This article covers the SPF and DKIM authentication processes for Netsuite and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.
TABLE OF CONTENTS
- Configuring DKIM authentication for your Netsuite emails
- Activate DKIM keys in NetSuite
- Verify your DKIM setup
- Add a Netsuite DKIM key in Enforce
- Configuring SPF authentication for your Netsuite emails
Configuring DKIM authentication for your Netsuite emails
1. Log in to your NetSuite account as an administrator and go to Setup -> Company -> Email -> Email Preferences.
2. Click the Domain Keys subtab.
3. In the Domain Selector field, enter the first domain selector. The number of DKIM selectors is limited to one selector per email domain. If you are sharing an email domain between multiple production accounts, use one selector for the shared email domain. Configure that same selector in each account that uses the same email domain.
Note: When naming domain selectors, follow the specifications outlined in RFC 6376 Section 3.1 Selectors and RFC 1035 Section 2.3.1 Preferred name syntax. A few suggestions for naming domain selectors based on these RFCs:
- The domain selector name (label) must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and a hyphen.
- Attempting to name a selector beginning with a digit results in an error message that the DKIM selector name is invalid. The record cannot be saved.
- Valid digits (numbers) are 0 through 9.
- Both uppercase and lowercase letters are allowed, but no significance is attached to the case of the letter.
- If using a hyphen as an interior character in the domain selector name, ensure that the character is a hyphen (Unicode U+2010) and not a different character that may look similar to a hyphen.
- The domain selector name must be 63 characters or less.
A suggested best practice is to structure the domain selector name to include information such as the purpose, the owner, and the creation date.
For example, to meet the criteria specified in the RFCs, dec2020-netsuite is a name you could enter in the Domain Selector field in NetSuite.
4. In the Domain Name field, enter the domain name you are using to send DKIM-signed email from NetSuite. For example, if the email address from which you are sending DKIM signed email is firstname.lastname@example.org, the domain is wolfeelectronics.com. An email address from this domain can appear in the From header.
5. Enter the Private and Public domain keys (in PEM format) used for signing in one of the following ways:
- If you have used the same domain keys with another application, enter the domain keys manually.
- If you have not generated a domain key for this domain previously, click Generate Key Pairs to have NetSuite generate them for you.
You need the public domain key to set up your domain with a domain hosting service.
6. After entering the domain keys, click Generated DNS Entry. Your complete, properly formatted DNS entry is shown in a popup window. Copy this DNS entry. Do not close the browser window.
7. Add the DKIM TXT key/s in Valimail Enforce.
Note: When a domain is shared by more than one NetSuite account, a message is displayed on the Domain Keys subtab indicting that the email domain is used by other NetSuite accounts. If the DKIM configuration needs to be modified, the customer must contact NetSuite Customer Support.
8. Make sure you add the generated DKIM key in Valimail Enforce procedure within 14 days after entering domain keys in NetSuite.
Important: If you do not complete the Set Up a DNS Text Record within 14 days, the From header of email sent from that particular domain will continue to be rewritten. For more information, please see From Headers in Email Can Be Rewritten.
You can also find the instructions on how to set up DKIM for Netsuite here.
Activate DKIM keys in NetSuite
To activate DKIM keys in your NetSuite account:
1. In your NetSuite account on the Email Preferences page, check the Active box for each key you have set up.
2. Click Save. All outgoing email messages sent from NetSuite using the domain or subdomain you entered will have a DKIM header.
This code header contains the domain authentication information but does not add any text to your messages.
3. Test your DKIM setup.
Verify your DKIM setup
After you have entered your Domain Keys in NetSuite, published the DKIM key in Valimail Enforce, and activated your DKIM keys, you can test your DKIM setup.
To verify your DKIM Setup:
1. Inside your Netsuite account, go to Setup -> Company -> Email -> Email Preferences.
2. On the Domain Keys subtab, select the domain key you want to verify and click Verify DNS Entry.
NetSuite checks to make sure the public domain key in the DNS record matches the public domain key entered in NetSuite.
3. The results of the test are displayed in a popup window. Possible results from this test include the following:
4. If you receive a message that your DNS entry for DKIM has been verified, click Send Test Email to DKIM Reflector to send a test email message.
A DKIM reflector is a service set up to receive and analyze email. This reflector then forwards a report on your domain key setup. The report is sent to the address shown in the Email Address to Receive Test Response field.
Add a Netsuite DKIM key in Enforce
1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.
a. Scroll down and add the DKIM key in your configuration, by clicking on Add a DKIM key.
b. Enter the selector name, the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with Netsuite and then click Add.
You can find more detailed information on how to add a DKIM key in Valimail Enforce here.
Configuring SPF authentication for your Netsuite emails
Once you establish that Netsuite is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.
1. Please go to your domain's Configuration page in Enforce.
2. Click on the + sign from the Enabled Senders section:
3. Choose Netsuite from the list of configurable senders and then click Enable:
We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.
As always, if you have any questions, please don't hesitate to submit a ticket.