DKIM on outbound messages

DKIM DomainKeys Identified Mail signing on outbound messages authenticates your organization's domains against spoofed messages, providing your business contacts with assurances.

By default, the DKIM-Signature header is removed from all outbound email traffic so that the Gateway can fully analyze and modify the message, according to your content security policy.

You can configure the Gateway to:

• Remove the original DKIM signature and send the message unsigned (default)

• Remove the original DKIM signature and then sign with a new DKIM signature on a per-hosted domain basis

• Preserve the original DKIM signature globally

Sign outbound messages with a new DKIM signature

To configure DKIM signing on outbound messages, you need to:

• Step 1: On the SpamLogic Settings page, enable DKIM signing on outbound messages

• Step 2: On the Mail Domains and Routing page, configure DKIM signing for each domain by providing public/private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. pairs and DNS records

  The Gateway signs all messages sent from within a single domain using the same key. However, configuring a parent domain does not automatically configure sub domains. You must configure sub domains separately.

• Step 3: On the Mail Domains and Routing page, add DNS records to your organization's DNS

Enable DKIM signing

You can configure this from Policy > Manage Policy Definition > SpamLogic Settings.

See Spam Policy (DKIM signing on outbound messages) for more information.

Configure public/private key pairs and DNS records

1. Navigate to System > SMTP Settings > Mail Domains and Routing. The Mail Domains and Routing page is displayed.

2. Select the Hosted Domains tab.

3. Select the domain(s) you want to configure for DKIM and click Edit. The Edit Hosted Domain dialog is displayed.

   You can select and configure multiple domains at the same time.

4. Select the Outbound Authentication tab.

5. Under Outbound DKIM Settings, select the Enable DKIM Signing for the selected domain(s) check box.

6. Enter a value for Selector. By default, the value for the selector is everyone.

   Using a selector enables you to have multiple public keys per sending domain. For example, a selector enables you to have different public keys for subsets of an organization’s domain name such as department or mail server.

7. Specify how you sign messages.

   Sign messages using a new public/private key:

   • Either import a file containing the key, or cut and paste the key value in the box. If you cut and paste the key, ensure that there are no leading spaces on new lines.

     Create public and private keys for DKIM signing

     Although DKIM requires a private and public key The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt email messages to the sender. pair, you only need to create a private key as the Gateway elicits the public key from the private key.

     For example, the following command will generate an RSA key using OpenSSL:

     openssl genrsa -traditional -out <private.key> <bits>

     <private.key>^{: name of the key you want to create.} <bits>^{: key length, such as 1024 and 2048.}

     We recommend that RSA keys are created with a key length of at least 1024 bits. However, when importing keys of 2048 bits and above into a DNS server, it is advised that you check the format of the key to ensure it complies with the requirements of the DNS server. For FIPS mode, see FIPS mode for more information.

     Use an alias to create a name that can be easily identified when you want to assign the same key pair to multiple domains. This alias has no impact on the DKIM signing or verification processes.

   • If required, enter and confirm the password for the new public/private key.

   Sign messages using an existing public/private key:

   • From the drop-down menu, select an alias to identify the key pair.

8. Click Save.

9. Click Download DKIM DNS Records and save the file to an appropriate location.

   You must add the created records to your organization's DNS.

   The Gateway uses the value in the Selector field to define the name of the DKIM DNS record file. For example, everyone._domainkey.fortra.com.

10. Apply the configuration.

Preserve original DKIM signature on outbound messages

You can configure this from System > Gateway Settings > Policy Engine Settings.

See Advanced and OCR (Preserve DKIM signature on outbound messages) for more information.