Use the options on the DKIM Signing page to control whether or not a domain's outgoing messages will be cryptographically signed using DomainKeys Identified Mail (DKIM). You can also use this page to create the selectors and keys used for signing the domain's messages, and to designate which selector to use. All keys are unique — they are never the same from one domain to another, regardless of the selector specified.
For more on DKIM, see: www.dkim.org.
DKIM Signing
Sign outbound messages using DomainKeys Identified Mail (DKIM)
Click this option if you wish to use DomainKeys Identified Mail to cryptographically sign the domain's outbound messages. In order for a message to be signed, it must be received by SecurityGateway on an authenticated session via SMTP AUTH, or be received from a Domain Mail Server. This is to ensure that the message is genuine before signing it.
ARC Signing
ARC is an email authentication protocol that allows SecurityGateway, when acting as intermediate server for a message, to digitally sign the incoming message's authentication results, so that when the message continues to its final destination it can still be verified by the recipient's server. This is helpful, for example, when SecurityGateway is redirecting a message or dealing with a mailing list message that requires modifications to headers that were included in the message's DKIM signature. When the receiving server uses ARC Verification and has designated your SecurityGateway domain as a trusted ARC sealer, it can verify your ARC signature and then accept the message as genuine.
Sign eligible messages using ARC
Check this box if you wish to use ARC to sign eligible messages. Messages from a local domain do not require ARC signing, as they can be DKIM signed. Therefore all outbound messages that are not from a local domain are eligible for ARC signing. ARC signing is necessary when SecurityGateway modifies a message or any message header included in the DKIM signature. These modifications may include actions like From Header Screening, adding a disclaimer, or similar changes. Note that when ARC signing is enabled, all outbound messages not originating from a local domain are signed, not only those that are modified. ARC Signing is disabled by default.
For more information on the ARC protocol, see: RFC 8617: The Authenticated Received Chain (ARC) Protocol.
Selectors
Sign messages using this selector:
From the drop-down list, choose the selector whose corresponding public/private key pair you wish to use when signing the domain's messages. If you wish to create a new selector, click the New button, type the desired Selector Name in the space provided, and click Save and Close.
New
Click this button to create a new selector used for signing the domain's messages. Enter a Selector Name in the space provided and then click Save and Close.
Import
Click Import if you wish to import an RSA public/private key pair and create a new selector from it. The file must be a .zip archive containing rsa.private and rsa.public text files in PEM format. You must choose a name for the selector and the domain with which it will be associated (or set it as a global selector).
Export
Choose a selector and click Export to download that selector's RSA public/private key pair in a .zip file.
Delete
To delete a selector, choose it from the drop-down list box and then click Delete.
View DNS configuration (public key) for this selector
Choose a selector from the drop-down list box above and then click this button to view the selector's DNS configuration. This is the DKIM information that must be placed in the domain's DNS record. Without this information in the DNS record, no one will be able to verify the signatures in your messages. The DNS Configuration page lists the following information:
DKIM selector record for DNS
This is the information that other servers will need in order to verify the domain's DKIM signed messages. It contains the selector, the domain, the public key, and other necessary information.
Placing this information in the domain's DNS record is required if you wish to sign its outgoing messages. Without this, the receiving servers will have no way to verify the signatures. For more information and other parameters that may be included in your DNS records, visit www.dkim.org and the DomainKeys Distribution Options page at domainkeys.sourceforge.net.
Using a Shared/Global Selector
When you wish to use the same selector for more than one of your SecurityGateway domains, there are two ways to do this:
Publish a separate DKIM selector record to DNS for each domain, but using the same public key
1. In the "For Domain:" option, choose "-- Global --".
2. Choose a selector or create a new one, and click View DNS configuration (public key) for this selector.
3. Copy the text under DKIM selector record for DNS.
4. Paste that text when creating the DKIM selector in DNS for one of the domains that will be sharing the selector, but replace %DOMAIN% with the domain name. For example, replace "selector01._domainkey.%DOMAIN%." with "selector01._domainkey.example.com.".
5. Repeat for each domain that will be sharing the selector.
6. Ensure that your DKIM Signing options are properly configured for all relevant domains to use the shared selector for signing.
Publish the DKIM selector record to DNS for one domain, then point additional domains to that domain using CNAME
1. Choose a selector and use the text under View DNS configuration (public key) for this selector to publish a DKIM record in DNS for one of your domains. For example:
selector01._domainkey.example.com IN TXT "v=DKIM1; p=MIGfMA0GCSq..."
2. For each domain that will share the selector, set up a CNAME record for the "selector01._domainkey" sub-domain, to point to the original domain. For example:
example01.com - selector01._domainkey.example01.com IN CNAME selector01._domainkey.example.com
example02.com - selector01._domainkey.example02.com IN CNAME selector01._domainkey.example.com
3. Ensure that your DKIM Signing options are properly configured for all relevant domains to use the shared selector for signing.
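The two shared-selector procedures above, as an added Python example that is not SecurityGateway's own code: it builds the per-domain TXT records from a Global selector's %DOMAIN% template (first approach), builds the CNAME records (second approach), parses a selector TXT record into its tags, and flags a name that would carry both a CNAME and a TXT record, which DNS does not allow (RFC 1034), so you can catch a mixed zone before publishing it. The selector name, domain names and the p= value are constructed placeholders.

```python
# Added example (not SecurityGateway code): generate and sanity-check the DNS
# records for a shared/global DKIM selector. All names and the key value below
# are constructed placeholders.
import base64
from collections import defaultdict

SELECTOR = "selector01"
PRIMARY_DOMAIN = "example.com"
SHARED_DOMAINS = ["example01.com", "example02.com"]

# Stand-in for the text shown under "DKIM selector record for DNS" when
# "-- Global --" is chosen; the p= value is a placeholder, not a real key.
GLOBAL_TEMPLATE = (
    f'{SELECTOR}._domainkey.%DOMAIN%. IN TXT '
    '"v=DKIM1; k=rsa; p=UExBQ0VIT0xERVJQVUJMSUNLRVk="'
)


def per_domain_txt_records(template: str, domains: list) -> list:
    """Approach 1: one TXT record per domain, all carrying the same public key."""
    if "%DOMAIN%" not in template:
        raise ValueError("no %DOMAIN% placeholder: was a Global selector chosen?")
    return [template.replace("%DOMAIN%", d) for d in domains]


def cname_records(selector: str, primary_domain: str, domains: list) -> list:
    """Approach 2: publish the TXT once and alias the other domains to it."""
    target = f"{selector}._domainkey.{primary_domain}."
    return [f"{selector}._domainkey.{d}. IN CNAME {target}" for d in domains]


def parse_dkim_txt(rdata: str) -> dict:
    """Parse quoted TXT rdata into tags and check what a verifier needs from it."""
    tags = {}
    for part in rdata.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1
        raise ValueError(f"unexpected version tag: {tags['v']!r}")
    if not tags.get("p"):  # an empty p= means the key has been revoked
        raise ValueError("p= (public key) missing or empty")
    base64.b64decode(tags["p"], validate=True)  # must at least be valid base64
    return tags


def cname_conflicts(records: list) -> list:
    """Owner names that have a CNAME plus any other record type.
    A CNAME must be the only record at its name (RFC 1034), so such a zone
    would be rejected or the DKIM TXT would be unreachable."""
    types_by_name = defaultdict(set)
    for rec in records:
        name, _, rtype = rec.split(None, 3)[:3]  # "<name> IN <type> <rdata>"
        types_by_name[name.lower()].add(rtype.upper())
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)


if __name__ == "__main__":
    txt = per_domain_txt_records(GLOBAL_TEMPLATE, [PRIMARY_DOMAIN] + SHARED_DOMAINS)
    cnames = cname_records(SELECTOR, PRIMARY_DOMAIN, SHARED_DOMAINS)
    for rec in txt + cnames:
        print(rec)
    # Mixing both approaches for the same domain produces a conflict:
    print("conflicts:", cname_conflicts(txt + cnames))
    print(parse_dkim_txt(GLOBAL_TEMPLATE.split("TXT ", 1)[1]))
```

Pick one approach per domain: the conflict check exists precisely because publishing a domain's own TXT record and then also adding the CNAME for it (for example when migrating from the first approach to the second) leaves that domain's selector name with two record types.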
DKIM Signing Options (All domains)
Signatures expire after [xx] days ("x=" tag, default 7 days)
Use this option to limit the number of days that a DKIM signature will be considered valid. Messages with expired signatures will always fail verification. This option corresponds to the signature's "x=" tag. It is enabled by default and is set to 7 days.
Signatures include query method(s) (include "q=" tag)
This option is used to include the query method tag in the DKIM signature (i.e. q=dns). It is included by default.
Signatures include body length count (include "l=" tag)
This option controls whether or not the body length count (the "l=" tag) will be included in DKIM signatures. This option is enabled by default.
Signatures include original header content (include "z=" tag)
Click this option if you wish to include the "z=" tag in the DKIM signature. This tag will contain a copy of the message's original headers, and can therefore potentially make signatures quite large. This option is disabled by default.
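How the four options above appear to the receiving side, as an added Python example that is not SecurityGateway's own code: it parses a DKIM-Signature tag list (RFC 6376 section 3.2), applies the expiration rule for the "x=" tag, reports the "q=", "l=" and "z=" tags, and shows which part of the body an "l=" body length count leaves outside the signature, the reason RFC 6376 (section 8.2) tells verifiers to treat that tag with care. The header is constructed; the bh= and b= values are placeholders, not a real hash or signature.

```python
# Added example (not SecurityGateway code): read the signing options back out
# of a DKIM-Signature header the way a verifier does. Constructed header;
# bh= and b= are placeholders.

SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=selector01;\r\n"
    "\tq=dns/txt; t=1700000000; x=1700604800; l=1024;\r\n"
    "\th=from:to:subject:date; bh=BODYHASHPLACEHOLDER=;\r\n"
    "\tb=SIGNATUREPLACEHOLDER="
)
SECONDS_PER_DAY = 86400


def parse_tags(header_value: str) -> dict:
    """Split a tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip()] = "".join(value.split())
    return tags


def signature_expired(tags: dict, now: int) -> bool:
    """If x= is present and the verification time is past it, the signature
    is no longer valid (the "Signatures expire after" option)."""
    return "x" in tags and now > int(tags["x"])


def signing_options(tags: dict) -> dict:
    """Report which optional tags the signer included and what they say."""
    lifetime = None
    if "t" in tags and "x" in tags:
        lifetime = (int(tags["x"]) - int(tags["t"])) / SECONDS_PER_DAY
    return {
        "lifetime_days": lifetime,                                # x= minus t=
        "query_method": tags.get("q"),                            # q= tag
        "body_length": int(tags["l"]) if "l" in tags else None,   # l= tag
        "copied_headers": "z" in tags,                            # z= tag
    }


def unsigned_body_tail(body: bytes, tags: dict) -> bytes:
    """Bytes of the canonicalized body beyond the l= count. They are not
    covered by bh=, so changes there do not break the signature."""
    if "l" not in tags:
        return b""
    return body[int(tags["l"]):]


if __name__ == "__main__":
    tags = parse_tags(SAMPLE_SIGNATURE)
    print(signing_options(tags))
    print("expired one second after x=:", signature_expired(tags, 1700604801))
    print("uncovered tail:", unsigned_body_tail(b"a" * 1024 + b"APPENDED", tags))
```

The t= and x= values in the sample are exactly 7 days apart, matching the default of the expiry option; a verifier checking a message after x= rejects it even though the cryptographic signature itself would still check out.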
Canonicalization
Canonicalization is a process whereby the message's headers and body are converted into a canonical standard and "normalized" before the DKIM signature is created. This is necessary because some email servers and relay systems will make various inconsequential changes to the message during normal processing, which could otherwise break the signature if a canonical standard was not used to prepare each message for signing. Currently there are two canonicalization methods used for DKIM signing and verification: Simple and Relaxed. Simple is the strictest method, allowing little to no changes to the message. Relaxed is more forgiving than Simple, allowing several inconsequential changes.
Canonicalize headers using: Simple, Relaxed
This is the canonicalization method used for the message headers when signing the message. Simple allows no changes to the header field in any way. Relaxed allows for converting header names (not header values) to lower case, converting one or more sequential spaces to a single space, and other innocuous changes. The default setting is "Simple".
Canonicalize body using: Simple, Relaxed
This is the canonicalization method used for the message body when signing the message. Simple ignores empty lines at the end of the message body — no other changes to the body are allowed. Relaxed allows for blank lines at the end of the message, ignores spaces at the end of lines, reduces all sequences of spaces in a single line to a single space character, and other minor changes. The default setting is "Simple".
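The Simple and Relaxed header and body canonicalization described above, as an added Python example that is not SecurityGateway's own code. It implements the two algorithms from RFC 6376 section 3.4 and runs a constructed body through them before and after a relay that collapses double spaces, adds trailing spaces and appends a blank line, so you can see which choice keeps the body hash intact. The sample header and bodies are constructed.

```python
# Added example (not SecurityGateway code): RFC 6376 section 3.4 "simple" and
# "relaxed" canonicalization for a header field and a message body.
import re


def canon_header(name: str, value: str, method: str) -> str:
    """Canonical form of one header field as it is fed to the signature hash."""
    if method == "simple":
        # simple: the field is used exactly as received, name case and all
        return f"{name}:{value}\r\n"
    if method == "relaxed":
        # relaxed: lower-case the name, unfold, collapse WSP runs to one
        # space, and drop WSP around the colon and at the end of the value
        name = name.lower().strip(" \t")
        value = value.replace("\r\n", "")
        value = re.sub(r"[ \t]+", " ", value).strip(" \t")
        return f"{name}:{value}\r\n"
    raise ValueError(f"unknown canonicalization method: {method}")


def canon_body(body: bytes, method: str) -> bytes:
    """Canonical body; lines are CRLF-terminated as on the wire."""
    if method == "simple":
        # simple: only empty lines at the end are removed; an empty body
        # canonicalizes to a single CRLF
        return re.sub(rb"(\r\n)*\Z", b"", body) + b"\r\n"
    if method == "relaxed":
        # relaxed: per line, collapse WSP runs and strip trailing WSP; then
        # remove trailing empty lines; an empty body stays empty
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t")
                 for ln in body.split(b"\r\n")]
        body = re.sub(rb"(\r\n)*\Z", b"", b"\r\n".join(lines))
        return body + b"\r\n" if body else b""
    raise ValueError(f"unknown canonicalization method: {method}")


def body_survives_relay(original: bytes, relayed: bytes, method: str) -> bool:
    """True if the body hash (bh=) computed at signing time still matches
    after the relay's edits under the given canonicalization."""
    return canon_body(original, method) == canon_body(relayed, method)


# Constructed sample: what the signer saw, and what a relay forwarded after
# collapsing a double space, adding trailing spaces and a blank line.
ORIGINAL_BODY = b"Hello  world \r\nsecond line\r\n"
RELAYED_BODY = b"Hello world\r\nsecond line   \r\n\r\n"

if __name__ == "__main__":
    for method in ("simple", "relaxed"):
        print(method, body_survives_relay(ORIGINAL_BODY, RELAYED_BODY, method))
    print(repr(canon_header("Subject", " Test   message\r\n  folded", "relaxed")))
```

With the default Simple/Simple setting the relayed body fails; with Relaxed it passes. That is the trade-off behind the two options: Simple gives the narrowest definition of "unchanged", Relaxed keeps signatures verifiable through relays that touch whitespace.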