Starting with version 5.1, you can now generate DKIM keys and sign outbound emails with the SecureMail Gateway.
DomainKeys Identified Mail (DKIM) lets the SMG digitally sign selected headers and the body of outgoing emails. Receiving MTAs verify the signature with your public key, which you publish as a TXT record in your domain's public DNS. A valid DKIM signature gives your emails more credibility by assuring the receiving MTA that the message was signed by a system holding your domain's private key (that is, a server under your organization's control, not a spammer's) AND that the signed message headers and the body were NOT altered in transit.
Once you have also published a valid SPF record for your domain, you can enable DMARC for the domain. DMARC tells receiving mail servers how to handle messages that fail both SPF and DKIM (aligned with the From domain), and where to send reports of these passes and failures.
Creating DKIM Records
In this section you can generate new DKIM signing keys to sign your outbound mail. By default a newly generated key is NOT used until you set it to 'Active'. This lets you generate the key and publish the public key record in DNS before you start signing. If you start signing before the record is published, receiving servers cannot find the key, the signature fails verification, and the mail may be rejected as spam or quarantined. Best practice is to use strong keys (preferably 2048 bits or higher) and to rotate/replace the signing key every 3 months. The SMG will not allow you to generate a key shorter than 1024 bits. The general steps to start using DKIM signing are:
- Navigate to the SMG's web administration and log in.
- In the top menu, go to "Network Configuration" -> "Mail Options" and scroll down to the "DKIM Settings" section.
- Generate a new key with a unique selector that indicates when it was created (e.g. "2018JUN-SMG"), the domain the key will sign for, and the key length.
- Copy/paste the public key into a TXT record in your domain's public DNS. The record in the textbox is automatically 'split' into several quoted strings because a single TXT character-string is limited to 255 bytes and a 2048-bit key is longer than that; DNS concatenates the strings when the record is read. If your provider's interface accepts the whole record in one field, remove the quotes and the spaces between the quoted strings and paste the pieces as one string.
- Confirm the TXT record is live by querying DNS for selector._domainkey.domainname.com, where "selector" is the selector you entered and "domainname.com" is the domain (for example, "dig TXT 2018JUN-SMG._domainkey.domainname.com"). You can also validate the record with online tools such as MX Toolbox.
- Once the record resolves, click 'Activate' next to the key to start signing outbound mail for that domain with it. Also make sure DKIM itself is switched on with "Enable DKIM" at the top of the section.
- Send a test message from the domain and confirm that the DKIM-Signature header is present and that the receiving side reports a pass (e.g. dkim=pass in its Authentication-Results header).
Note: Make sure to click the "Enable DKIM" button at the top to turn on DKIM functionality. Even if keys are activated, no signing will occur unless DKIM is enabled.
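The following is an added, stand-alone Python example (not SMG code and not taken from the original page) that shows what the DNS steps above produce and how to check the result as a receiver would see it: it builds a DKIM TXT value from an RSA public key, splits it into the quoted 255-byte strings that DNS requires, reassembles it the way you would for a single-field provider, parses the v=/k=/p= tags, and reports the key size against the 1024-bit minimum and the 2048-bit recommendation. The RSA key is a constructed placeholder modulus, not a real key; the stdlib-only DER helpers exist just so the example runs without extra packages.

```python
import base64
import binascii

# Stdlib-only DER helpers so this runs without the 'cryptography' package.
RSA_ALG_ID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # OID rsaEncryption + NULL

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive

def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA public key (what p= carries, base64 encoded)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_key))

def rsa_modulus_bits(spki_der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo; ValueError if it is not RSA."""
    tag, body, _ = _read_tlv(spki_der)
    _, alg, pos = _read_tlv(body)
    if tag != 0x30 or alg != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _read_tlv(body, pos)        # BIT STRING; first byte = unused-bits count
    _, rsa_key, _ = _read_tlv(bitstr[1:])      # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _read_tlv(rsa_key)         # INTEGER modulus comes first
    return int.from_bytes(n_bytes, "big").bit_length()

def dkim_txt_value(spki_der):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()

def split_txt(value, chunk=255):
    """Quote and split into <=255-byte strings, as the SMG textbox does for DNS."""
    return ['"%s"' % value[i:i + chunk] for i in range(0, len(value), chunk)]

def join_txt(pieces):
    """Undo split_txt: strip the surrounding quotes and concatenate the strings."""
    out = []
    for p in pieces:
        p = p.strip()
        out.append(p[1:-1] if len(p) >= 2 and p[0] == p[-1] == '"' else p)
    return "".join(out)

def parse_dkim_record(value):
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # whitespace inside tag values is ignored (RFC 6376)
    return tags

def check_dkim_record(value, min_bits=1024, recommended_bits=2048):
    """Sanity-check a record as a receiver would see it; returns {'tags','bits','problems'}."""
    tags = parse_dkim_record(value)
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s is not rsa; this check only understands RSA keys" % tags["k"])
    elif not tags.get("p"):
        problems.append("p= is empty or missing (an empty p= means the key was revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (binascii.Error, ValueError, IndexError) as exc:
            problems.append("p= is not a base64 RSA public key: %s" % exc)
        else:
            if bits < min_bits:
                problems.append("%d-bit key is below the %d-bit minimum" % (bits, min_bits))
            elif bits < recommended_bits:
                problems.append("%d-bit key; %d bits or more is recommended" % (bits, recommended_bits))
    return {"tags": tags, "bits": bits, "problems": problems}

if __name__ == "__main__":
    # Constructed demo modulus (a 2048-bit odd number), NOT a real key.
    value = dkim_txt_value(build_rsa_spki((1 << 2047) | 1))
    for piece in split_txt(value):
        print(piece)
    print(check_dkim_record(join_txt(split_txt(value))))
```

A 2048-bit key produces a 410-character value that splits into two quoted strings, which is why the textbox shows more than one. To check a record you have actually published, paste the strings returned by your DNS query into join_txt() and pass the result to check_dkim_record(); a bits value below 1024 or a non-empty problems list means the record should not be activated yet.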
Key Rotation
When you wish to 'rotate' a domain's key, repeat the steps above for generating a new key (with a new selector), publishing it to DNS and confirming it resolves. You will then have both the current and the new key in DNS, under different selectors. Next, disable the old key by clicking "Disable" next to it and enable the new one by clicking "Enable" next to it. Keep the old record in DNS for a few days so that messages signed with the previous key that are still queued or in transit can be verified by recipients; remove it only after that.
Please note that you should only DKIM sign with the SMG if the message will not be modified further before delivery. For example, if outbound mail is routed through another gateway that appends a disclaimer footer or company signature, or rewrites signed headers, the body hash and signature in the DKIM-Signature header no longer match the message the recipient receives, the DKIM check fails, and mail delivery will suffer. The SMG should be the last system that touches the message before it leaves your organization.
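To make the failure mode above concrete, here is an added Python example (not SMG code and not from the original page) that recomputes the bh= body hash a receiver checks, using the 'relaxed' body canonicalization from RFC 6376. It shows that changes the canonicalization is designed to tolerate (line endings rewritten, trailing blank lines added) leave the hash intact, while a downstream gateway appending a footer changes it and so breaks the signature. The message body and footer are constructed sample data; the example covers only the body hash, but a header rewrite breaks the signature in the same way.

```python
import base64
import hashlib
import re

def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs to one
    space, drop trailing whitespace on each line, drop trailing empty lines, CRLF endings."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value a signer puts in DKIM-Signature (c=*/relaxed, a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def verify_body_hash(body: str, bh: str) -> bool:
    """What the receiving MTA does: recompute bh= over the body it actually received."""
    return body_hash(body) == bh

# Constructed sample data, not taken from the page.
SIGNED_BODY = "Hello,\r\n\r\nPlease find the quote attached.\r\n"
FOOTER = "\r\n-- \r\nExample Corp | This message is confidential.\r\n"  # added by a downstream gateway

def demo():
    bh = body_hash(SIGNED_BODY)                   # the bh= the SMG would place in DKIM-Signature
    return {
        "unchanged": verify_body_hash(SIGNED_BODY, bh),
        "line endings rewritten": verify_body_hash(SIGNED_BODY.replace("\r\n", "\n"), bh),
        "trailing blank lines added": verify_body_hash(SIGNED_BODY + "   \r\n\r\n", bh),
        "footer appended": verify_body_hash(SIGNED_BODY + FOOTER, bh),
    }

if __name__ == "__main__":
    for change, ok in demo().items():
        print("%-28s bh= %s" % (change, "matches" if ok else "MISMATCH -> DKIM fails"))
```

Only the last case fails, which is exactly the situation the note describes: canonicalization absorbs transport-level noise, not content added after signing, so signing has to happen after any footer or signature is appended.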