This article provides a detailed overview of DomainKeys Identified Mail (DKIM) and how you can configure it. It also covers a few troubleshooting scenarios and possible steps to resolve them.



What is DKIM?

Domain verification is a mandatory check if you are using the default Freshdesk server for email communication. You can perform domain verification via DomainKeys Identified Mail (DKIM) and ensure that your business is compliant with Domain-based Message Authentication, Reporting, and Conformance (DMARC), which includes an SPF check within the DKIM records, making your organization capable of authenticating the communication between you and your customers.


Why is DKIM required?

DKIM generates a signature, which is attached to the message while in transit, to verify the authenticity of the message source. This signature is associated with the organization’s registered domain name. On reaching the destination, if the message has a valid signature, the email source is verified. 


Hence, no one can send emails impersonating your organization, and support emails sent by Freshdesk on your behalf will not be marked as spam. DKIM also authenticates incoming emails as valid in Freshdesk.

DKIM plays a crucial role in enhancing email security, establishing sender legitimacy, and ensuring better email deliverability by reducing the chances of emails being marked as spam or phishing attempts.

The benefits of using DKIM are:

  • Email Authentication: DKIM verifies and ensures that the content of an email message has not been tampered with during transmission. This helps recipients trust the authenticity of the sender.
  • Sender Reputation: Implementing DKIM can positively impact the sender's reputation. Email service providers use DKIM as a factor to determine whether incoming emails are legitimate or spam.
  • Reducing Spoofing and Phishing: DKIM helps prevent attackers from impersonating legitimate senders, reducing the possibility of phishing attacks and email spoofing.
  • Improved Deliverability: Email messages signed with DKIM are more likely to bypass spam filters and reach recipients' inboxes, as it adds an extra layer of credibility to the sender.
  • Domain Reputation: DKIM contributes to the overall reputation of a sender's domain, influencing the possibility of successful email delivery.
  • Third-Party Services: Many email services and platforms require DKIM authentication for sending emails on behalf of a domain. Without DKIM, emails from these services might be treated as suspicious or rejected by recipients' email systems.


Note: Though DKIM (DomainKeys Identified Mail) verification is not specifically required for a custom email server in Freshdesk, we still recommend configuring DKIM for your own DNS at your end. This ensures enhanced email security and helps prevent spoofing and phishing attacks.


User Requirements: Ensure that you have admin access to configure DKIM.


How to configure DKIM?

Before proceeding with DKIM setup, you need to first update your DNS records with the Freshdesk domain key so that it can be located and used for verifying signatures. The UI and terminology might change across different domain registrars, but the essential setup will be similar.




To configure DKIM:

  1. Log in as an admin.
  2. Go to Admin > Channels > Email > Advanced Settings > Configure DKIM.
  3. Copy the system-generated settings (4 CNAME records) to publish in your DNS server/domain provider’s account. This is a one-time configuration step per domain name.
     


Note: If you have the same records for other applications, contact Freshdesk Support. If you use GoDaddy, remove the domain name (under 'Host Value') before verifying the records inside Freshdesk. We will also need access to your Freshdesk account as an occasional agent to raise new records.


To update your DNS records with the Freshdesk domain key (in your domain registrar):

  1. Log in to your domain registrar’s control panel with the credentials used to register your domain name.
  2. To change the DNS records, locate and click on the option called Manage DNS, Name Server Management, DNS Management, or Advanced Settings.
  3. Look for an option to create a CNAME record.
  4. Add the values copied from your helpdesk into the new CNAME record.
  5. Repeat the above steps for each domain in the case of multiple domains. For example, support@tripto.com and billing@tripto.com require only a single setup; however, if you have support@tripto.com and billing@holidayto.com, you need to set up DNS verification individually for both emails.
  6. Once you complete the setup, verify it in Freshdesk.
    Go to Admin > Email > Advanced Settings > Configure DKIM, expand the domain settings, and click Verify to make sure that the DNS settings are published correctly. 


Troubleshooting DKIM configuration

On rare occasions, there could be a delay in successful propagation. Once it is completed, the admin will receive an email.

The time it takes to publish a CNAME record for DKIM (DomainKeys Identified Mail) can vary depending on several factors. Here are a few reasons why:


  • DNS Propagation: When you create or modify a DNS record, such as a CNAME record, it takes time for the changes to propagate throughout the DNS (Domain Name System) infrastructure. DNS propagation is the process by which DNS servers worldwide update their cached records with the new information. This propagation can take anywhere from a few minutes to several hours, and in some cases, up to 48 hours. During this propagation period, different DNS servers may still have the old record cached, resulting in delays.
  • TTL (Time to Live): The TTL value of a DNS record determines how long other DNS servers and clients should cache the record before checking for updates. If the TTL value for the existing CNAME record is set to a high value, it can take longer for the changes to propagate. It is recommended to set a lower TTL value for the record before making changes, allowing for faster propagation once the modifications are made.
  • DNS Provider Configuration: The time taken to publish a CNAME record also depends on the DNS provider you are using. Different providers have different mechanisms for updating and propagating DNS records. Some providers may have faster update times, while others may have longer propagation periods.
  • Network Latency: Network latency can affect the time it takes for DNS changes to propagate. If there are network issues or delays between the DNS servers and clients, it can result in longer propagation times.


To minimize the time it takes to publish a CNAME for DKIM, you can follow these best practices:


  • Set a lower TTL value for the CNAME record before making changes.
  • Confirm with your DNS provider about their propagation times and any specific steps you need to take.
  • Monitor the propagation progress using online DNS propagation tools or by periodically checking from different locations.
  • If you require urgent DKIM record updates, you can consider reaching out to your DNS provider's support team for assistance.


It's important to note that while the propagation time can be a factor, DKIM record changes do not typically take an excessively long time to propagate. If you are experiencing significant delays, it's advisable to double-check your DNS configuration and contact your DNS provider for further assistance.

 


How to check DKIM verification status?

An email is sent to the account admin when the verification is complete. One email is sent for each configured domain name. To check the verification status, go to the DKIM Settings. The status is shown as follows:

  • Green check mark: Indicates that the DNS is verified.
  • Red cross mark: Indicates that the DNS is unverified.



Troubleshooting DKIM Issues

  1. General Issues
  2. DKIM Verification issues
  3. DKIM records not found


General Issues

  • If you get a '404' error while configuring DKIM, contact Freshdesk support at support@freshdesk.com with a screenshot of the error.
  • If you add an email, the domain will be created in DKIM automatically. To remove a domain from DKIM, navigate to Admin > Email > Advanced Email Settings > Configure DKIM, select the invalid domain, and click Configure if greyed out, or click Remove.
  • If you wish to add new records/domains for DKIM, contact support@freshdesk.com with your Freshdesk URL and plan details.
  • If the DKIM records are unique and valid but not verified yet, contact your DNS provider's support or contact us at support@freshdesk.com CCing them in the email. 
  • If you receive a 'Domain verified in other account' error message, remove the records you have added for the account, exit the page, and then add the values again. If the issue persists, write to support@freshdesk.com with a screenshot of the error displayed.

DKIM Verification issues

  1. Records not matching:
    There may be instances where certain characters are missing or extra characters are added in the DNS record compared to what is displayed in Freshdesk. In such cases, the DKIM verification in Freshdesk may fail. Ensure that there are no spaces in the DNS record.
  2. Avoid spaces in CNAME record:
    Ensure that there are no spaces before or after any of the characters in the CNAME record.
  3. Records not published:
    Even if the DKIM records are correctly added to the DNS, they may not be published. To verify if the records are published, perform a CNAME lookup with the CNAME record. A published CNAME record should look like this:

  4. DNS configuration with certain providers like GoDaddy:
    When using specific DNS providers like GoDaddy, it is not necessary to repeat the domain when adding the host value in the DNS.
    For example, if the CNAME is 'host: fwdkim1.sauls.com' and 'value: spfmx1.domainkey.freshemail.io',
    enter only 'fwdkim1' in GoDaddy, as it automatically adds the domain to the record. If you add 'fwdkim1.sauls.com' directly in GoDaddy, it will be added as 'fwdkim1.sauls.com.sauls.com', causing the validation to fail.
  5. Overlapping DKIM record values for the same email domain:
    When the same email domain is added to multiple Freshdesk accounts or multiple Freshdesk products, there may be overlapping DKIM record values. To address this, ensure that only a single entry is made in the DNS. It is not necessary to duplicate the same entry in the DNS, even if the values overlap. However, make sure that a single entry containing all the values from both accounts is added to the DNS and published for successful verification in Freshdesk.
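
The checks in items 1, 2 and 4 above can be run on a record before clicking Verify. The following Python sketch is an added example, not Freshdesk code: it reuses the article's sample record, assumes a provider that always appends the zone to the host field (the GoDaddy behaviour described in item 4), and its function names are hypothetical.

```python
# Added example; record values are the article's sample, inputs are constructed.
EXPECTED = ("fwdkim1.sauls.com", "spfmx1.domainkey.freshemail.io")
ZONE = "sauls.com"


def normalize(name):
    """Lower-case a DNS name and drop surrounding spaces and the root dot."""
    return name.strip().rstrip(".").lower()


def published_host(entered_host, zone):
    """Name that ends up in DNS when the provider appends the zone.

    Assumption: the provider always appends the zone to the host field.
    """
    return f"{normalize(entered_host)}.{normalize(zone)}"


def diagnose(expected, entered, zone):
    """Return the reasons verification would fail for an entered record."""
    exp_host, exp_value = (normalize(part) for part in expected)
    ent_host, ent_value = entered
    problems = []
    # Items 1 and 2: any space, tab or newline breaks the comparison.
    if any(ch.isspace() for ch in ent_host + ent_value):
        problems.append("whitespace in record")
    ent_host = "".join(ent_host.split())
    ent_value = normalize("".join(ent_value.split()))
    # Item 4: a full host name gets the zone appended a second time.
    actual = published_host(ent_host, zone)
    if actual == f"{exp_host}.{normalize(zone)}":
        problems.append(f"domain repeated: published as {actual}")
    elif actual != exp_host:
        problems.append(f"host mismatch: published as {actual}")
    # Item 1: missing or extra characters in the target.
    if ent_value != exp_value:
        problems.append(f"value mismatch: {ent_value}")
    return problems


if __name__ == "__main__":
    samples = [
        ("fwdkim1", "spfmx1.domainkey.freshemail.io."),   # correct
        ("fwdkim1.sauls.com", EXPECTED[1]),                # zone doubled
        ("fwdkim1 ", " spfmx1.domainkey.freshemail.io"),   # stray spaces
        ("fwdkim1", "spfmx1.domainkey.freshmail.io"),      # typo in value
    ]
    for entered in samples:
        print(entered, "->", diagnose(EXPECTED, entered, ZONE) or "OK")
```

A CNAME lookup (for example `dig +short CNAME fwdkim1.sauls.com`) prints the target with a trailing dot, which `normalize()` strips before comparing.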


DKIM records not found

If DKIM records are not available for configuration in the Advanced Email Settings, you can perform the following steps:

  1. Verify if a custom support email domain is set up: 
    Check if a custom support email domain is set up under the Admin → Email section. It is important to ensure that the domain exists.
  2. Verify the status of the email domain: 
    Ensure that the email domain is verified. This means that the domain ownership and configuration have been successfully verified.
  3. If the above checks are satisfied but the domain is still not available, contact support@freshdesk.com.