DomainKeys Identified Mail (DKIM) integration

Administrator Help | TRITON AP-EMAIL | Version 8.2.x

The DomainKeys Identified Mail (DKIM) functionality provides an email authentication method to help ensure that a message is not modified while it is in transit from an organization's protected domains. The implementation depends on a set of keys (private and public), which a recipient domain can use to verify the sender domain.

A DKIM integration has the following components:

Email signing

Email verification

For the signing element, a private key resides in the mail transfer agent, providing a digital signature that is added to the header of each message sent from a protected domain. A public key is generated and published in the DNS as a text record that is used by a recipient mail system in the verification process.

A signing rule associates specified sender domains with a private and public key set.

Configuring a DKIM signing key

A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.

You may also delete an existing key, unless it is currently in use by a signing rule. Select the desired key by marking its associated check box and click Delete.

The DKIM Signing Keys section contains a table of key information. You can configure the number of signing key entries per page, between 25 and 100, in the Per page drop-down list at the top of the table.

You can perform a keyword search by entering a term in the entry field at the top right of the table and clicking Search. Click Show all keys to clear the Search field and refresh the signing keys list.

The signing keys table includes the following information about each key:


Signing Key Item	Description
Key Name	Name of the signing key; link that opens the Edit Signing Key page
Key Size (bits)	Number of bits in the signing key. Currently, the only key size supported is 1024 bits.
Rule Name	Name of the rule with which the signing key is associated
Public Key	Link that opens a View Public Key box, which displays the public key text record

Adding a key

Use the following steps to create a DKIM signing key in the Settings > Inbound/Outbound > DKIM Settings page:

Click Add in the DKIM Signing Keys section to open the Add Signing Key page.

Enter a name for your key in the Key name entry field.

Select one of the following options for creating your key:

Generate key (default) to create the private key. Only 1024-bit keys are supported.

Private key to enter a key you have already created. Paste the key in the entry box.

Click OK.

Importing or exporting a key

To import a DKIM signing key in the Settings > Inbound/Outbound > DKIM Settings page, click Import to open a browser window. Navigate to the desired key file and click Open. You cannot import a duplicate key file.

To export a key, select the desired key in the signing keys table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.

Creating a DKIM signing rule

A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time.

You may create a signing rule, import an existing rule from a local directory, or export a rule to a local directory on the Settings > Inbound/Outbound > DKIM Settings page.

You may also delete a signing rule. Select the desired rule by marking its associated check box and click Delete.

The DKIM Signing Rules section contains a table of rule information. You can configure the number of signing rule entries per page, between 25 and 100, in the Per page drop-down list at the top of the table.

You can perform a keyword search by entering a term in the entry field at the top right of the table and clicking Search. Click Show all rules to clear the Search field and refresh the signing rules list.

The signing rules table includes the following information about each rule:


Signing Rule Item	Description
Rule Name	Name of the signing rule; link that opens the Edit Signing Rule page
Domain	Domain name to which the signing rule applies
Selector	Name component in addition to the domain name used in the DNS query. A given domain may have multiple selectors (e.g., for location or organization division).
Signing Key Name	Name of the signing key associated with this rule
DNS Text Record	Link that opens a Generate DNS Text Record dialog box. See Generating a DNS text record (public key) for information about creating a text record.
Test Rule	Link to test whether the signing rule is valid. A successful test must be performed before a rule can be enabled.
Enabled	Indicator of signing rule status (i.e., enabled or disabled). A rule must be enabled in order to take effect.

Adding a signing rule

Use the following steps to create a DKIM signing rule in the Settings > Inbound/Outbound > DKIM Settings page:

Click Add in the DKIM Signing Rules section to open the Add Signing Rule page.

Enter a name for your rule in the Rule name entry field.

Enter the name of the domain to which this signing rule applies.

If desired, mark the Include user identifier check box to include the identity of the user or agent for whom the message is signed.

Enter the user identifier in the User identifier entry field (optional). This field is not enabled if the Include user identifier check box is not marked.

Enter the domain name selector in the Selector entry field. A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.

Select the signing key you want to associate with this rule from the Signing key drop-down list of existing keys.

Click Advanced Options to open a box with additional optional rule settings:

Select an encryption algorithm from the Algorithm drop-down list. Options include RSA-SHA-1 (default) or RSA-SHA-256.

Specify a canonicalization method for message header and body in the Canonicalization section. The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.

The following header and body changes are made, based on the selection of Simple or Relaxed:

Simple (default)

Relaxed

Message Header

No header changes made

Header names changed to lowercase

Header line breaks removed

Linear white spaces (including tabs and carriage returns) reduced to a single space

Leading and trailing spaces stripped

Message Body

Empty lines at end of body stripped;

Empty lines at end of message body stripped

Linear white spaces (including tabs and carriage returns) reduced to a single space

Trailing spaces stripped

Indicate the message headers you want to sign from the list of standard headers. You can include other headers as a comma-separated list in the Additional headers field.

Specify whether you want the entire message body signed or only a portion of it signed. For the latter selection, enter the maximum number of Kbytes you want signed (default is 1024).

Select any optional signature tags for the signing rule:

t lets you add a signature creation timestamp

x lets you specify a signature expiration time in seconds (default is 3600)

z adds the list of signed header fields to the signature

From the Signing rule options drop-down list, select either Sign email messages or Do not sign email messages. Then create a list of email addresses to which this option applies.

For example, if you select Sign email messages, then email from the addresses in the list are signed. Email from other addresses is not signed.

If you select Do not sign email messages, then email from the addresses in the list are not signed, and email from all other users is signed.

You may search the email address list by entering a keyword in the search entry field and clicking Search.

You may remove an email address from the list by selecting it and clicking Remove.

10.

Click OK.

Importing or exporting a rule

To import a DKIM signing rule in the Settings > Inbound/Outbound > DKIM Settings page, click Import to open a browser window. Navigate to the desired rule file and click Open. You cannot import a duplicate key rule.

To export a rule, select the desired rule in the signing rules table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.

Generating a DNS text record (public key)

Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.

You can view a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.

Testing a rule

Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.

You must have performed a successful rule test before a rule can be enabled.

Enabling DKIM verification

The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.

You can enable DKIM verification in the Settings > Inbound/Outbound > DKIM Settings page, in the DomainKeys Identified Mail (DKIM) Verification section. Mark any of the following check boxes to activate DKIM verification:

Enable DomainKeys Identified Mail (DKIM) verification for inbound messages

Enable DomainKeys Identified Mail (DKIM) verification for outbound messages

Enable DomainKeys Identified Mail (DKIM) verification for internal messages

By default, these check boxes are not marked.

You can configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content for information about creating this filter.