Blackbaud recently changed how we add DKIM (DomainKeys Identified Mail) signatures to emails sent from Luminate Online. The DKIM keys previously in use were not long enough to be trustworthy, and Gmail and other email services no longer accept emails with DKIM signatures that use keys shorter than 1024 bits. With this change, email deliverability will improve for those email services that only accept 1024-bit DKIM keys.
What is DKIM?
DKIM is a method of verifying an email’s authenticity and confirming that it was not tampered with in transit. This process helps email administrators combat spam.
How does DKIM work?
Blackbaud adds a DKIM-signature header to all email messages that originate from Luminate Online. A DKIM-signature header is a digital signature of the contents of the email message. Receiving mail systems use the name specified in the DKIM-signature header to perform a DNS lookup. That DNS lookup returns the DKIM public key Blackbaud used to add the DKIM-signature header. Receiving mail systems retrieve the key, use it to decrypt the signature in the header field, and compare the result to the email they received. If the two values match, this cryptographically proves that the mail was sent by the entity specified in the DKIM-signature header and has not been tampered with in transit.
What does my organization need to do to send with 1024-bit DKIM signatures?
Nothing. In the interest of security, delete any published DKIM public keys shorter than 1024 bits. This includes the convio1 key that many clients have published.
What DNS record needs to be removed?
DKIM public keys are published as DNS TXT records with names like convio1._domainkey.mydomain, where mydomain is the domain name in question.
If you previously published the old convio1 DKIM public key with this DNS record, please delete the DNS record.
Note: Removing DNS records varies by DNS server and/or service used.
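One way to check whether a published DKIM TXT record carries an RSA key shorter than 1024 bits, as an added example that is not Blackbaud's code. It assumes the p= tag holds a base64 DER SubjectPublicKeyInfo, as OpenSSL-generated DKIM keys do; the function names are hypothetical and the sample records are constructed from placeholder moduli, not real keys.

```python
import base64
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def read_tlv(buf, pos, want):
    """Read one DER element at pos; return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (assumed p= format)."""
    start, _ = read_tlv(spki, 0, 0x30)            # SubjectPublicKeyInfo
    start, alg_end = read_tlv(spki, start, 0x30)  # AlgorithmIdentifier
    if spki[start:alg_end] != RSA_ALG:
        raise ValueError("not an RSA key")
    start, _ = read_tlv(spki, alg_end, 0x03)      # BIT STRING
    start, _ = read_tlv(spki, start + 1, 0x30)    # RSAPublicKey, after unused-bits byte
    start, end = read_tlv(spki, start, 0x02)      # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit_dkim_record(txt, minimum=1024):
    """Return (verdict, bits) for a DKIM TXT value; accepts quoted multi-string form."""
    parts = txt.replace('"', "").split(";")
    tags = {k.strip(): "".join(v.split())
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}
    if not tags.get("p"):
        return "revoked", 0  # an empty p= tag marks a revoked key
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("ok" if bits >= minimum else "delete", bits)

def der(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample record: placeholder modulus of `bits` bits, not a real key."""
    n = (1 << (bits - 1)) | 1
    ints = der(0x02, n.to_bytes(bits // 8 + 1, "big")) + der(0x02, b"\x01\x00\x01")
    spki = der(0x30, der(0x30, RSA_ALG) + der(0x03, b"\x00" + der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print([audit_dkim_record(constructed_record(b)) for b in (512, 768, 1024, 2048)])
```

Pass audit_dkim_record the TXT value returned for a name such as convio1._domainkey.mydomain; a "delete" verdict marks a record whose key is shorter than 1024 bits.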
What types of Blackbaud email does this affect?
All email sent from Luminate Online.