DKIM on outbound messages

DKIM DomainKeys Identified Mail signing on outbound messages authenticates your organization's domains against spoofed messages, providing your business contacts with assurances.

By default, the DKIM-Signature header is removed from all outbound email traffic so that the Gateway can fully analyze and modify the message, according to your content security policy.

You can configure the Gateway to:

• Remove the original DKIM signature and send the message unsigned (default)

• Remove the original DKIM signature and then sign with a new DKIM signature on a per-hosted domain basis

• Preserve the original DKIM signature globally

Sign outbound messages with a new DKIM signature

To configure DKIM signing on outbound messages, you need to:

• Step 1: On the SpamLogic Settings page, enable DKIM signing on outbound messages

• Step 2: On the Mail Domains and Routing page, configure DKIM signing for each domain by providing public/private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. pairs and DNS records

  The Gateway signs all messages sent from within a single domain using the same key. However, configuring a parent domain does not automatically configure sub domains. You must configure sub domains separately.

• Step 3: On the Mail Domains and Routing page, add DNS records to your organization's DNS

Enable DKIM signing

You can configure this from Policy > Manage Policy Definition > SpamLogic Settings.

See Spam Policy (DKIM signing on outbound messages) for more information.

Configure public/private key pairs and DNS records

1. Navigate to System > SMTP Settings > Mail Domains and Routing. The Mail Domains and Routing page is displayed.

2. Select the Hosted Domains tab.

3. Select the domain(s) you want to configure for DKIM and click Edit. The Edit Hosted Domain dialog is displayed.

   You can select and configure multiple domains at the same time.

4. Select the Outbound DKIM tab and complete the dialog.

   • Select the Enable DKIM Signing for the selected domain(s) check box.

   • Enter a value for Selector. By default, the value for the selector is everyone.

     Using a selector enables you to have multiple public keys per sending domain. For example, a selector enables you to have different public keys for subsets of an organization’s domain name such as department or mail server.

     The selector must contain a minimum of 1 and a maximum of 63 alphanumeric lower case characters, optionally followed by a dot and another 1-63 alphanumeric lower case characters. For example, department2.engineering1

   • Use the option buttons to select whether you want to sign messages using a new or an existing private key.

     You can add a new public/private key by either importing a file containing the key or by cutting and pasting the key value in the box.

     Create public and private keys for DKIM signing

     Although DKIM requires a private and public key The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt email messages to the sender. pair, you only need to create a private key as the Gateway elicits the public key from the private key.

     The easiest way to create a private key is to use OpenSSL. Enter the following from the command line to create an RSA key of 1024 bits:

     openssl genrsa -traditional -out <private.key> 1024

     where <private.key> is the name of the key you want to create.

     We recommend that RSA keys are created with a key length of at least 1024 bits. However, when importing keys of 2048 bits and above into a DNS server, it is advised that you check the format of the key to ensure it complies with the requirements of the DNS server.

     If required, enter and confirm the password for the new public/private key.

     Use an alias to create a name that can be easily identified when you want to assign the same key pair to multiple domains. This alias has no impact on the DKIM signing or verification processes.

   Click Save.

5. Click Export DKIM DNS Record and save the file to an appropriate location.

   The Gateway uses the value in the Selector field to define the name of the DKIM DNS Record file. For example, everyone._domainkey.clearswift.com.

   You must add the created records to your organization's DNS.

6. Apply the configuration.

Preserve original DKIM signature on outbound messages

You can configure this from System > Gateway Settings > Policy Engine Settings.

See Advanced and OCR (Preserve DKIM signature on outbound messages) for more information.

If you change any configuration or policy settings, you must Apply Configuration for the new settings to take effect. You can do this either from the Changes Made panel, or System > Configuration > Apply Configuration. See Apply new configuration for more information. If you use Peer Gateways (i.e. when multiple Gateways are peered), any configuration changes from a local Gateway can then be applied to all the peers at the same time. See Configure Peer Gateways for more information.