App Suite Cloud

...

It will be available to our OX Cloud US customers first. We'll update this page with an availability date as soon as we have one and have verified that everything is working as expected.

Environment       Deployment status
OX Cloud US       in progress
OX Cloud Pro US   currently under planning
OX Cloud EU       not started yet


What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication standard that uses a digital signature to verify an email's origin and ensure its content hasn't been altered. It helps prevent spam and phishing by linking the message to a specific domain owner.

...

Relevant standards documentation:

Document Description                            Link
DomainKeys Identified Mail (DKIM) Signatures    https://datatracker.ietf.org/doc/html/rfc6376
Introduction of the new Ed25519 key algorithm   https://www.rfc-editor.org/rfc/rfc8463
OX Cloud DKIM API description                   https://documentation.open-xchange.com/components/dkim-service/latest/

A few words on the Why?

The email world is moving towards a situation where it is increasingly important that emails are signed with DKIM and that DKIM alignment is respected.

...

We use the simple naming of selector1 and selector2.


dig TXT <selector>._domainkey.example.com +short

Example:

dig TXT selector1._domainkey.spamtrap.dk +short
selector1-spamtrap-dk._domainkey.oxcloud.zone.
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLkV7oHRI/lFUN/CfEpbOadRtsFpjJNqSlwlOdJ1tOfOW0j24PRZj0ktGmdo04uHhtXMMu9PGEs/4OnEcycd6sLHpDWjaVueFCD6ykPzcY7iJZPDgJezBDevwb5N+T5UANfGSH+b2nQz/oQTriRpwU0GY7amAbXIXJrB9vdBCYuM52EqcrC/F6wHZzIUYEhlf" "oSRvi7bs7tpQ2ziLywqw93x0ZPzarHFvRUulb/435J/6EhtxQJgoVcODtHqR9TPe8aVYsO5v2zqvRrRB4MxbabdE1etpv1KX5AV+iFQn7lNMIO93dLZBLxt5iVIjL6iDmiK/D6l7MYJnFb80zV+WwIDAQAB;"


If nothing is set up under that selector name, you will get an empty reply.

...

API access is granted with the standard provisioning credentials.

b. Check access works correctly:

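curl -u {brand}:{secret} https://us.appsuite.cloud/cloudapi/v2/mail/dkim/{brand}

This lists all entries of that brand. If no keys exist, it returns "No DKIM entries found" with HTTP status NOT_FOUND (404).

Because the secret is passed on the command line, it ends up in shell history and is visible in the process list; prefer supplying it from a protected file such as .netrc.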

...

The URL depends on the environment you are using:

Environment     URL
Cloud EU        https://eu.appsuite.cloud/cloudapi/v2/mail/dkim/{brand}
Cloud US        https://us.appsuite.cloud/cloudapi/v2/mail/dkim/{brand}
Cloud Pro US    https://http.cloudprous.xion.oxcs.net/cloudapi/v2/mail/dkim/{brand}


c. Check whether any keys already exist for the domain:

GET /cloudapi/v2/mail/dkim/{brand}/{domain}


d. Generate new keys:

PUT /cloudapi/v2/mail/dkim/{brand}/{domain}


Step 3: Create the DNS CNAME entries

...

You need to create a CNAME for both selector1 and selector2, so that everything is already in place for the later key rotation.


Example:

selector1._domainkey.spamtrap.dk IN CNAME selector1-spamtrap-dk._domainkey.oxcloud.zone

selector2._domainkey.spamtrap.dk IN CNAME selector2-spamtrap-dk._domainkey.oxcloud.zone


We suggest you add this as part of your account creation provisioning process, so right after the first email account on a domain is created, 

...

a. Check the private keys exist on our side:

GET /cloudapi/v2/mail/dkim/{brand}/{domain}/{selector}


b. Check the public keys can now be retrieved through the TXT record like in Step 1.

You can also use external tooling, such as https://mxtoolbox.com/dkim.aspx, to check that the CNAME entry is correct in DNS (it requires the domain name and the selector as input).

Example:

dig TXT selector1._domainkey.spamtrap.dk +short
selector1-spamtrap-dk._domainkey.oxcloud.zone.
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLkV7oHRI/lFUN/CfEpbOadRtsFpjJNqSlwlOdJ1tOfOW0j24PRZj0ktGmdo04uHhtXMMu9PGEs/4OnEcycd6sLHpDWjaVueFCD6ykPzcY7iJZPDgJezBDevwb5N+T5UANfGSH+b2nQz/oQTriRpwU0GY7amAbXIXJrB9vdBCYuM52EqcrC/F6wHZzIUYEhlf" "oSRvi7bs7tpQ2ziLywqw93x0ZPzarHFvRUulb/435J/6EhtxQJgoVcODtHqR9TPe8aVYsO5v2zqvRrRB4MxbabdE1etpv1KX5AV+iFQn7lNMIO93dLZBLxt5iVIjL6iDmiK/D6l7MYJnFb80zV+WwIDAQAB;"


c. Send mail to yourself and check the DKIM signature in the mail source
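The TXT check in step b can be automated for both selectors. The following is an added example, not part of the OX documentation or API: it parses `dig TXT ... +short` output, confirms the CNAME target, rejoins the split TXT strings and validates the key record tags. The function names, the dots-to-dashes naming rule (inferred from the spamtrap.dk example) and the sample record are assumptions made for illustration.

```python
import base64
import binascii
import re

OX_ZONE = "_domainkey.oxcloud.zone."  # CNAME target zone from the page's example

def expected_cname(selector, domain):
    # Assumption: "<selector>-<domain with dots as dashes>", inferred from spamtrap.dk.
    return f"{selector}-{domain.replace('.', '-')}.{OX_ZONE}"

def check_dkim_answer(dig_short, selector, domain):
    """Return problems found in `dig TXT <selector>._domainkey.<domain> +short` output."""
    lines = [ln.strip() for ln in dig_short.splitlines() if ln.strip()]
    if not lines:
        return ["empty reply: nothing is set up under this selector"]
    problems = []
    cnames = [ln.lower() for ln in lines if not ln.startswith('"')]
    want = expected_cname(selector, domain)
    if want not in cnames:
        problems.append(f"CNAME target is {cnames or 'missing'}, expected {want}")
    txt = [ln for ln in lines if ln.startswith('"')]
    if len(txt) != 1:
        return problems + [f"expected exactly one TXT record, got {len(txt)}"]
    # dig prints a long TXT record as several quoted strings; join them with no separator.
    record = "".join(re.findall(r'"([^"]*)"', txt[0]))
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    ktype = tags.get("k", "rsa")  # RFC 6376 default key type is rsa
    if ktype not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {ktype!r}")
    if not tags.get("p"):
        problems.append("empty or missing p= tag: no usable public key")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
            if ktype == "ed25519" and len(key) != 32:  # RFC 8463: raw 32-byte key
                problems.append("ed25519 key is not 32 bytes")
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or badly joined record?)")
    return problems

# Constructed sample: placeholder 32-byte key, split into two strings as dig would print it.
SAMPLE_P = base64.b64encode(bytes(range(32))).decode()
SAMPLE = ("selector1-example-com._domainkey.oxcloud.zone.\n"
          f'"v=DKIM1; k=ed25519; p={SAMPLE_P[:20]}" "{SAMPLE_P[20:]}"\n')
```

An empty list means the selector resolves through the expected CNAME to a well-formed key record; run it once per selector so selector2 is confirmed before the first rotation.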

...

a. Delete the active keys through the API

DELETE /cloudapi/v2/mail/dkim/{brand}/{domain}


b. Verify the keys are removed

GET /cloudapi/v2/mail/dkim/{brand}/{domain}

You should get a 404 domain not found.

...

d. Verify the entry is gone

The empty response shows that the CNAME entries no longer exist.

...