ChurchInsight  is now

Support for Hubb users

How can we help you today?

Support > Other Technical Issues > Email Authentication (DKIM)

Email Authentication (DKIM)

Increase the chances of successful mail delivery with DKIM signing

We've all received those spam emails that appear to come from a friend or a well known business. The problem is that it's all too easy to forge the 'From' header to make it appear that an email is coming from someone else. A standard called DKIM aims to prevent people from sending mails that look like they came from you by using digital signatures.

We're not going to lie to you, this is not for the faint hearted; it's a technical subject and it can be hard to set up correctly. But we're here to help - especially if we manage your DNS records, so please get in touch if you need it.

DKIM (Domain Keys Identified Mail) is an important tool to protect the integrity of your domain name. It's a way of proving that an email comes from you, and is used in conjunction with DNS records which tell recipient email providers to check for it. When it's all set up, emails which purport to come from you, and which are not signed, should be rejected or sent to spam folders by recipients.

We've put detailed instructions on the new settings page, which you can find at Settings > General > Email Authentication (DKIM) but these are the broad steps you will need to take for each domain that you send email from:
  • Generate DKIM keys on the settings page (but don't enable them yet). This will give you all the information you need to create a DNS record to publish your DKIM public key.
  • Create a DMARC DNS record. According to how you set this up, it tells recipient mail servers whether to rejectquarantine, or just report any mails that fail to pass the DKIM and/or SPF record checks. We recommend setting this record just to report to begin with, until you are sure everything is working correctly. This is particularly important if you are also sending mails from other services like Google Workspace.
  • Enable your DKIM keys in the Web Office. From this point on, all mail sent from the Web Office will be DKIM-signed.
If you are sending emails from elsewhere then you should set up a DKIM record for sending from your provider. There are instructions for if you  send from Google here, and from Office 365 here. You may need to ask your email provider if they have specific records you should add. If you are sending emails via another method, (eg Mailchimp), you will also need to generate a DKIM record for these services.

A useful tool to help analyse your DMARC reports can be found here, or another option is here. If you upload your reports this will make them easier to read and will show whether the emails have passed both SPF and DKIM.
In conjunction with the DKIM features, we've added some new icons to help identify potential problems with mail sending. These will appear next to the 'From' address for any mails that you send.
  • Mail icon errorThe domain of the 'From' address for the email doesn't match any of your hostnames. This occurs, for example, when trying to send from your personal email address - for example . This is almost certain to end up in spam folders, or even rejected.
  • Mail icon warningThe domain is one of your hostnames, but does not have DKIM set up. This should work fine, but setting up DKIM will help to prevent others spoofing your domain (sending emails that appear to come from you).
  • Mail icon okDKIM is set up for the 'From' domain. This gives the best possible chance for emails to be successfully delivered.