Applies to
- OX Cloud
- OX Custom Cloud
Summary
This section describes how you use DomainKeys Identified Mail (DKIM) with OX Cloud to ensure that destination email systems trust messages sent outbound from your custom domain.
You should use DKIM in addition to SPF and, in the longer term, extend this combination with a DMARC policy to help prevent spoofers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message by using cryptographic authentication. Email systems that receive email from your domain can use this digital signature to help determine whether incoming email is legitimate.
Basically, you use a private key to sign the header of your domain's outgoing email. You publish the matching public key in your domain's DNS records, and receiving servers use it to check the signature. In doing so, they verify that the messages are really coming from you and not from someone spoofing your domain.
In practice, OX currently sets up DKIM automatically by default via its generic domains. That means you don't need to do anything to set up DKIM for any domain names. This is the "Brand signed" method, as explained on the other page.
The old "Mail domain signed" method, also described there, is only suitable for customers managing a rather small number of domains where DNS is well controlled or ISPs w/o, because of the disadvantages mentioned there.
As a replacement for the latter, we are currently introducing a completely new process that allows signing per mail domain, with specific keys for every domain. Please check availability for your tenant, based on the platform where it is hosted.
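To check which of these signing modes a delivered message actually used, read the d= (signing domain) and s= (selector) tags of its DKIM-Signature header: they give the DNS name where the receiver fetches the public key, and DMARC additionally expects d= to align with the From domain. The following is an added example, not OX code; the function names, domains, selectors and header values are constructed placeholders, and the alignment test is a simplified stand-in for DMARC's relaxed alignment.

```python
import re

def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # undo header folding
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)               # base64 may contain '='
        name = name.strip()
        # Whitespace inside the base64 tags b= and bh= is not significant.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags

def key_record_name(tags):
    """DNS TXT name holding the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def signing_mode(from_address, tags):
    """Compare the signing domain (d=) with the visible From domain.

    Simplification (assumption): 'aligned' means d= equals the From domain
    or is a parent of it. Real DMARC relaxed alignment compares
    organizational domains using the Public Suffix List.
    """
    from_domain = from_address.rsplit("@", 1)[1].strip("> ").lower()
    d = tags["d"].lower()
    if from_domain == d or from_domain.endswith("." + d):
        return "aligned"
    return "third-party"

# Constructed sample headers; all domains and selectors are placeholders.
PROVIDER_SIGNED = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail-provider.example; s=sel1;\r\n"
    "\th=from:to:subject:date; bh=AAAA\r\n\tBBBB=; b=CCCC\r\n\tDDDD=="
)
CUSTOM_SIGNED = (
    "v=1; a=rsa-sha256; d=customer.example; s=sel2; "
    "h=from:to:subject; bh=AAAA=; b=CCCC=="
)

if __name__ == "__main__":
    for hdr in (PROVIDER_SIGNED, CUSTOM_SIGNED):
        t = parse_dkim_signature(hdr)
        print(key_record_name(t), signing_mode("Alice <alice@customer.example>", t))
```

A "third-party" result means the signature can still verify, but it vouches for the signing domain rather than for the domain shown in From.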