DKIM / Domain Keys Support
To enable DomainKeys/DKIM signing in Connect, the Administrator needs a private/public key pair for the domain. The private key signs outgoing messages, and the recipient SMTP server uses the published public key to verify the DomainKeys/DKIM signature. The private key is configured for the corresponding receiver domain through the Connect user interface; the public key is published in the DNS server as a TXT record for the domain, carrying the attributes defined below.
The key pair is generated by the domain owner and made available to the Connect Administrators. It can be generated with OpenSSL, an open-source C library and command-line toolkit that can be downloaded from the internet.
The following OpenSSL commands generate the keys.
Generate a 1024-bit RSA private key (keytest.pem):
openssl genrsa -out keytest.pem 1024
Convert the private key to unencrypted PKCS#8 format (keytest8.pem):
openssl pkcs8 -nocrypt -in keytest.pem -topk8 -out keytest8.pem
Extract the matching public key in PEM format (rsa.public):
openssl rsa -in keytest8.pem -out rsa.public -pubout -outform PEM
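The page leaves implicit how the rsa.public file produced above becomes the p= value of the selector record. The following Python script is an added example, not part of the Connect documentation or of Connect itself: it strips the PEM wrapper, checks that the remainder is clean Base64, and builds the zone-file line. The sample PEM is constructed from arbitrary bytes of the same size as a 1024-bit RSA public key, not a real key, so it runs without OpenSSL. It also goes one step beyond the page: a DNS TXT character-string holds at most 255 octets, so the record is split into several quoted strings when the key is larger (for example 2048-bit), which verifiers concatenate.

```python
import base64
from typing import List, Optional

# Constructed sample standing in for the rsa.public file written by the openssl
# commands above: a PEM wrapper around a base64 body split over 64-column lines.
# The body is 162 arbitrary bytes (the size of a 1024-bit RSA SubjectPublicKeyInfo),
# NOT a real key, so the record-building steps can be checked without openssl.
SAMPLE_P = base64.b64encode(bytes(range(162))).decode()          # 216 base64 chars
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(SAMPLE_P[i:i + 64] for i in range(0, len(SAMPLE_P), 64))
              + "\n-----END PUBLIC KEY-----\n")
# Same idea at the size a 2048-bit key produces (294 bytes -> 392 base64 chars).
SAMPLE_P_2048 = base64.b64encode(bytes(294)).decode()


def pem_to_p_value(pem: str) -> str:
    """Turn a PEM public key into the value of the p= tag: drop the BEGIN/END
    lines, join the base64 body into one line, and confirm it is clean base64."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))
    base64.b64decode(body, validate=True)   # raises binascii.Error if not a PEM body
    return body


def split_txt_strings(rdata: str, limit: int = 255) -> List[str]:
    """One DNS TXT character-string carries at most 255 octets (RFC 1035).
    Longer data is published as several quoted strings, which verifiers join.
    The tag list is ASCII, so characters and octets coincide here."""
    return [rdata[i:i + limit] for i in range(0, len(rdata), limit)]


def selector_txt_record(selector: str, p_value: str, key_type: str = "rsa",
                        testing: bool = False,
                        granularity: Optional[str] = None) -> str:
    """Build the zone-file line for a selector record from the tags this page
    defines (g, k, t, p). Parameter names are this example's own choice."""
    tags = []
    if granularity:                      # g= only when a non-zero-length value is wanted
        tags.append(f"g={granularity}")
    tags.append(f"k={key_type}")
    if testing:                          # t=y: domain is testing DomainKeys
        tags.append("t=y")
    tags.append(f"p={p_value}")          # mandatory; an empty value would mean revoked
    rdata = "; ".join(tags)
    quoted = " ".join(f'"{chunk}"' for chunk in split_txt_strings(rdata))
    return f"{selector}._domainkey IN TXT {quoted}"


if __name__ == "__main__":
    # The 1024-bit sample fits in one string; the 2048-bit sample needs two.
    print(selector_txt_record("myselector", pem_to_p_value(SAMPLE_PEM), testing=True))
    print(selector_txt_record("myselector", SAMPLE_P_2048))
```

For a real key, replace SAMPLE_PEM with the contents of rsa.public; the script does not change the key material, it only reshapes it into the record format.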
DomainKeys requires the following TXT records to be set up in the DNS server.
Setting up DomainKeys policy record in DNS
The System Administrator needs to set up a single DomainKeys policy record for each domain and store the record at _domainkey.domainname.com. The following is a sample policy record with a list of possible tags and their definitions.
_domainkey IN TXT "t=y; o=~; [email protected]"
where:
o = Outbound signing policy. '-' means that this domain signs all e-mail; '~' is the default and means that this domain may sign some e-mail messages with DomainKeys.
r = A reporting e-mail address. If present, this defines the e-mail address where invalid verification results are reported. This tag is primarily intended for early implementors.
t = Testing mode. 'y' means that this domain is testing DomainKeys, so unsigned and unverifiable e-mail messages should not be treated differently from verified e-mail. Recipient systems may wish to track testing mode results to assist the sender.
n = Notes that may be of interest to a human. No interpretation is made by any program.
To retrieve a policy record for a domain you can use the Unix dig command:
dig _domainkey.domainname.com TXT
;; ANSWER SECTION:
_domainkey.example.com. 7200 IN TXT "t=y\; o=~\; n=http://antispam.example.com/domainkeys"
Setting up DomainKeys selector record in DNS
The System Administrator can set up multiple selector records for a single domain. Each selector record holds a public key. The Administrator can set up multiple selectors to be used on different servers or use one selector for all the outgoing e-mail messages. In addition, the Administrator can create a selector that only works for one specific e-mail address. The following is a sample selector record with a list of possible tags and their definitions.
myselector._domainkey IN TXT "k=rsa; p=AIGf ... AQAB"
where:
g = Granularity of the key. If present with a non-zero-length value, this value MUST exactly match the local part of the sending address. The intent of this tag is to constrain which sending address can legitimately use this selector. An e-mail message with a sending address that does not match the value of this tag constitutes a failed verification. This tag is optional.
k = Key type ('rsa' is the default). All signers and verifiers support the 'rsa' key type.
n = Notes that may be of interest to a human. No interpretation is made by any program. This tag is optional.
p = Public-key data, encoded as a Base64 string. An empty value means that the public key has been revoked. This tag is mandatory.
t = Testing mode. 'y' means that this domain is testing DomainKeys and unverified e-mail messages MUST NOT be treated differently from verified e-mail messages. Recipient systems MAY wish to track testing mode results to assist the sender. This tag is optional.
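To make the tag rules for both record types concrete, here is an added Python example, not part of the Connect documentation or of Connect itself, that parses a DomainKeys TXT record as dig prints it (quoted strings, ';' escaped as '\;') and applies the policy-record tags (o, r, t, n) and the selector-record tags (g, k, p, t) defined above. The policy record is the one from the dig output on this page; the selector record is constructed, with a p= value of arbitrary Base64 rather than a real key. Function names and the status strings returned are this example's own; what the page does not state (what a verifier should do with a record whose rules fail) is expressed only as a returned status, leaving the decision to the caller.

```python
import base64
import binascii
import re
from typing import Dict

# Constructed samples. POLICY_RDATA is the record shown in the dig output above;
# SELECTOR_RDATA is a made-up selector whose p= is arbitrary base64 published as
# two quoted strings, the way a long key would appear.
POLICY_RDATA = '"t=y\\; o=~\\; n=http://antispam.example.com/domainkeys"'
FAKE_P = base64.b64encode(bytes(range(24))).decode()          # 32 base64 chars, not a key
SELECTOR_RDATA = '"g=sales; k=rsa; t=y; p=' + FAKE_P[:16] + '" "' + FAKE_P[16:] + '"'


def rdata_to_text(rdata: str) -> str:
    """Join the quoted character-strings of a TXT RDATA into one string; this is
    how a verifier reassembles a p= value that was split over several strings."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_tags(text: str) -> Dict[str, str]:
    """Parse a tag list such as 't=y; o=~; n=...' into a dict. The '\\;' escaping
    dig prints is undone, tag names are lower-cased, and the value is everything
    after the first '=' so a URL in n= survives intact."""
    tags: Dict[str, str] = {}
    for part in text.replace("\\;", ";").split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def policy_summary(tags: Dict[str, str]) -> Dict[str, object]:
    """Interpret a policy record: o= outbound signing policy ('~' is the default),
    t= testing mode, r= reporting address, n= human-readable notes."""
    o = tags.get("o", "~")
    if o not in ("-", "~"):
        raise ValueError(f"unknown outbound signing policy {o!r}")
    return {"signs_all_mail": o == "-", "testing": tags.get("t") == "y",
            "report_to": tags.get("r"), "notes": tags.get("n")}


def selector_status(tags: Dict[str, str], sender: str) -> str:
    """Apply the selector-record rules to a message from `sender`.
    Returns 'ok', 'revoked', 'fail: <reason>' or, when t=y is set, 'testing: <reason>'
    (testing mode: unverified mail MUST NOT be treated differently, so the
    problem is reported rather than enforced)."""
    local_part = sender.rpartition("@")[0]
    if "p" not in tags:
        reason = "mandatory p= tag missing"
    elif tags["p"] == "":
        return "revoked"                                  # empty p= means key revoked
    elif tags.get("k", "rsa") != "rsa":
        reason = f"unsupported key type {tags['k']!r}"
    elif not _is_base64(tags["p"]):
        reason = "p= is not valid Base64"
    elif tags.get("g", "") and tags["g"] != local_part:   # non-zero-length g must match exactly
        reason = "sender local part does not match g="
    else:
        return "ok"
    return ("testing: " if tags.get("t") == "y" else "fail: ") + reason


def _is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    print(policy_summary(parse_tags(rdata_to_text(POLICY_RDATA))))
    selector = parse_tags(rdata_to_text(SELECTOR_RDATA))
    for sender in ("sales@example.com", "bob@example.com"):
        print(sender, "->", selector_status(selector, sender))
```

Feeding the script the output of dig for your own selector is a quick way to catch the two mistakes that most often break publication: a p= value that is not clean Base64 (usually a PEM header or line break left in) and a g= value that does not match the address Connect sends from.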