Setting Up and Using DKIM/DomainKeys

Here are the basic steps involved in setting up and using DKIM/DomainKeys. The steps are explained in more detail in the following sections.

1. Select the options you want in the DKIM/DomainKeys tab for a specific site. This includes generating public and private keys, which are essential to the operation of DKIM/DomainKeys.

2. Create and publish the domain TXT records (this includes publishing the public key to DNS).

3. When you send email, the private key generates a digital signature of the message.

4. The DKIM/DomainKeys-enabled receiving server extracts the digital signature and claimed From: or Sender: domain from the headers.

5. The receiving server fetches the public key from DNS and checks it against the private key. If it's a match, this proves that the claimed From: or Sender: domain is accurate and the headers and content were not altered. If the signature fails to verify, the email can be dropped, flagged or quarantined.

Details

Selecting Options in the DKIM/DomainKeys Tab

To enable DKIM and/or DomainKeys signing

Select or clear the DKIM signing enabled and/or DomainKeys signing enabled options.

To make the site settings (i.e., the settings you choose on this page) the default settings for signing

Select On for DKIM signing defaults to and/or DomainKeys signing defaults to.

To choose the headers you want to include in the digital signature

In the Available Headers box, click a header you want, and then click the >> button. The header appears in the Selected Headers box. Repeat for any additional headers you want.

IMPORTANT   DKIM/DomainKeys signing may fail if the From header does not contain a valid email address. If the From header contains a merged tag, make sure that this tag returns a valid email address.

To remove a header from the Selected Headers box

Click the header, and then click the << button. The header is moved back to the Available Headers box.

To add a new header

1. Click the Add Header button.

2. In the dialog that appears, type in a new header.

3. When you are finished, click the OK button. The new header appears in the Available Headers box.

To specify the default signing domain

(this will be used when there are no configured domains that match the "From" header domain)

In the Default Signing Domain box, type the domain.

To create a selector for the domain

In the Selector box, type a selector.

To generate the public and private keys

1. Click the Bits drop-down list and choose a bit size.

NOTE   This number determines the size (in bits) of the private key. You can choose one of five sizes: 512, 758, 1024, 1536 or 2048. The larger sizes offer greater security, but this is offset by a penalty in CPU performance. The current best practice size is 1024.

2. Click the Generate Key button. The private key and public key appear in the Private Key and Public Key boxes.

NOTE   This procedure runs a program called openssl.exe in the background. You can also generate public and private keys by running openssl.exe outside of ListManager. If you have existing public and private keys and don't need to generate them in ListManager, select the Paste Your Key option, and then paste your keys into the appropriate boxes.

To validate the key

Click the Validate Key button.

NOTE   For validation to be successful, you must first create and publish the domain TXT records (see the following section).

When you are finished with the options on this page, do one of the following

1. To save your work and return to the main Site page, click the Save button.

2. To save your work and continue to a page where you can add more domains, click the Save and Configure button.

Creating and Publishing the Domain TXT Records

You must create the Domain TXT Records which you will publish to DNS. Use your favorite text editor to create the records described below. You will then copy the text from the editor into whichever program you use to publish to DNS.

Creating the DKIM/DomainKeys Policy Record

The first type of record you need to create is called your policy record. The policy record is stored at _domainkey.domainname.com. Here is an example record:

_domainkey IN TXT "t=y; o=~; r=postmaster@yourdomain.com"

Here is a list of the possible tags, and their meanings:

o — Outbound Signing policy ('-' means that this domain signs all email, '~' is the default and means that this domain may sign some email with DomainKeys).

r — A reporting email address. If present, this defines the email address where invalid verification results are reported. This tag is primarily intended for early implementers—the content and frequency of the reports will be defined in a separate document.

t — testing mode ('y' means that this domain is testing DomainKeys so unsigned and unverifiable email should not be treated differently from verified email. Recipient systems may wish to track testing mode results to assist the sender.)

n — Notes that may be of interest to a human. No interpretation is made by any program.

Yahoo's Policy as of this writing is:

;; ANSWER SECTION:

_domainkey.yahoo.com. 7200 IN TXT "t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys"
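As an added example (not part of the original page or of ListManager), here is a small Python parser for the policy record in both the zone-file form above and the form dig prints, followed by the receiving-side decision that the o= and t= tags imply. The "flag" action stands in for the page's drop/flag/quarantine choice, and all function names are my own.

```python
import re

# Constructed samples: the page's example policy record, and the Yahoo record as
# dig prints it (dig escapes ';' inside a TXT string as "\;").
PAGE_POLICY = '_domainkey IN TXT "t=y; o=~; r=postmaster@yourdomain.com"'
DIG_POLICY = ('_domainkey.yahoo.com. 7200 IN TXT '
              '"t=y\\; o=~\\; n=http://antispam.yahoo.com/domainkeys"')

def parse_policy_record(line):
    """Return the tag=value pairs of a _domainkey policy TXT record (zone-file or dig format)."""
    m = re.search(r'\bIN\s+TXT\s+(.*)$', line)
    if not m:
        raise ValueError("not a TXT record line")
    # join all quoted strings, keeping backslash escapes, then undo dig's "\;" escape
    value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))).replace("\\;", ";")
    tags = {}
    for pair in value.split(";"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def disposition(tags, result):
    """Decide what a receiver does with a message given the sender's policy.

    result is 'verified', 'failed' or 'unsigned'. Returns (action, report_to):
    'accept' or 'flag' (standing in for the page's drop/flag/quarantine choice,
    which is local policy), plus the r= address to report invalid results to."""
    if result == "verified":
        return "accept", None
    report_to = tags.get("r")                 # r=: where invalid results are reported
    if tags.get("t") == "y":                  # t=y: testing, do not treat unsigned or
        return "accept", report_to            # unverifiable mail differently
    if result == "unsigned" and tags.get("o", "~") != "-":
        return "accept", None                 # o=~ (default): domain signs only some mail
    return "flag", report_to                  # failed, or unsigned while o=- claims all mail is signed
```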

Creating the DKIM/DomainKeys selector record

The selector is an arbitrary name you create for a domain. It can be any string that is considered legal in the DNS namespace and email headers; it must not contain a semicolon. When you generate a new public/private key combination, you must choose a new selector. It is a good idea to do this periodically for increased security.

You can only set up one DKIM/DomainKeys policy record per domain, but you can have multiple selector records in DNS simultaneously. The selector record holds your public key. You can set up multiple selectors to be used on different servers if you like, or you can use one selector for all your outgoing email. You can also create a selector that only works for one specific email address. Here is an example selector record:

2006._domainkey.example.com IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ=="

The selector record consists of the following three sections:

1. Selector: In this example, 2006 is the selector. It must always be followed by a dot, then an underscore, then the word "domainkey," then another dot, and then the domain name.

Example:

2006._domainkey.example.com

Make sure the selector you add to your selector record is the same as the one you typed in the Selector box in the DKIM/DomainKeys tab. NOTE, however, that you can have more than one selector record in DNS.

2. Record identifier: "IN TXT" is the record identifier, and it is the same for every record.

3. Tag=value pairs: Note that this section is enclosed in quotation marks. There is only one tag=value pair that must be included—the one that lists the public key. However, there are several other tag=value pairs that are optional. The example above contains this optional pair:

k=rsa

RSA is an algorithm for public-key encryption. This tag=value pair is the same for every record. To learn about other tag=value pairs and why you might want to include them, go to:

http://tools.ietf.org/html/rfc4870

and review section 3.2.3., "Public key Representation in the DNS."

The required tag=value pair, again, is the one that contains the public key:

p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ==

To add the public key to the selector record

1. Go to the DKIM/DomainKeys tab for your site.

2. When you chose the options for this page, you clicked the Generate Key button which created public and private keys and displayed them in the Private Key and Public Key boxes. In the Public Key box, copy the string of characters starting with the first character after "-----BEGIN PUBLIC KEY-----" and ending with the last character before "-----END PUBLIC KEY-----".

3. In your selector record, type p= and then paste the string.

4. Type the closing quotation mark for the tag=value pair section. You may want to double-check to ensure that there is an opening quotation mark before the first tag=value pair (see placement of the quotation marks in the example at the beginning of this section).

Here, again, is an example of a finished selector record:

2006._domainkey.example.com IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ=="
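As an added example, not code from the page or from ListManager: a Python checker for a finished selector record. It joins adjacent quoted strings (how DNS carries keys longer than 255 bytes), rejects a selector containing a semicolon, decodes the p= value and walks the DER SubjectPublicKeyInfo to confirm it is an RSA key and report its size, using the page's sample key (which is a 512-bit key). The 1024-bit minimum is an assumed threshold taken from the page's Bits note, and the function names are my own.

```python
import base64, re
# Constructed from the selector record shown on this page (an RFC 4870 sample 512-bit key).
SELECTOR_RECORD = ('2006._domainkey.example.com IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAw'
                   'SAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ=="')
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def parse_selector_record(line):
    """Return (selector, domain, tags); adjacent quoted strings are joined, as DNS does for long keys."""
    name, rdata = line.split(" IN TXT ", 1)
    value = "".join(re.findall(r'"([^"]*)"', rdata))
    selector, _, domain = name.partition("._domainkey.")
    if not domain or ";" in selector:   # the page: a selector must never contain ';'
        raise ValueError("name must be <selector>._domainkey.<domain> without ';'")
    tags = {}
    for pair in filter(None, (p.strip() for p in value.split(";"))):
        k, _, v = pair.partition("=")   # split at the first '=' only; base64 padding has more
        tags[k.strip()] = v.strip()
    return selector, domain, tags

def _der(buf, pos, want):
    """Minimal DER walker: check the tag at pos and return (content_start, content_end)."""
    if buf[pos] != want:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(p_value):
    """Decode p= (a DER SubjectPublicKeyInfo) and return (modulus bits, public exponent)."""
    spki = base64.b64decode(p_value, validate=True)   # rejects stray spaces or line breaks
    start, _ = _der(spki, 0, 0x30)                    # SubjectPublicKeyInfo
    alg_start, alg_end = _der(spki, start, 0x30)      # AlgorithmIdentifier
    oid_start, oid_end = _der(spki, alg_start, 0x06)
    if spki[oid_start:oid_end] != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key although k=rsa is claimed")
    bit_start, _ = _der(spki, alg_end, 0x03)          # BIT STRING; first byte = unused bits
    seq_start, _ = _der(spki, bit_start + 1, 0x30)    # RSAPublicKey { n, e }
    n_start, n_end = _der(spki, seq_start, 0x02)      # modulus n
    e_start, e_end = _der(spki, n_end, 0x02)          # public exponent e
    return int.from_bytes(spki[n_start:n_end], "big").bit_length(), int.from_bytes(spki[e_start:e_end], "big")

def check_selector_record(line, min_bits=1024):
    selector, _, tags = parse_selector_record(line)
    if tags.get("k", "rsa") != "rsa" or "p" not in tags:
        raise ValueError("record needs p= and, if present, k=rsa")
    bits, _ = rsa_key_bits(tags["p"])
    return selector, bits, bits >= min_bits   # (selector, key size in bits, meets the minimum?)
```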

More About Selectors

You can have more than one selector record active in DNS at one time. Why would you want to do this? Here's one example: let's say it's December 2006; you have a Domain TXT record (public key) published to DNS with a "2006" selector, and your outgoing email is being signed with a 2006 selector (private key). The public/private key combination is matching, and your recipients are getting their mail verified.

The new year rolls around, and you decide you want to change the public/private key pair to "2007" for security reasons. There will probably be a period during which mail that was sent in 2006 (and therefore signed with the "2006" selector) is being opened in 2007. If you only have a "2007" TXT Record in DNS, that email will fail verification. You can leave the "2006" TXT Record in DNS for a transition period, and remove it when you feel confident that all "2006" email has been opened.

Publishing the Domain TXT Record to DNS

Publishing to DNS -- Windows

1. Run Windows DNS.

2. Expand the folder for the domain you want to add DomainKeys to.

3. Right-click the folder, and then select Other New Records.

4. In the Resource Record Type dialog, select TXT.

5. Click Create Record.

6. In the Record Name field, type the selector you added in the DKIM/DomainKeys tab for your site, followed by a dot, and then _domainkey. Example:

2006._domainkey

7. In the Text field, paste the full set of tag/value pairs without quotation marks. Example:

k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ==

8. Click OK.

Publishing to DNS -- Linux

1. Open the zone file in the editor of your choice.

2. Paste your full public key into the zone file.

NOTES

· You can paste the public key anywhere in the zone file.

· The public key cannot have any line breaks. Make sure it is one continuous string of text.

Learn more about DomainKey Distribution Options.

Setting up DKIM/DomainKeys at the List Level

DKIM/DomainKeys is set up in ListManager at both the Site and List level.