What is DKIM
DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. It is a stronger version of SPF which requires a little additional setup.
OpenCRM needs to be able to prove that it is allowed to send an email on your behalf by signing your emails with a key which matches one setup on your domain. (The difference with SPF is that you just tell your domain that OpenCRM's server is allowed to send on your behalf).
Additionally DKIM allows the receiving server to prove that the email has not been changed between it leaving OpenCRM and arriving at it's recipient's mailbox.
Some config is needed to setup the DKIM keys in OpenCRM and the matching key in your domain.
This is achieved using a public and private key pair, the public key is added to your DNS so mail servers and clients can confirm the email hasn't changed, and the private key is stored encrypted in your OpenCRM system
An additional level of security called DMARC allows you to specify on your domain that ALL emails sent from your domain must be DKIM signed. If you have this setup or don't but would like to, then it is important that you setup OpenCRM with DKIM.
The private key is used to generate the signature based on the content of the email, the public key is used to verify it but can't be used to sign it
As the private key can only be held on systems authorised to send emails this also verifies that the email came from a trusted source
Configuring OpenCRM to send emails using DKIM
There are two parts to this configuration - setting up OpenCRM and adding an entry to the DNS of your domain. We can't do the domain setup for you - you may need someone on hand who understands how to do this and has the relevant access to make changes to your domain setup.
From Settings->Configuration->Configure DKIM
This presents you with a screen showing the list below
By default this shows a list of domains found on your user records (ie the domains you can send emails from) and a blank with a placeholder at the bottom to add any other domains you may send from (e.g. for marketing or support purposes)
The Selector Column, this is given a default but can be set to any valid subdomain name, this will be used to add the DKIM DNS entry to your domain
Next you have DNS Name and DNS Value. These values will be generated when you click "Generate" - you do not need to (and in fact cannot) set these values. Again, they will be used to add the DKIM DNS entry to your domain.
Click generate to generate the DKIM record name and key (DNS Value) that you will need to add to your DKIM DNS entry for the domain shown in the Email domain column
Clicking Regenerate will update then DNS name if you have changed the selector, and update the DNS Value to be copied into your DNS record
Delete will remove the entry from the system
To add a domain that not listed, enter it into the last row with the "otherdomain.com" placeholder, set your own selector if you want something different then click generate on the row
If you have not setup OpenCRM with a DKIM entry, OpenCRM will not sign the email with DKIM, even if your domain has a TXT record setup for DKIM.
Important: If you setup a DKIM entry on OpenCRM and do not add the TXT entry to your domain - OpenCRM will sign the email with DKIM but the DKIM check done by a receiving server will fail, and this may cause your email to be more likely to be marked as spam than without any DKIM setup at all. Similarly, if you regenerate your DKIM values, you must update your DNS entry to match.
You will need to create a TXT DNS record in your DNS system for each domain listed in the Email domain column. The name of the TXT DNS entry should be the value in the DNS Record Name column. and the value is the contents of the DNS Value column.