Frequently Asked Question
DKIM (DomainKeys Identified Mail) is a standard email authentication method that adds a digital signature to outgoing messages. Receiving mail servers that get messages signed with DKIM can verify messages actually came from the sender, and not someone impersonating the sender.
To deploy DKIM we need a certificate that will be used as the pair of private and public key that will be used for signing. The private key will remain on the server and will be used for signing while the public key will be published in the DNS and will can be used by the receiving mail servers for verifying the signature.
We will use a self signed certificate for this purpose. To create a self-signed certificate go to Configuration :: System :: Certificates Management and click on "Create Self-Signed Certificate..."
Choose any name for the certificate and a password to be used for encrypting the private key.
Key Size: It is recommended to use a key size of 1024 for the purpose of DKIM signing. Avoid using 2048, since some mail servers may not support it and may fail verifying the signature.
Validity: Choose the validity period of the certificate. Recommended value is a year (365 days). Note that the validity of the certificate used in DKIM is not checked by the signing server or the receiving servers and DKIM will work even when the certificate has expired. However, for security reasons, it is advised to periodically renew all certificates, so the validity will be checked by the system and used for reminding the administrator to renew this certificate too.
Click on "Create Self-Signed Certificate".
Once the certificate is created, go to "Configuration :: E-Mail Server :: DKIM Signing" and click on the "Domains" tab.
Next click on the "New Domain" button:
Certificate: Select the certificate that we created above. You will be prompted for the password that was used to encrypt the private key.
Domain: This is the domain name of the senders for which we want the messages signed.
Selector: The DKIM selector (also called a prefix selector) is part of the DKIM record and specifies the DNS location of the public key. The DKIM selector allows the publishing of multiple DKIM keys on domains. The signing server will add it as "s=" tag in the DKIM-Signature header and the receiving servers will use the prefix selector to find the public key. Choose a string to be used as the selector. The selector can only contain letters, numbers and hyphens. Some commonly used selector names are "default" and "mail".
Finally click on the "Save" button and the record will be added:
We can see the record that has been added and a list of action on the right side:
Click on the second icon to get the DNS record that needs to be added to the domain. This will display the TXT record that should be added to the domain:
The record contains the public key and must be published in the DNS server for the domain. Contact your DNS hosting provider and send them the record above so that they add it to the domain.
To test that the DNS record has been updated with the proper value, use the magnifying glass icon:
Once the DNS record has been added and the report indicates that all is ok, we can activate the DKIM signing process:
Note: Only emails submitted to the server using the submission port (TCP port 587) will be signed.
Certificate Renewal:
In case we want to renew the certificate, we should first disable the signing process so that the signature doesn't become invalid.
Next we issue a new self-signed certificate and use the newly created certificate in the same way as above.
After the new generated DNS record has been published in DNS, we can reenable the signing process.