DKIM Settings

DKIM Signatures

Starting with version 5.1, you can generate DKIM keys and sign outbound emails with the SecureMail Gateway (SMG).


DomainKeys Identified Mail (DKIM) allows you to digitally sign the headers and body of outgoing emails. Receiving MTAs can then verify the signature with your public key, posted to your public DNS. DKIM signatures give your emails more credibility by assuring the receiving MTA that the email was sent by a server under your organization's control (and not a spammer), AND that the important message headers and email body were NOT altered in transit.
Once you have also established a valid SPF record for your domain, you can enable DMARC for it. DMARC instructs mail processing agents how to handle emails that do NOT pass SPF and DKIM validation, and where to send reports of these successes/failures.

Creating DKIM Records

In this section you can generate new DKIM signing keys to sign your outbound mail. By default these keys are NOT used until you set them to 'Active'. This allows you to generate the key and publish the public key record to DNS before you start signing emails. Otherwise, the signed emails will fail DKIM verification and may be rejected as spam or quarantined by receiving mail servers. Best practice is to utilize strong keys (preferably 2048 bit or higher) and rotate/replace your signing key every 3 months. The SMG will not allow you to generate a key less than 1024 bits. Here are the general steps to follow to start using DKIM signing:
  1. Navigate to the SMG's web administration and log in.
  2. In the top menu, go to "Network Configuration" -> "Mail Options" and scroll down to the "DKIM Settings" section.
  3. Generate a new key with a unique selector that indicates the date created (e.g. "2018JUN-SMG"), and enter the applicable domain and the key length.
  4. Copy/Paste the public key into a new TXT record(s) in your domain's public DNS records. The record in the textbox is automatically 'split' across multiple TXT records surrounded by quotes. If your provider allows you to enter the entire record into one record, simply remove the quotes and spaces and combine the strings into one record.
  5. Ensure that the correct TXT record is present by querying DNS for the key (you will query for where "selector" is the selector you entered earlier, and "" is the domain). You can validate your record with online tools like MX Toolbox.
  6. Once present, you may click the 'Activate' button next to the key to start signing outbound mail for the domain with this key. Ensure you have also turned on DKIM by clicking "Enable DKIM" at the top.
  7. Test outbound mail from the domain and ensure that the DKIM signature is present in the email header and matches.
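
A pre-activation check for steps 4 and 5, as an added example that is not part of the SMG or the original article: it reassembles a split TXT answer, confirms that its `p=` value matches the key the SMG generated, and reads the RSA modulus size from the key itself. The record layout (`v=DKIM1; k=rsa; p=...`) and all function names are assumptions; `sample_record` builds a constructed placeholder key so the code runs offline.

```python
import base64, re

def parse_record(text):
    """Join quoted TXT chunks, then parse the DKIM tag=value list (RFC 6376)."""
    joined = "".join(re.findall(r'"([^"]*)"', text)) or text
    pairs = (part.split("=", 1) for part in joined.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}  # whitespace in p= is ignored

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_value):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_value, validate=True)
    start, _ = _tlv(der, 0)          # outer SEQUENCE
    _, end = _tlv(der, start)        # AlgorithmIdentifier, skipped
    start, _ = _tlv(der, end)        # BIT STRING
    start, _ = _tlv(der, start + 1)  # RSAPublicKey SEQUENCE, after the unused-bits byte
    start, end = _tlv(der, start)    # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def check_published(generated, published, min_bits=2048):
    """Return a list of problems; an empty list means the record is ready."""
    gen, pub = parse_record(generated), parse_record(published)
    if pub.get("v", "DKIM1") != "DKIM1" or not pub.get("p"):
        return ["not a DKIM key record"]
    if pub["p"] != gen.get("p"):
        return ["published p= differs from the generated key"]
    bits = rsa_bits(pub["p"])
    return [] if bits >= min_bits else ["%d-bit key, below %d" % (bits, min_bits)]

def _der(tag, body):
    """Encode one DER element (only used to build the constructed sample)."""
    size = len(body).to_bytes(2, "big").lstrip(b"\x00")
    head = size if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record with a placeholder modulus; NOT a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass the text from the SMG's textbox as `generated` and the TXT answer for `<selector>._domainkey.<domain>` (the key location defined by RFC 6376) as `published`; an empty list means the key can be activated.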

DKIM settings

Note: Make sure to click the "Enable DKIM" button at the top to turn on DKIM functionality. Even if keys are enabled, no signing will occur unless DKIM is enabled.

Key Rotation

When you wish to 'rotate' the domain's key, follow steps 3-5 to generate a new key and post it to DNS. You will then have both your current and new key in DNS, under different selectors.
Now, disable the old key by clicking "Disable" next to it, and enable the new one by clicking "Enable" next to it. Keep the old record in DNS for a few days in case recipients need to validate an email signed with the previous key.

Please note that you should only DKIM sign with the SMG if the email will not be modified further before delivery. For example, if outbound mail is routed to another gateway that appends a footer or company signature on the emails, this will invalidate the DKIM signature and will affect mail delivery.
