This topic describes the steps required for a LabKey Cloud Server
to be able to send emails from a non-LabKey email address, such as from a client's "home" email domain. In the legacy hosted environment, clients could configure such emails themselves without this process.
To send email from the client email domain, clients must authorize LabKey to send email on their behalf by creating a new text record in their DNS system known as a DKIM (DomainKeys Identified Mail)
record.What is DKIM?
DKIM is an email authentication method designed to detect email spoofing and prevent forged sender email addresses. Learn more on Wikipedia
.Why has LabKey implemented this new requirement?
LabKey takes client security seriously. LabKey Cloud Servers typically do not use client email servers to send email. Further, many clients use LabKey to manage PHI data and thus need to meet strict compliance guidelines. With LabKey using DKIM authorization, clients can be assured that email originating from LabKey systems has been authorized by their organization thus increasing the level of trust that the content of the email is legitimate.
PostMarkHow does mail get sent from a LabKey Cloud Server?
To prevent mail from our servers being filtered as spam and generating support calls when clients can't find messages, LabKey uses a mail service called PostMark
PostMark confirms through various methods that mail being sent by its servers isn't spam, and can therefore be trusted by recipients.
One part of the configuration requires that every "FROM" email domain being sent by through the LabKey account has a DKIM record
. A DKIM record is like a password that tells PostMark LabKey has permission to send mail from that domain. This prevents domain-spoofing in emails coming from LabKey and being sent through PostMark, thus ensuring the integrity of both LabKey and PostMark's reputation.
When LabKey sends a message from one of our cloud servers, it is sent to a specific PostMark email server via a password-protected account. PostMark then confirms the domain is one LabKey has a DKIM record for.
Because PostMark's model is to protect domains, LabKey cannot assign DKIM records to specific hosts, only to domains like labkey.com. As such, mail is sent from our cloud servers as username@domain, as opposed to email@example.com.
If there's no DKIM for the domain in the email address, PostMark bounces the email from its server and never sends it. If the domain is DKIM approved, the mail is then sent on to the recipient.
Configure DNS Records
To configure DNS records so mail from client email address goes through, the following steps must be completed by both LabKey and the client:
- The client tells LabKey which domain they want to send email from.
- LabKey's DevOps team then configures PostMark to accept mail with that domain in the from address. At this point, PostMark gives LabKey a DKIM record.
- LabKey passes the DKIM records to the client for the client to add to their DNS provider.
- The client tells LabKey when they've done this and the LabKey DevOps team confirms that the DKIM record is properly configured.
- LabKey sends a test message from that domain to ensure the mail is being accepted and sent.
- LabKey informs the client that they can then send from their domain.
This entire process can be done in less than a day, provided the client is able to add the DKIM record with quick turnaround.
DKIM RecordsWhat are the ramifications of adding a DKIM record for the client?
Because DKIM records are TXT records specific to PostMark, these records have no impact on the client apart from authorizing their LabKey Cloud Server to send email with their domain name. DKIM records do not impact existing mail configurations that the client is already using. They do not supplant MX records or add to them. For all intents and purposes, this record is invisible to the client -- it is only used by PostMark when mail is sent from a LabKey server with the client's domain in the from field.
Is there any way around needing the client to add a DKIM record?
- If the client wants to send mail from their domain from a LabKey Cloud Server, they must add the DKIM record.
- If they do not add this record, clients can configure their LabKey Cloud Server to send email from a LabKey domain (e.g. firstname.lastname@example.org). LabKey has already created DKIM records for its email domains.