DKIM and SPF support for relay?

Since Apple is sending email on our domain's behalf, my understanding is that I need to trust Apple's servers via my SPF record, do I not? I did not see any instructions as to which domains or IPs to add to my SPF record.


Furthermore, our DMARC settings are pretty strict, and require that our mail is approved via SPF/DKIM (or it gets deleted/quarantined), but I didn't see any mention of DKIM keys, so I didn't know if Apple was planning on signing the mail they forward on our behalf. If Apple is planning on signing the email, where do I find the public DKIM keys that I need to add to my DNS settings? If they are not signing our mail, isn't this going to cause the mail providers to distrust the mail that Apple is sending on our behalf?


Many thanks for any help or documentation someone can send my way.

Accepted Reply

On Jul 18, 2019, Taytay wrote:


> Furthermore, our DMARC settings are pretty strict, and require that our mail is approved via SPF/DKIM (or it gets deleted/quarantined), but I didn't see any mention of DKIM keys, so I didn't know if Apple was planning on signing the mail they forward on our behalf. If Apple is planning on signing the email, where do I find the public DKIM keys that I need to add to my DNS settings? If they are not signing our mail, isn't this going to cause the mail providers to distrust the mail that Apple is sending on our behalf?


In order to send email messages through the relay service to the users’ personal inboxes, you will need to register your outbound email domains. All registered domains must create Sender Policy Framework (SPF) DNS TXT records in order to transit Apple’s private mail relay.


If you’re enrolled as an individual, you can register up to 32 email sources. If you’re enrolled as an organization, you can register up to 100 email sources. You do not need to upload a file on your server to complete the registration process for domains and subdomains.


Authenticating Your Domains


All outbound emails sent through the Private Email Relay service must be authenticated with the Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) protocol. This is to prevent spam and ensure that messages sent to your users only come from your registered source email addresses and email domains. We recommend authenticating outbound emails using both SPF and DKIM if possible.


  • Using SPF Authentication: The domain in the envelope sender (also known as the MAIL FROM, bounce, or Return-Path address) must be registered in the Domains section of Certificates, Identifiers & Profiles. This domain must pass SPF validation, and the registered domain and envelope sender domain must match exactly to pass the private relay service SPF check.
  • Using DKIM Authentication: If you use an email service provider that uses their domain in the envelope sender of your outbound emails, you must sign your emails with DKIM to meet the private relay’s email authentication requirements. The DKIM domain (the d= value in your DKIM signature) will be matched against the domain used in your email’s From: address (aka the header From: address) that is registered in the Domains section of Certificates, Identifiers & Profiles. To pass the private relay’s DKIM check, the DKIM signature must pass verification, the DKIM signature must include the From: address, and the DKIM domain and the domain in the From: address must match exactly.
  • Registering Valid Source Domains and/or Emails: After the private relay authenticates inbound emails with either SPF or DKIM, it will also match the source email or domain against your registered email domains or email addresses. You must register and validate every source email domain or subdomain you intend to use. If you do not own a domain configured for email, you can register individual source email addresses. For example, if you want to send emails from “john@example.com” and “john@sales.example.com” you must choose to register source email domains as “example.com” and “sales.example.com”, or you may choose to register individual source email addresses as “john@example.com” and “john@sales.example.com”. If you want to send email from any other source (for example, “john@help.example.com”) you must also register “help.example.com” or “john@help.example.com” as a separate source. If you do not register all the source domains or emails that you use, email sent to the private relay service will result in a bounce message.
  • Configuring Your Email Service Provider (ESP) Account: If you send outbound emails with email service providers such as Amazon SES, Mailchimp, or SendGrid, the SPF record you publish for your email sending domain should look similar to the examples below. The “include” mechanism in the SPF record authorizes your email service provider’s mail servers to send on behalf of your domain.


Please see Developer Account Help: Sign in with Apple - Configure Private Email Relay Service for more information.
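The accepted reply describes two authentication paths (SPF on the envelope sender domain, or DKIM with d= exactly matching the header From: domain) followed by a source-registration match, with unregistered sources bounced. The following Python model walks a few constructed messages through those rules so you can see which configuration accepts and which bounces. It is an added example, not Apple's relay code: the `RelayRegistration`, `OutboundMessage` and `relay_decision` names, the sample domains, and the choice to run the source match on the header From: address are assumptions made for illustration, and the SPF/DKIM verification results are supplied as inputs rather than computed.

```python
"""Model of the relay's authentication and source-matching rules (added
example, not Apple's code).  All names and sample data are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RelayRegistration:
    """Sources registered in the Domains section (assumed structure)."""
    domains: Set[str] = field(default_factory=set)    # e.g. "example.com"
    addresses: Set[str] = field(default_factory=set)  # e.g. "john@example.com"


@dataclass
class OutboundMessage:
    """Authentication-relevant parts of one message reaching the relay."""
    mail_from: str                 # envelope sender (MAIL FROM / Return-Path)
    header_from: str               # RFC 5322 From: address
    spf_pass: bool                 # SPF result for the MAIL FROM domain (input)
    dkim_domain: Optional[str]     # d= of a signature that verified, or None
    dkim_covers_from: bool = True  # the signature's h= list includes From:


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def spf_authenticated(reg: RelayRegistration, msg: OutboundMessage) -> bool:
    """SPF path: MAIL FROM domain passes SPF and exactly equals a registered domain."""
    registered = {d.lower() for d in reg.domains}
    return msg.spf_pass and domain_of(msg.mail_from) in registered


def dkim_authenticated(msg: OutboundMessage) -> bool:
    """DKIM path: verified signature that covers From:, with d= equal to the From: domain."""
    if msg.dkim_domain is None or not msg.dkim_covers_from:
        return False
    return msg.dkim_domain.lower() == domain_of(msg.header_from)


def source_registered(reg: RelayRegistration, address: str) -> bool:
    """Exact match against a registered domain or an individual address.
    Subdomains are separate sources: sales.example.com gets nothing from
    a registration of example.com."""
    return (domain_of(address) in {d.lower() for d in reg.domains}
            or address.lower() in {a.lower() for a in reg.addresses})


def relay_decision(reg: RelayRegistration, msg: OutboundMessage) -> Tuple[str, str]:
    """Return ("accept" | "bounce", reason) for one message."""
    if spf_authenticated(reg, msg):
        method = "spf"
    elif dkim_authenticated(msg):
        method = "dkim"
    else:
        return ("bounce", "not authenticated by SPF or DKIM")
    # Assumption: the post-authentication source match is run on the header From:.
    if not source_registered(reg, msg.header_from):
        return ("bounce", f"source {msg.header_from} not registered")
    return ("accept", f"authenticated via {method}")


# Constructed registration: two domains plus one individual address.
REG = RelayRegistration(
    domains={"example.com", "sales.example.com"},
    addresses={"john@help.example.com"},
)

# Constructed messages covering the cases the reply describes.
SAMPLES: Dict[str, OutboundMessage] = {
    # Own MTA: envelope domain is registered and passes SPF.
    "direct_spf": OutboundMessage("john@example.com", "john@example.com", True, None),
    # ESP uses its own bounce domain, so SPF cannot match; DKIM d= matches From:.
    "esp_dkim": OutboundMessage("bounce@esp.example.net", "john@example.com", True, "example.com"),
    # Same ESP setup without a DKIM signature.
    "esp_no_dkim": OutboundMessage("bounce@esp.example.net", "john@example.com", True, None),
    # DKIM d= is the parent domain, From: is a subdomain: no exact match.
    "dkim_domain_mismatch": OutboundMessage("bounce@esp.example.net", "john@sales.example.com", True, "example.com"),
    # SPF passes for example.com, but the From: subdomain was never registered.
    "unregistered_subdomain": OutboundMessage("john@example.com", "john@support.example.com", True, None),
    # Individual address registered instead of its domain, authenticated via DKIM.
    "individual_address": OutboundMessage("bounce@esp.example.net", "john@help.example.com", True, "help.example.com"),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed message against the constructed registration."""
    return {name: relay_decision(REG, msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:24s} {verdict:6s} {reason}")
```

The `esp_no_dkim` and `dkim_domain_mismatch` cases are the ones the original question is really about: once an ESP puts its own domain in the envelope sender, SPF on your domain no longer helps at the relay, and only a DKIM signature whose d= exactly equals the From: domain gets the message through.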
