Reflexion KBA's: RTC
Reflexion and you: DKIM
Posted by Max McElroy on 23 October 2019 01:26 PM
This article applies to any Enterprises that are sending mail outbound through our Smarthost.
This article will: Briefly define DKIM and describe how it interacts with Reflexion
This article will NOT: describe how to configure DKIM
DomainKeys Identified Mail (DKIM) is a method to ensure that mail is A) coming from where it is supposed to, and B) not manipulated or altered while in transport. This is achieved by adding a TXT record with a "public key" to the domain registry, adding a "private key" to the mail service, and encoding a hashed copy of the keys to all mail sent by the mail service. If the message is altered in transit, the hash of the keys is changed, and if the recipient server is enforcing DKIM checks, the message will be handled according to the recipient's checks. This can be used to prevent "man-in-the-middle" and hijacking-style attacks from being delivered through email. When used in conjunction with SPF or DMARC, DKIM can further help prevent spoofed or false messages from being delivered.
However, Reflexion does not currently provide its own DKIM signing for outbound messages. In addition, because of how DKIM is designed to work, we cannot recommend using the Control Panel Footer if you both use DKIM and send outbound mail through our smarthost.
As previously described, altering a message while in transit will change the key-hash for a DKIM-protected message. When Reflexion adds the Control Panel Footer to an inbound message, this breaks the hash for that message. Furthermore, when a message is sent back outbound through our smarthost, we will strip the footer out of the message if we detect it, which would also cause the outbound message to fail a DKIM check. Our official statement for our own clients is that we do not support the use of DKIM for this reason.
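The two failure cases above, shown on the DKIM body hash (the `bh=` value a verifier recomputes over the canonicalized body, per RFC 6376). This is an added example, not Reflexion code: the function names are hypothetical, and the message bodies and footer text are constructed.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse whitespace runs and strip line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def body_hash_survives(signed: bytes, received: bytes, canon=canon_relaxed) -> bool:
    """True if the verifier's recomputed hash matches what the signer hashed."""
    return body_hash(signed, canon) == body_hash(received, canon)

# Constructed sample data (not real Reflexion footer text).
FOOTER = b"\r\n--\r\nManage this sender in your Control Panel (constructed text)\r\n"
SIGNED = b"Hi team,\r\n\r\nThe Q3 report is attached.\r\n"
# Harmless whitespace changes that relaxed canonicalization is meant to absorb.
WHITESPACE_DRIFT = b"Hi  team, \r\n\r\nThe Q3\treport is attached.\r\n\r\n\r\n"
# Case 1: footer appended to a signed inbound message.
INBOUND_WITH_FOOTER = SIGNED + FOOTER
# Case 2: a reply signed with the footer still in it, then stripped at the smarthost.
SIGNED_REPLY = b"Thanks, received.\r\n" + FOOTER
REPLY_FOOTER_STRIPPED = SIGNED_REPLY.replace(FOOTER, b"")

if __name__ == "__main__":
    cases = {
        "whitespace drift": (SIGNED, WHITESPACE_DRIFT),
        "footer appended": (SIGNED, INBOUND_WITH_FOOTER),
        "footer stripped": (SIGNED_REPLY, REPLY_FOOTER_STRIPPED),
    }
    for name, (signed, received) in cases.items():
        for canon in (canon_simple, canon_relaxed):
            ok = body_hash_survives(signed, received, canon)
            print(f"{name:17} {canon.__name__:13} {'pass' if ok else 'FAIL'}")
```

Canonicalization only forgives whitespace and trailing blank lines; adding or removing footer text changes the hash under both modes.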
If your domain is utilizing DKIM to secure your messages, you can disable the Control Panel Footer for inbound messages. This will allow you to send outbound through Reflexion without the key-hash being disturbed. Alternatively, you can remove the Reflexion smarthost from your environment, but if the Control Panel Footer is active, external recipients will be able to see it.
Currently, we do not have any plans to initiate DKIM support. If this changes, we will notify our partners and clients, and provide in-depth configuration instructions.