Prerequisites

To enable DomainKeys/DKIM compliance in Connect, the administrator needs to obtain the private/public key pair used for a domain. The private key is used to sign outgoing messages, and the public key is used by the recipient SMTP server to verify DomainKeys/DKIM compliance. The private key is configured for the corresponding receiver domain through the Connect user interface. The public key is published in the DNS server as a DNS TXT record carrying the attributes defined for the domain.

The private/public key pair must be generated by the domain owner and made available to Connect administrators. The keys can be generated with OpenSSL (Secure Sockets Layer) commands. OpenSSL is an open source C library and command-line toolkit that can be downloaded from the internet.

Note: System administrators can use different selectors to create multiple public keys for a single domain; however, the current version of Connect allows only a single selector for each domain.

Generate Private/Public Keys

Complete the following steps to generate the keys with OpenSSL.

  1. Install OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html.
  2. Generate the private key using the following command. For more information about genrsa, see DomainKeys and Domain Keys Identified Mail.

    openssl genrsa -out keytest.pem 1024

    Note: Administrators must choose the appropriate size for the private key. Key size can proportionately affect the performance of Connect Mail Senders. The larger the private key, the slower the Mail Senders' performance.
  3. Convert the genrsa output to PKCS#8 format, which Connect needs to create a Java key object, using the following command:

    openssl pkcs8 -nocrypt -in keytest.pem -topk8 -out keytest8.pem

  4. Generate the public key using the following command:

    openssl rsa -in keytest8.pem -out rsa.public -pubout -outform PEM

Publish TXT Records in DNS Server

DomainKeys requires the following TXT records to be set up in the DNS server.

  • DomainKeys policy record
  • DomainKeys selector record

Set up DomainKeys Policy Record in DNS

System Administrators must set up a single DomainKeys policy record for each domain and store the record at _domainkey.domainname.com. The following is a sample policy record with a list of possible tags and definitions.

 _domainkey IN TXT "t=y; o=~; [email protected]"
  • o = Outbound signing policy
    • '-' - The domain signs all e-mail messages.
    • '~' - Default. The domain signs some e-mail messages with DomainKeys.
  • r = A reporting e-mail address. If present, this defines the e-mail address to which invalid verification results are reported. This tag is primarily intended for early implementers.
  • t = Testing mode ('y' means that the domain is testing DomainKeys and unverified e-mail messages MUST NOT be treated differently from verified e-mail messages. Recipient systems can track testing mode results to assist the sender). This tag is optional.
  • n = Notes about any subject. No interpretation is made by any program.

To retrieve a policy record for a domain you can use the UNIX dig command:

 dig _domainkey.domainname.com TXT

 ;; ANSWER SECTION:
 _domainkey.example.com. 7200 IN TXT "t=y\; o=~\; n=http://antispam.example.com/domainkeys"

Setting up DomainKeys Selector Record in DNS

The System Administrator can set up multiple selector records for a single domain. Each selector record holds a public key. The Administrator can set up multiple selectors for use on different servers or use one selector for all outgoing e-mail messages. In addition, the Administrator can create a selector that only works for one specific e-mail address. The following is a sample selector record with a list of possible tags and definitions.

 myselector._domainkey IN TXT "k=rsa; p=AIGf ... AQAB" 
  • g = Key granularity. If present with a non-zero length value, this value MUST exactly match the local part of the sending address. The intent is to constrain which sending address can legitimately use this selector. An e-mail message with a sending address that does not match the value of this tag is a failed verification. This tag is optional.
  • k = Key type (rsa is the default). All signers and verifiers support the rsa key type.
  • n = Notes about any subject. No interpretation is made by any program. This tag is optional.
  • p = Public key data, encoded as a Base64 string. An empty value means that the public key is revoked. This tag is mandatory.
  • t = Testing mode ('y' means that the domain is testing DomainKeys and unverified e-mail messages MUST NOT be treated differently from verified e-mail messages. Recipient systems can track testing mode results to assist the sender). This tag is optional.