this something that you will be implementing?  We are currently working on implementing DMARC and unable to use SPF.

Thanks

J

[Paul Morrow]

Same, would be useful.

[Gerry]

Hi All,

Just to close this out, we have now added DKIM support as discussed above.  For each domain you have configured on your instance, you can create an RSA public/private key, which can either be 1024 or 2048 bit key size. Once created and added to your domain in the DNS system, you can verify your public DNS settings. Once verified, then Hornbill will digitally sign your outgoing emails using DKIM.  Setting it up is simple, see the screen below. 

This will be available in the next platform and admin tool updates, probably by the end of this week. 

Gerry

[Osman]

Afternoon All,

I appreciate that this is an old post, but thought it a good place as any to place a follow up query. As show in the screenshot from @Gerry above, we have enabled DKIM and added the appropriate TXT record to our domain DNS. However, everytime the Verify DKIM button is pressed to verify the record, we receive the same as above:

No matching DKIM TXT entry found

I suspect that I know why. We have added a TXT record with a custom selector, not the one that is default(DKIM). This is because it would not be practical to have the selector be so ambiguous, as we will have multiple DKIM entries for other 3rd Party providers. My question therefore is, how to we change the DKIM Selector value in the admin portal as it does not seem to be editable? I have checked through the settings that it I could find, but nothing?

Thanks

Osman

[Gerry]

@Osman

It seems that you can set the DKIM selector at the point you create the domain and enable DKIM, but once its set, you cannot edit it.  I am not sure that logic is correct, I expect what was intended was, once you verify the DKIM status it should then prevent you from editing the DKIM selector.  I will ask someone to have a look and verify this to confirm
Gerry