MDaemon 14.5.x - How to enable DKIM signing and configure records
DomainKeys Identified Mail (DKIM) is an open protocol for protecting email users against email address identity theft and email message content tampering. It does this by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content.
To configure and use DKIM, the system administrator creates a private/public key pair for the server and publishes the public key in the domain's DNS. Using the private key, the sending server creates a signature for each outgoing message; the resulting signature data is stored in a "DKIM-Signature" header within the message. The receiving server obtains the signature from the "DKIM-Signature" header, uses DNS to look up the public key and policy, and verifies the signature with that key.
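As an added illustration of the receiver-side steps described above (this is example code, not part of the MDaemon article or product): the script parses a DKIM-Signature header, derives the DNS name the receiver queries (selector._domainkey.domain, using the article's "MDaemon" selector and an assumed "example.com" domain), and recomputes the body hash (bh=) with "simple" canonicalization. The sample message and the b= placeholder are constructed; RSA verification of b= against the DNS-published key is left out.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the MDaemon page).
BODY = b"Hello from MDaemon.\r\n"


def parse_dkim_signature(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header into a dict.
    Folding whitespace inside values is removed, as the header format allows."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags: dict) -> str:
    """The DNS TXT name a receiver queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: normalize line endings to CRLF,
    drop trailing empty lines, and guarantee exactly one trailing CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 over the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """True when the message body still matches the bh= the signer committed to."""
    tags = parse_dkim_signature(header_value)
    return tags.get("bh") == body_hash(body)


def sample_signature_header() -> str:
    """A constructed DKIM-Signature header for BODY. The b= value is a
    placeholder: checking it needs the RSA public key published in DNS."""
    return ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=MDaemon;\r\n"
            " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\r\n"
            " b=PLACEHOLDER_SIGNATURE_BYTES")


if __name__ == "__main__":
    hdr = sample_signature_header()
    print("lookup:", key_record_name(parse_dkim_signature(hdr)))
    print("body hash ok:", body_hash_matches(hdr, BODY))
    print("tampered body ok:", body_hash_matches(hdr, BODY + b"extra line\r\n"))
```

A mismatching bh= is the first thing a receiver notices when a message body has been altered in transit; the signature over the headers (b=) is what ties that hash to the signing domain.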
- Select Security
- Select Security Settings
- Expand Sender Authentication
- Select DKIM Signing
- Check Sign eligible outbound messages using DKIM
- Check ...sign mailing list messages also (optional).
- This signs every message sent to mailing list members; processing times are likely to increase for large lists.
- Either enter a new selector or use the default selector, MDaemon.
- Click Create new public and private keys.
- Select Yes to have MDaemon generate keys used to create your published DKIM record.
MDaemon creates the dns_readme.txt file in the \MDaemon\Pem\MDaemon\ directory and opens the file onscreen.
In the DNS server, create a TXT record called MDaemon._domainkey.domain.com
- Where MDaemon is the selector name and domain.com is your MDaemon domain name.
The public key shown in dns_readme.txt is entered as the value of the MDaemon._domainkey.domain.com TXT record.
- NOTE: Do not copy the example public key from a screenshot or another server; use the key generated in your own dns_readme.txt file.
To publish your DKIM policy using Author Domain Signing Practices (ADSP), another TXT record needs to be created.
- Use the dns_readme.txt to review how the policy should be implemented and enforced.
- The record name will be called _adsp._domainkey.domain.com
There are three ADSP options that can be entered in the TXT record:
- dkim=all - Use this if all outbound mail from domain.com is signed. Messages that are not signed are to be considered suspicious and will receive a higher spam score.
- dkim=discardable - Use this if all outbound mail from domain.com is signed. Furthermore, this policy tells the receiving server messages that are not signed are to be discarded.
- dkim=unknown - Use this if some, most, or all email is signed. No action will be taken.
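The following added example (not from the MDaemon article; the PEM key is a constructed placeholder, not a real RSA key) turns a public key in the form MDaemon writes to dns_readme.txt into the selector._domainkey.domain.com TXT value, builds the _adsp._domainkey.domain.com policy record from the three ADSP options above, and checks both records the way a receiver would before trusting them. It also splits long values into 255-character strings, a limit of DNS TXT records that real-world keys commonly exceed.

```python
import base64

# Constructed stand-in for the public key MDaemon writes to dns_readme.txt.
# The DER payload is a minimal SEQUENCE placeholder, not a real RSA key.
PLACEHOLDER_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x00").decode() + "\n"
    + "-----END PUBLIC KEY-----\n"
)

# The three ADSP policies named in the article.
ADSP_POLICIES = {"all", "discardable", "unknown"}


def pem_to_p_tag(pem: str) -> str:
    """Strip the PEM armor and line breaks so the key fits the p= tag."""
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))


def build_dkim_txt(selector: str, domain: str, pem: str) -> tuple:
    """Return (record name, record value) for the selector's DKIM key record."""
    return (f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={pem_to_p_tag(pem)}")


def build_adsp_txt(domain: str, policy: str) -> tuple:
    """Return (record name, record value) for the domain's ADSP policy record."""
    if policy not in ADSP_POLICIES:
        raise ValueError(f"unknown ADSP policy: {policy}")
    return (f"_adsp._domainkey.{domain}", f"dkim={policy}")


def txt_chunks(value: str, limit: int = 255) -> list:
    """DNS TXT character-strings hold at most 255 bytes; long keys are split
    into several strings that resolvers concatenate back together."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = val.strip()
    return tags


def check_dkim_record(value: str) -> list:
    """Return the problems found in a published DKIM key record (empty list = OK)."""
    problems = []
    tags = parse_tags(value)
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
        else:
            if not der.startswith(b"\x30"):
                problems.append("p= does not decode to a DER SEQUENCE")
    return problems


def check_adsp_record(value: str) -> list:
    """Return the problems found in an ADSP record (empty list = OK)."""
    policy = parse_tags(value).get("dkim")
    if policy not in ADSP_POLICIES:
        return [f"dkim= must be one of {sorted(ADSP_POLICIES)}, got {policy!r}"]
    return []


if __name__ == "__main__":
    name, value = build_dkim_txt("MDaemon", "example.com", PLACEHOLDER_PEM)
    print(name, "TXT", txt_chunks(value), check_dkim_record(value))
    name, value = build_adsp_txt("example.com", "all")
    print(name, "TXT", value, check_adsp_record(value))
```

Run it against the value you actually published (paste the TXT text into check_dkim_record) to catch the usual mistakes: PEM header lines pasted into the record, a key truncated at 255 characters, or an empty p= left behind after a key rotation.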
DKIM's predecessor, DomainKeys, used its own set of policies that are still valid in DKIM records. These policies are defined as follows:
- o=~ NEUTRAL or RELAXED (signature optional)
- o=- STRONG (signature required, but not necessarily from my domain)
- o=! EXCLUSIVE (signature required, and it must be from my domain) *
- o=. NEVER (this site doesn't send mail)
- o=^ USER (reserved for future use)