SecurityGateway for Email Servers v10.0

Sign Outbound Messages

Use the options on the Sign Outbound Messages page to control whether or not a domain's outgoing messages will be cryptographically signed using DomainKeys Identified Mail (DKIM). You can also use this page to create the selectors and keys used for signing the domain's messages, and to designate which selector to use. All keys are unique — they are never the same from one domain to another, regardless of the selector specified.

For more on DKIM, see:

DKIM Signing

Sign outbound messages using DomainKeys Identified Mail (DKIM)

Click this option if you wish to use DomainKeys Identified Mail to cryptographically sign the domain's outbound messages. In order for a message to be signed, it must be received by SecurityGateway on an authenticated session via SMTP AUTH, or be received from a Domain Mail Server. This is to ensure that the message is genuine before signing it.

Sign messages using this selector:

From the drop-down list, choose the selector whose corresponding public/private key pair you wish to use when signing the domain's messages. If you wish to create a new selector, click the New button, type the desired Selector Name in the space provided, and click Save and Close.


Click the New button to create a new selector used for signing the domain's messages. Enter a Selector Name in the space provided and then click Save and Close.


To delete a selector, choose it from the drop-down list box and then click Delete.

View DNS configuration (public key) for this selector

Choose a selector from the drop-down list box above and then click this link to view the selector's DNS configuration. This is the DKIM information that must be placed in the domain's DNS record. Without this information in the DNS record, no one will be able to verify the signatures in your messages. The DNS Configuration page lists the following information:

DKIM selector record for DNS

This is the information that other servers will need in order to verify the domain's DKIM signed messages. It contains the selector, the domain, the public key, and other necessary information.

Placing this information in the domain's DNS record is required if you wish to sign its outgoing messages. Without this, the receiving servers will have no way to verify the signatures. For more information and other parameters that may be included in your DNS records, visit and the DomainKeys Distribution Options page at

DKIM Signing Options (All domains)

Signatures expire after [xx] days ("t=" tag, default 7 days)

Use this option to limit the number of days that a DKIM signature will be considered valid. Messages with expired signatures will always fail verification. This option corresponds to the signature's "x=" tag. It is enabled by default and is set to 7 days.

Signatures include query method(s) (include "q=" tag)

This option is used to include the query method tag in the DKIM signature (i.e. q=dns). It is included by default.

Signatures include body length count (include "l=" tag)

This option controls whether or not the body length count (the "l=" tag) will be included in DKIM signatures. This option is enabled by default.

Signatures include original header content (include "z=" tag)

Click this option if you wish to include the "z=" tag in the DKIM signature. This tag will contain a copy of the message's original headers, and can therefore potentially make signatures quite large. This option is disabled by default.
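To check what these options actually put on the wire, the following added example (not SecurityGateway code) parses a DKIM-Signature header value and reports the tags discussed above. In RFC 6376, "x=" is the expiration time and "t=" is the signing timestamp, so the lifetime is their difference. The header value, domain and selector name are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample header value; bh= and b= are placeholders, not real data.
SAMPLE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel2024;\r\n"
    "\tq=dns/txt; t=1700000000; x=1700604800; l=1234;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER"
)

def parse_tags(value):
    """Parse an RFC 6376 tag-list into a dict, unfolding and dropping whitespace."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def audit(value, now):
    """Report signature lifetime, canonicalization and tags worth reviewing."""
    tags = parse_tags(value)
    findings = []
    lifetime_days = None
    if "x" not in tags:
        findings.append("no x= tag: signature has no expiration")
    else:
        if now > int(tags["x"]):
            findings.append("x= is in the past: verification will fail")
        if "t" in tags:
            lifetime_days = (int(tags["x"]) - int(tags["t"])) / 86400
    if "l" in tags:
        findings.append("l=%s: body octets past this count are not signed" % tags["l"])
    if "z" in tags:
        findings.append("z= present: copied headers enlarge the signature")
    # c= defaults to simple/simple; a missing body part defaults to simple.
    header_c, _, body_c = tags.get("c", "simple/simple").partition("/")
    return {"lifetime_days": lifetime_days, "header_canon": header_c,
            "body_canon": body_c or "simple", "query": tags.get("q", "dns/txt"),
            "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE, now=1700000500))
```

Run it against the DKIM-Signature header of a message the gateway has signed to confirm that the expiration, "l=", "z=" and canonicalization settings match what you configured.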


Canonicalization is a process whereby the message's headers and body are converted into a canonical standard and "normalized" before the DKIM signature is created. This is necessary because some email servers and relay systems will make various inconsequential changes to the message during normal processing, which could otherwise break the signature if a canonical standard was not used to prepare each message for signing. Currently there are two canonicalization methods used for DKIM signing and verification: Simple and Relaxed. Simple is the strictest method, allowing little to no changes to the message. Relaxed is more forgiving than Simple, allowing several inconsequential changes.

Canonicalize headers using: Simple, Relaxed

This is the canonicalization method used for the message headers when signing the message. Simple allows no changes to the header field in any way. Relaxed allows for converting header names (not header values) to lower case, converting one or more sequential spaces to a single space, and other innocuous changes. The default setting is "Simple."

Canonicalize body using: Simple, Relaxed

This is the canonicalization method used for the message body when signing the message. Simple ignores empty lines at the end of the message body — no other changes to the body are allowed. Relaxed allows for blank lines at the end of the message, ignores spaces at the end of lines, reduces all sequences of spaces in a single line to a single space character, and other minor changes. The default setting is "Simple."
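The difference between the two methods is easiest to see by computing the body hash both ways. This added example (not SecurityGateway code) implements the Simple and Relaxed rules from RFC 6376 and compares the SHA-256 body hash of a message before and after a relay alters its whitespace. The sample bodies are constructed and the function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed sample: the relay appended a space to line 1 and a blank line at the end.
ORIGINAL = "Hello  team,\r\nInvoice attached.\r\n"
RELAYED = "Hello  team, \r\nInvoice attached.\r\n\r\n"

def canon_header(line, method):
    """Canonicalize one raw header line (including its trailing CRLF)."""
    if method == "simple":
        return line  # Simple: the header field is used exactly as received
    name, _, value = line.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value.rstrip("\r\n")).strip(" ")
    return name.strip().lower() + ":" + value + "\r\n"

def canon_body(body, method):
    """Canonicalize a CRLF-delimited message body."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # Relaxed: collapse runs of spaces/tabs and drop whitespace at line end
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()                                    # both ignore trailing empty lines
    if not lines:
        return "\r\n" if method == "simple" else ""   # empty-body rule differs
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, method):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256(canon_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def survives(original, relayed, method):
    """True if the body hash still matches after the relay's changes."""
    return body_hash(original, method) == body_hash(relayed, method)

if __name__ == "__main__":
    for method in ("simple", "relaxed"):
        print(method, "body hash survives relay:", survives(ORIGINAL, RELAYED, method))
    print(repr(canon_header("SUBJECT :  Quarterly   Report \r\n", "relaxed")))
```

With the default Simple body setting, the single trailing space added in transit is enough to invalidate the signature, while trailing blank lines alone are tolerated by both methods.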