This topic describes how you configure DKIM
DomainKeys Identified Mail to provide trust against spoof email from your organization's domains.
To configure DKIM signing for outbound messages, you need to:
- Enable DKIM signing from the SpamLogic Settings page.
-
Configure DKIM signing for each domain by providing public and private key pairs and DNS records from the Mail Domains and Routing page.
The
- Add DNS records to your organization's DNS.
To enable DKIM signing
- From the Policy Center Home page, click SpamLogic Settings and select the Spam Policy tab.
- In the DKIM signing on outbound messages panel, select the Enable DKIM signing on outbound messages check box. If you want to apply DKIM signing to messages such as out-of-office replies, which have empty message sender fields, enable If the message sender is empty, sign using the key for the domain of the From address. Click Save.
-
If you want to configure public and private key pairs and DNS records, click Mail Domains and Routing.
The Mail Domains and Routing page is displayed.
To configure public and private key pairs and DNS records
-
From the System Center Home page, go to SMTP Settings and click Mail Domains and Routing.
The Mail Domains and Routing page is displayed.
-
In the Hosted Domains tab, select the domain(s) you want to configure for DKIM and click the Configure DKIM Signing option.
The Configure DKIM Signing dialog is displayed.
You can configure multiple domains at the same time by selecting all check boxes.
-
To complete the Configure DKIM Signing dialog:
- Select the Enable DKIM Signing for the selected domain(s) check box.
-
Enter a value for Selector. By default, the value for the selector is everyone.
Using a selector enables you to have multiple public keys per sending domain. For example, a selector enables you to have different public keys for subsets of an organization’s domain name such as department or mail server.
The selector must contain a minimum of 1 and a maximum of 63 alphanumeric lower case characters, optionally followed by a dot and another 1-63 alphanumeric lower case characters. For example, department2.engineering1
-
Use the option buttons to select whether you want to sign messages using a new or an existing private key.
You can add a new public/private key by either importing a file containing the key or by cutting and pasting the key value in the box.Need help with creating keys?
Although DKIM requires a private and public key pair, you only need to create a private key as the
Clearswift recommends creating RSA keys with a key length of at least 1024 bits. However, when importing keys of 2048 bits and above into a DNS server, Clearswift advises that you check the format of the key to ensure it complies with the requirements of the DNS server.
The easiest way to create keys for DKIM purposes is to open Server Console and select Open Terminal Session. Log on using your cs-admin credentials and enter the following text which generates an RSA key of 1024 bits.:
openssl genrsa -out <private.key> 1024where
<private.key>is the name of the key you want to create.Enter and confirm the password for the new public/private key if required.
Use an alias to create a name that can be easily identified when you want to assign the same key pair to multiple domains. This alias has no impact on the DKIM signing or verification processes.
Click Save.
-
Click Export DKIM DNS Record and save the file to an appropriate location.
The
You must add the created records to your organization's DNS.