DKIM in NetSuite essentially allows you to send Bulk Merges and Campaign to more than 10, 000 recipients. In the NetSuite Help Center article, it discusses that DKIM signs the emails to allow ISPs to authenticate emails that users are sending.
This is necessary because NetSuite sends emails and campaigns using a technique commonly called as Spoofing where the FROM part of the message is an email used by the company, but underneath it the sender header is still NetSuite. As it has been known, this behaviour is commonly misinterpreted by servers and ISPs as spam as it is one of the more well known methods exploited by spammers.
Here is an in depth explanation of how DKIM works and how the authentication happens:
DKIM settings in NetSuite:
When you navigate to the DKIM setup under Setup > Company > Email Prerences > Domain Keys tab, the DKIM setup in NetSuite is composed of the following 4 major and functional parts.
Here is what they do:
1. Since the Selector is already considered as a subdomain, no need to add another subdomain to the DKIM string.
As an example:
Domain Selector: Selector1
DNS Query: Selector1._domainkey.domain.com
Note: To know what Selector1._domainkey.domain.com currently contains, use this link to verify what information Selector1 above holds.
2. Domain Name: This is the location where the Domain Selector can be found.
3. Private Key & Public Key: A pair of asymmetrical mathematically generated keys that make use of the Public Key Encryption approach. There will always be only one Public Key that will decode a Private Key.
Note: Knowledge of the Public key only or the Private key only does not pose any security threats. With only knowing either only the Public or Private key alone, there is currently no mechanism to decode what the other key is due to the algorithms used in Public Key Encryption.
4. Generated DNS Entry: Once a pair of Private and Public Domain Keys is generated, this section will give a string in the format of: v=DKIM1;k=rsa;p=[Public Domain Key]. This is the DKIM format that Netsuite uses although other formats are available for DKIM as used by other programs or services according to their own purposes and needs. This will be the content of the TXT record or Domain selector that is placed in the domain or subdomain of your website.
Note: When setting up DKIM from the instructions found at the Help section in NetSuite found at Marketing, Sales Force Automation, and Partners > Marketing > Email Marketing Campaigns > Domain Key Identified Mail (DKIM), please note that propagation of data as well as refreshing of the DNS from your domain and Netsuite will at times take around 24 to 72 hours to complete, or alternatively, if you have control of the hosting server itself, flushing DNS entries will refresh them and should almost automatically allow you to use DKIM almost instantly.
Further Reading and Proof of Concept:
Note: Setting up DKIM does not guarantee a 100% delivery rate for bulk messages like Campaigns and Bulk Merges. There are certain factors that we cannot control which include, but are not limited to, the following:
- Mail Server security Policy: this includes mail servers that will not accept any FROM headers that are spoofed, mail servers configured to reject or junk HTML emails which link to "non-work" defined related links and so on.
- Blacklisting: when a Netsuite relay server reaches a DNSBL (Domain Name Server Black List), and the receiving email server reads from the blacklisting entity, DKIM will not be a factor to consider in terms of mail delivery. The blacklist needs to be cleared first before email can flow through.
- Marked As Spam: commonly, web mail users always have the option to report Spam emails in some way, by doing so, if enough users mark a particular origin as a spammer, the receiving entity will at most times block any emails coming from that origin. This is very different from being blacklisted as it is the receiving entity's discretion to allow email to flow through their system to protect their own infrastructure.