How to enable DKIM signing and configure primary and additional domain records
DomainKeys Identified Mail (DKIM) is an open protocol for protecting email users against email address identity theft and email message content tampering. It does this by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content.
To configure and use DKIM: The system administrator creates a private/public key pair for the server and publishes the public key in the domain’s domain name server. Using the private key, the sending server creates a signature for each outgoing message. The resulting signature data is stored in a “DKIM-Signature” header within the message. The receiving server obtains the signature from the “DKIM-Signature” header, uses DNS to lookup the public key and policy.
- Select Security
- Select Security Settings
- Expand Sender Authentication
- Select DKIM Signing
- Check Sign eligible outbound messages using DKIM
- Check ...sign mailing list messages also (optional).
This will sign every message for all mailing list users, processing times are likely to increase for large lists.
- Either enter a new selector or use the default selector, MDaemon.
- Click Create new public and private keys.
- Select Yes to have MDaemon generate keys used to create your published DKIM record.
All keys are stored in PEM format, and all selectors and keys are stored under the \MDaemon\Pem folder in the following way:
\MDaemon\Pem\<Selector>\rsa.public - public key for this selector
\MDaemon\Pem\<Selector>\rsa.private - private key for this selector
The files contained in these folders are not encrypted or hidden, but they contain RSA private encryption keys that should never be accessed by anyone without permission. You should therefore take steps to secure these folders and subfolders using your OS tools.
MDaemon creates the dns_readme.txt file in the \MDaemon\Pem\MDaemon\ directory and opens the file onscreen.
In the DNS server, create a TXT record called MDaemon._domainkey.domain.com
- Where MDaemon is the selector name and domain.com is your MDaemon domain name.
The highlighted public key should be entered inside the MDaemon._domainkey.domain.com TXT record.
- NOTE** Do not use this public key! Use the key generated in the dns_readme.txt file.
Repeat the above process for additional domains in MDaemon with the following considerations.
A new selector can be created or the existing selector can be used.
If a new selector is used, select Define which messages are eligible for signing in step 5.
from *@domain1.com s=selector1
from *@domain2.com s=selector2
Change the DNS entry to selector._domainkey.company2.test
Replace selector with the chosen selector for the domain.
Replace company2.test with the name of the additional domain.