MailEnable Enterprise Guide
DKIM

DKIM Overview

DKIM provides a mechanism for verifying that a message was signed by the domain claiming responsibility for it and that the signed parts of it have not been altered in transit. Before sending, the server hashes the message body and a chosen set of headers and signs that hash with the domain's private key; the result is attached as a DKIM-Signature header. On receipt, the verifier fetches the matching public key from a DNS record published by the signing domain, recomputes the hashes from the message as received, and checks the signature against them. This gives strong assurance that the signed headers and the body are exactly as the signing domain sent them, since any change to either will cause verification to fail. Note that DKIM does not encrypt the message, and headers that were not included in the signature are not protected.

The main cost is processing time: signing and verifying both involve relatively expensive public-key operations, and verifying also requires a DNS lookup of the signing domain's key record.
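The signing and verification flow described above, as an added example written for this page (it is not MailEnable's implementation): body and header canonicalization in both the simple and relaxed forms from RFC 6376, the body hash with an optional length limit (the l= tag), and verification that covers only the headers named in the signature's h= list. The function names (NewKey, Sign, Verify), the map-based header representation, and the sample addresses, subject and body are this example's own constructions; a real verifier obtains the public key from the <selector>._domainkey.<domain> DNS record rather than from the caller, and this example keeps only the first instance of each header name.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)

// NewKey generates the selector's key pair (the key size chosen in the New Selector dialog).
func NewKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// canonBody applies RFC 6376 body canonicalisation ("simple" or "relaxed"), then the optional l= truncation.
func canonBody(body, algo string, limit int) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		if algo == "relaxed" { // collapse WSP runs to one space, strip trailing WSP
			lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
		}
	}
	for len(lines) > 0 && lines[len(lines)-1] == "" { // both algorithms drop trailing empty lines
		lines = lines[:len(lines)-1]
	}
	out := strings.Join(lines, "\r\n") + "\r\n"
	if limit > 0 && limit < len(out) {
		out = out[:limit] // bytes past l= are not covered by the signature at all
	}
	return out
}

// canonHeader: simple keeps the field verbatim; relaxed lowercases the name, unfolds, collapses WSP and trims.
func canonHeader(name, value, algo string) string {
	if algo == "simple" {
		return name + ":" + value
	}
	return strings.ToLower(name) + ":" + strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " "))
}

// headerHash covers the headers listed in names (absent ones are skipped), then the DKIM-Signature field with b= empty and no trailing CRLF.
func headerHash(names []string, hdrs map[string]string, sigValue, algo string) []byte {
	h := sha256.New()
	for _, n := range names {
		if v, ok := hdrs[n]; ok {
			h.Write([]byte(canonHeader(n, v, algo) + "\r\n"))
		}
	}
	h.Write([]byte(canonHeader("DKIM-Signature", sigValue, algo)))
	return h.Sum(nil)
}

// Sign returns the DKIM-Signature value. canon is "<header>/<body>"; limit > 0 adds an l= tag.
func Sign(key *rsa.PrivateKey, domain, selector, canon string, limit int, names []string, hdrs map[string]string, body string) (string, error) {
	hc, bc, _ := strings.Cut(canon, "/")
	cb := canonBody(body, bc, limit)
	bh := sha256.Sum256([]byte(cb))
	tags := fmt.Sprintf("v=1; a=rsa-sha256; c=%s; d=%s; s=%s", canon, domain, selector)
	if limit > 0 {
		tags += fmt.Sprintf("; l=%d", len(cb)) // the "Impose body hash length limit" option
	}
	tags += "; h=" + strings.Join(names, ":") + "; bh=" + base64.StdEncoding.EncodeToString(bh[:]) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(names, hdrs, tags, hc))
	return tags + base64.StdEncoding.EncodeToString(sig), err // sig is nil when err != nil
}

// parseTags returns the tag map plus the field with the b= value emptied, which is what the signer hashed.
func parseTags(v string) (map[string]string, string) {
	tags := map[string]string{}
	parts := strings.Split(v, ";")
	for i, part := range parts {
		k, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		tags[k] = strings.TrimSpace(val)
		if k == "b" {
			parts[i] = part[:strings.Index(part, "=")+1]
		}
	}
	return tags, strings.Join(parts, ";")
}

// Verify recomputes bh= and checks b= over the headers named in h=. A real verifier fetches pub from the <s>._domainkey.<d> TXT record.
func Verify(pub *rsa.PublicKey, sigHeader string, hdrs map[string]string, body string) error {
	tags, stripped := parseTags(sigHeader)
	hc, bc, _ := strings.Cut(tags["c"], "/")
	limit, _ := strconv.Atoi(tags["l"]) // no l= tag -> 0 -> hash the whole body
	bh := sha256.Sum256([]byte(canonBody(body, bc, limit)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(strings.Split(tags["h"], ":"), hdrs, stripped, hc), sig)
}
```

Signing with "relaxed/relaxed" and then re-verifying a copy whose body whitespace was reflowed still passes, while the same change under "simple/simple" fails with a body hash mismatch; changing a signed header such as From fails under either, and adding a header that is not in h= has no effect. With a length limit set, text appended after the signed bytes verifies as if it were part of the original, which is the caveat attached to that option.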

DKIM on MailEnable

To begin signing messages with DKIM, a DNS text record must be created for the sending domain in a sub domain called _domainkey (the record lives at <selector>._domainkey.<domain>). The text record contains the information verifiers need, including the public key used to check the signature. This text is generated as part of the configuration process and must be copied from the configuration window into the DNS record.

Note: instructions on setting up and maintaining DNS records are outside the scope of this document. Please contact your DNS administrator for more information.


Configuring DKIM Signing

  1. Open up the DKIM signing configuration utility through the MMC:
    1. Go to Mail Enable Management | Messaging Manager | Post Offices | <postoffice>.
    2. Right-click on the domain you wish to configure and select Properties.
    3. Select the DKIM tab and click Configure.
  2. Check the Sign outgoing messages box to enable message signing.
  3. Set the options for message signing. The following options are present:
    • Encryption algorithm: choose which algorithm will be used to sign the header hash. (Despite the label, the hash is signed with the private key rather than encrypted; the message itself is never encrypted.)
    • Canonicalization algorithm: this can be set independently for the headers and the body. The simple algorithm is stricter: verification fails if the signed headers or body are changed at all in transit, including whitespace or line-wrapping changes made by an intermediate mail server. The relaxed algorithm normalises whitespace and header-name case before hashing, so it tolerates those changes while still failing on any change to the actual content.
    • Impose body hash length limit: this allows you to limit how many bytes of the canonicalized message body will be used in the body hash.
      Note: setting a limit means that verification will succeed even if extra data is appended to the message body somewhere in transit, since bytes beyond the limit are not covered by the signature. Leave it unset unless you have a specific reason to allow that.
    • Include user identity: if checked, includes the sending user's address as the identity in the signature header; this is what a selector's Granularity setting is compared against.
  4. Configure selectors. A selector represents a private/public key pairing and, from the verifier's point of view, an entry in a DNS text record.
    1. Clicking New will bring up the New Selector dialog: enter a unique name for the selector and choose a key size. The larger the key, the harder it is to forge signatures, but the longer it takes to sign and verify each message. Current practice (RFC 8301) is a minimum of 1024 bits with 2048 bits recommended; note that a 2048-bit public key makes the DNS text record longer than 255 characters, so it has to be published as several strings within the one record.
    2. Options for each selector can be set by selecting the selector from the Selectors list, setting the options on the right, and then clicking Update. The following options are present:
      • Test mode: if this is checked, it indicates to verifiers that the server is testing DKIM, and that signed messages should not be treated any differently to unsigned messages, even if their verification fails.
      • Granularity: tells verifiers that only messages sent by a specified user should pass verification. This works by comparing the granularity with the user identity.
      • Notes: notes for human perusal.
      • Make this the active selector: use this selector for all outgoing messages. Only one selector can be active at a time, and activating one deactivates all others. Deactivated selectors remain usable for verifying previously sent messages, so long as their entry remains in the appropriate DNS text record.
    3. It is recommended that keys be rotated regularly: create a new selector and make it active, leave the old selector's DNS record in place long enough for messages signed with it to be delivered and verified, then remove that record and delete the selector with the Delete button. This limits the window in which a cracked or leaked key for the active (or a recently active) selector can be used to forge signatures.
    4. To make a selector available to verifiers, that selector must be selected, and the text generated in the box at the bottom of the form must be copied into a specially created DNS text record. This record must exist within a _domainkey sub domain and must have the same name as the selector.
  5. Click OK to save settings and exit, or Cancel to simply exit.


A Test Configuration

To test DKIM right away, try the following configuration:

Create a new selector called "test" with a key size of 1024. With this new selector selected, set the following options:

Click Update.

Now copy the text in the box into the DNS text record at test._domainkey.<your domain>.
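An added example, written for this page rather than taken from MailEnable, of what the record at <selector>._domainkey.<domain> contains and how a verifier reads it: the v=DKIM1 and k=rsa tags, the public key in p=, and the two selector options above expressed as record flags (Test mode as t=y, Granularity as g=). It assumes an RSA key generated on the spot; the selector name "test", the domain example.com and the identity "alice" are constructed, and the NewKey, BuildRecord, ParseRecord and GranularityAllows names are this example's own. MailEnable generates the record text itself, so BuildRecord only stands in for the box at the bottom of the form. The example also shows the practical wrinkle that a 2048-bit key's record exceeds the 255-byte limit of a single DNS character-string and must be published as two strings, which the verifier joins back together, and that an empty p= is how a decommissioned selector's key is revoked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record holds what a verifier takes from the <selector>._domainkey.<domain> TXT record.
type Record struct {
	Key         *rsa.PublicKey
	TestMode    bool   // t=y: a failed signature is to be treated like no signature at all
	Granularity string // g=: which local-part may use this selector ("*" = any)
}

// NewKey generates a selector's key pair with the chosen key size.
func NewKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// BuildRecord renders a DKIM1 record for pub, split into DNS character-strings of at most 255 bytes (a 2048-bit key needs two).
func BuildRecord(pub *rsa.PublicKey, testMode bool, granularity string) ([]string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub) // p= is the base64 SubjectPublicKeyInfo
	if err != nil {
		return nil, err
	}
	txt := "v=DKIM1; k=rsa"
	if testMode {
		txt += "; t=y"
	}
	if granularity != "" {
		txt += "; g=" + granularity
	}
	txt += "; p=" + base64.StdEncoding.EncodeToString(der)
	var strs []string
	for len(txt) > 255 {
		strs, txt = append(strs, txt[:255]), txt[255:]
	}
	return append(strs, txt), nil
}

// ParseRecord joins the character-strings back together and decodes the tags. An empty p= means the key was revoked.
func ParseRecord(strs []string) (Record, error) {
	r := Record{Granularity: "*"} // g= defaults to "*" when absent
	tags := map[string]string{}
	for _, part := range strings.Split(strings.Join(strs, ""), ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		tags[k] = strings.TrimSpace(v)
	}
	if (tags["v"] != "" && tags["v"] != "DKIM1") || (tags["k"] != "" && tags["k"] != "rsa") {
		return r, fmt.Errorf("unsupported record: v=%q k=%q", tags["v"], tags["k"])
	}
	if tags["p"] == "" {
		return r, fmt.Errorf("key revoked: empty or missing p=")
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil {
		return r, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return r, err
	}
	key, ok := pub.(*rsa.PublicKey)
	if !ok {
		return r, fmt.Errorf("p= is not an RSA key")
	}
	r.Key = key
	r.TestMode = strings.Contains(tags["t"], "y") // t= is a colon-separated list of flags
	if g, ok := tags["g"]; ok {
		r.Granularity = g
	}
	return r, nil
}

// GranularityAllows matches the local-part of the signature's user identity against g=: one '*' wildcard, empty g= matches nothing.
func GranularityAllows(g, local string) bool {
	i := strings.Index(g, "*")
	if i < 0 {
		return g != "" && g == local
	}
	pre, suf := g[:i], g[i+1:]
	return len(local) >= len(pre)+len(suf) && strings.HasPrefix(local, pre) && strings.HasSuffix(local, suf)
}

func main() {
	key, err := NewKey(2048)
	if err != nil {
		panic(err)
	}
	strs, _ := BuildRecord(&key.PublicKey, true, "alice") // constructed: selector in test mode, limited to user alice
	for _, s := range strs {
		fmt.Printf("test._domainkey.example.com TXT %q\n", s)
	}
	r, err := ParseRecord(strs)
	fmt.Println("parse error:", err, "test mode:", r.TestMode, "alice allowed:", GranularityAllows(r.Granularity, "alice"))
}
```

Once the record is published, the same parsing can be applied to what a resolver returns (for example the strings shown by nslookup -type=TXT test._domainkey.<your domain>) to confirm that the key, test-mode flag and granularity the verifiers will see are the ones intended before the selector is made active.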