Knowledge Base Article

Aurora: Configure DKIM for community emails

DKIM (DomainKeys Identified Mail) is an email authentication technique that uses unique keys to digitally sign mail. The signing server adds a cryptographic DKIM signature to the message header. It helps combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to come from legitimate organizations.

Our customers commonly implement DKIM records together with SPF to meet DMARC policies. This can provide better protection for your domain against malicious emails sent on behalf of your domains. Learn more about SPF setup.

Note: Khoros cannot support a custom DKIM implementation in conjunction with SendGrid custom relays. Custom DKIM implementations also prevent the use of Communities Email Analytics.

To perform this implementation with Khoros:

  • Provide Khoros the mailer address to be used. Refer to Edit the Aurora community email sender name and address for best practices regarding the address choice.
  • Khoros will provide the DKIM selector and key, which your teams will then install on the target mailer subdomain.
  • Validate the DKIM configuration using tools such as MxToolbox:
    • The domain to check is the part following the @ symbol in your mailer address. For example, if your address is notifications@mailer.customer.com, then the domain to check is mailer.customer.com. 
    • Ensure all checks pass with the domain and selector.
  • Once the DKIM configuration on your DNS entry is validated, Khoros completes the final Community configuration.

Best Practices

  • Refer to Edit the Aurora community email sender name and address for best practices regarding the choice of mailer address.
  • You must use DKIM if you have restrictive DMARC records in place, even if you do not want to DKIM sign emails. The strictness is indicated below:
    1. Strict - Reject
    2. Strict - Quarantine (with a 25%+ apply percentage) policy
    3. Relaxed - Quarantine (with a < 25% apply percentage) policy
    4. Relaxed - None policy
  • Deliverability with DKIM is not as high as with SPF only, because the IP addresses of the Khoros DKIM mail relays are newer (~2020) and part of AWS’s IP space. For this reason, some email vendors may never consider these relay servers trusted, which makes emails sent through them more susceptible to being blocked.
  • You must ensure there is no SP (Subdomain Policy) attribute present on the same subdomain. This can result in your top level DMARC policy being applied to your subdomain, and as a result, email not being delivered.

    To do this:
    1. Go to https://mxtoolbox.com/DMARC.aspx.
    2. Add your domain in the field (for example, khoros.com or everything after the @).
    3. Select DMARC Lookup and see if an SP message is displayed, which should look like this:

      Organization Domain of this sub-domain is: example.com Inbox Receivers will apply example.com DMARC record to mail sent from mail.example.com
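
The two checks described above (the DKIM key record at the selector and mailer domain, and which DMARC policy reaches the mailer subdomain), as an added example that is not Khoros code. It parses constructed TXT record strings offline; the selector `sel1`, the sample records, and all function names are assumptions.

```python
# Added example: parses constructed TXT records only; no DNS queries are made.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64PUBLICKEY"  # constructed
SAMPLE_ORG_DMARC = "v=DMARC1; p=none; sp=reject; pct=100"     # constructed

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM or DMARC) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dkim_query_name(mailer_address, selector):
    """DNS name that must hold the DKIM key for the mailer address's domain."""
    domain = mailer_address.rsplit("@", 1)[1].lower()
    return f"{selector}._domainkey.{domain}"

def dkim_key_problems(txt):
    """Problems in a DKIM key record; an empty list means it is usable."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":       # v= is optional, defaults to DKIM1
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):  # k= defaults to rsa
        problems.append("unsupported key type in k=")
    if not tags.get("p"):                        # empty p= means a revoked key
        problems.append("p= missing or empty")
    return problems

def effective_dmarc(subdomain_txt, org_txt):
    """Policy receivers apply to mail from the subdomain, and its source.

    A DMARC record on the subdomain itself wins. Without one, the
    organizational domain's record applies: sp= if present, otherwise p=.
    """
    if subdomain_txt and parse_tags(subdomain_txt).get("v") == "DMARC1":
        return parse_tags(subdomain_txt).get("p", "none").lower(), "subdomain p="
    org = parse_tags(org_txt or "")
    if org.get("v") != "DMARC1":
        return "none", "no DMARC record"
    if "sp" in org:
        return org["sp"].lower(), "organizational sp="
    return org.get("p", "none").lower(), "organizational p="

if __name__ == "__main__":
    # "sel1" is a hypothetical selector; Khoros supplies the real one.
    print(dkim_query_name("notifications@mailer.customer.com", "sel1"))
    print(dkim_key_problems(SAMPLE_DKIM))
    print(effective_dmarc(None, SAMPLE_ORG_DMARC))
```

With the constructed organizational record, the mailer subdomain inherits `reject` through `sp=` even though the top-level `p=` is `none`, which is the situation the SP check is meant to catch.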
Updated 9 days ago
Version 2.0