Depending on your chosen setup, you may need to set two different DNS records. We describe each of them further in this guide.
fes.yourdomain.tld
There are two scenarios for this DNS record:
- If you’re relying on the shared tenant FES, then you don’t need to set this DNS.
- If you’re running your own External Service or Enterprise Server, then it should be made accessible at fes.[domain] with a DNS record.
openpgpkey.yourdomain.tld
You can either rely on Attester (no need to set DNS), or you can run your WKD on the openpgpkey subdomain or directly on your domain.
Answers to these questions will help you to make a decision:
- Are you planning to run your own Enterprise Server/Email Key Manager?
- Do you expect external users who aren’t using FlowCrypt to be able to communicate with your users and automatically fetch their public keys?
- Do you want to host your public keys yourself?
If the answer to at least one question is YES, you should run your own WKD. You’ll achieve smooth integration and key lifecycle management when you run your own WKD, using either the advanced or the direct method, depending on what’s more convenient to set up in your environment.
If all answers are NO, you may use Attester on your domain, as is the default for non-enterprise users. In this case, we recommend setting the ENFORCE_ATTESTER_SUBMIT client configuration.
If you’re relying on Attester, then you don’t need to set this DNS.
If you’re running your own Enterprise Server or WKD, you have two options to expose it publicly (or only within your own network if you don’t plan any external communication): at openpgpkey.[domain] or at [domain]/.well-known/openpgpkey/.
- A subdomain at openpgpkey.[domain] (WKD advanced method). Set the DNS to point to the WKD server. As an example, to look up a public key for user@domain.com, OpenPGP clients will poll https://openpgpkey.yourdomain.tld/.well-known/openpgpkey/domain.com/hu/nmxk159crbcuk3imqiw13gkjmfwd8mqj?l=user, which returns either an HTTP 404 error (no public key) or the OpenPGP public key if one is found.
- On the main domain at [domain]/.well-known/openpgpkey/ (WKD direct method). Update the reverse proxy on your main domain so that the [domain]/.well-known/openpgpkey/ subfolder is served content from [wkd service]/.well-known/openpgpkey/. As an example, for user@domain.com, OpenPGP clients will poll https://domain.com/.well-known/openpgpkey/hu/nmxk159crbcuk3imqiw13gkjmfwd8mqj?l=user.
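The lookup URLs above are derived by the client from the e-mail address alone: the local part is lower-cased, hashed with SHA-1 and z-base-32 encoded to form the hu/ path component. The following is an added example (not part of this guide or of FlowCrypt's code) that reproduces that derivation so you can check what a client will request against your own WKD server; it follows the WKD draft, so the advanced URL uses openpgpkey.<mail domain> rather than a separate openpgpkey.yourdomain.tld host, and the policy URLs are the draft's well-known policy files.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding; a 20-byte SHA-1 digest gives 32 characters."""
    nchars = -(-len(data) * 8 // 5)  # ceil(bits / 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)  # zero-pad low bits
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1 and z-base-32 encodes the digest."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the advanced and direct lookup URLs (and policy URLs) a client derives from an address.

    The domain is lower-cased; the ?l= query carries the original local part so a server
    with case-sensitive mailboxes can disambiguate.
    """
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
        # Clients fetch the advanced policy file first; only if that fails do they fall back to direct.
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("user@domain.com").items():
        print(f"{name:16} {url}")
```

Running it for user@domain.com yields the hu/ value nmxk159crbcuk3imqiw13gkjmfwd8mqj quoted in both bullets, so the same function is handy for verifying that your reverse proxy or WKD server answers the exact path a client will use.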